
Vincent's Blog

Pleasure in the job puts perfection in the work (Aristote)

The "ssh-rsa" signature type is now disabled by default

Posted on 2021-10-17 20:19:00 from Vincent in OpenBSD

The latest changes in OpenSSH reject ssh-rsa by default.


Introduction

As stated many years ago, RSA/SHA-1 is weak and should not be used.

In OpenBSD 7.0, released on October 14th 2021, the latest version of OpenSSH removes this weak signature algorithm from the default configuration.

This removal was announced on the mailing list on August 30, 2021.

Several articles point out that SHA-1 is not broken for every kind of use case. However, it is considered to provide insufficient protection against collision attacks, which makes it unsuitable as a signature algorithm, for example in certificates.
Moreover, the US government's National Institute of Standards and Technology (NIST) said it should not be trusted beyond January 2014.

Issue

I have a stupid/simple Android device taking pictures every 30 minutes. To fetch those pictures, I am using the application called Primitive ftpd.

Since the latest release of OpenBSD, I get this error:

99%obsd:~/temp $ sftp -P 6922 vi@192.168.3.59 
Unable to negotiate with 192.168.3.59 port 6922: no matching host key type found. Their offer: ssh-rsa
Connection closed

Solution

To solve this for a specific machine, you can adapt your ~/.ssh/config file like this:

Host 192.168.3.59
    Hostname 192.168.3.59
    HostKeyAlgorithms=+ssh-rsa

By doing so, you re-enable the ssh-rsa host key algorithm only for this machine; every other host keeps the new default. Note that this still uses SHA-1 signatures for that host, so it is a workaround until the server supports the SHA-2 variants (rsa-sha2-256 or rsa-sha2-512).

Your ssh, sftp and scp commands will then work as before.
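An added audit script, not part of this post, that lists every Host block in an ssh_config-style file which re-enables ssh-rsa, so the legacy hosts still depending on SHA-1 signatures stay visible and can be upgraded later; the sample config is constructed and the function name is my own.

```shell
#!/bin/sh
# Added example: find Host/Match blocks in an ssh_config file that re-enable
# the SHA-1 "ssh-rsa" host key signature (the workaround described above).
# A "-ssh-rsa" entry removes the algorithm and is therefore not reported.

list_legacy_rsa_hosts() {
    # $1: path to an ssh_config-style file. Prints one Host/Match pattern per line.
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^$/ || /^#/ { next }
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        tolower($0) ~ /^(host|match)[ \t=]/ {
            scope = $0; sub(/^[A-Za-z]+[ \t=]+/, "", scope); next
        }
        tolower($0) ~ /^hostkeyalgorithms[ \t=]/ {
            list = $0; sub(/^[A-Za-z]+[ \t=]+/, "", list)
            mode = substr(list, 1, 1)              # "+" append, "^" prepend, "-" remove
            if (mode ~ /[+^-]/) list = substr(list, 2); else mode = "="
            if (mode == "-") next                  # removal of ssh-rsa is not a hit
            n = split(list, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] == "ssh-rsa") { print (scope == "" ? "(global)" : scope); break }
        }
    ' "$1"
}

# Constructed sample config (not a real user file) covering the usual shapes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host 192.168.3.59
    Hostname 192.168.3.59
    HostKeyAlgorithms=+ssh-rsa
# SHA-2 signatures only: fine
Host modern
    HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256
# explicitly removes ssh-rsa: not reported
Host hardened
    HostKeyAlgorithms -ssh-rsa
Host legacy-cam
    HostKeyAlgorithms +ssh-rsa,ssh-dss
EOF
list_legacy_rsa_hosts "$sample"   # prints 192.168.3.59 and legacy-cam
rm -f "$sample"
```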


