On Sun, 20 Sep 2020 at 13:12, Pavel Raiskup <praiskup@redhat.com> wrote:
After upgrade of one of my servers to F33, I noticed that I can not ssh to
one of my other servers running Debian 9 system (relatively freshly EOLed,
I need to do something about it).  On F33 I always need to:

     $ ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa user@debian-9-host

The changes in Fedora packages led me to:

    https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/b298a9e1

Which led me to:

    https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

I'm curious about the effects of the change.  It claims that RSA 2048 >= should
stay accepted by DEFAULT, and from what I can tell the host server key seems to
be RSA 2048 (at least that's what is generated by default on Debian 9):

    $ ssh-keygen -l -f ssh_host_rsa_key.pub
    2048 SHA256:<...> root@debian-9-host (RSA)

Can anyone translate to me if this is really expected or a bug?  Effect is that
Fedora 33 clients can not ssh to Debian 9 hosts by default (I'm not sure about
the supported Debian 10, and the key quality there).


My guess looking at the changes is that it is not the key length which is causing problems but the SHA used in the key to verify it.

From the Cygwin manpage I am looking at:

The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).

I am guessing this key was generated with the older ssh-rsa and so the new boxes won't work unless you force it. I would regenerate the key with a newer sig :).
 
Pavel


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org


--
Stephen J Smoogen.
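The point raised in this reply, that the symptom is about the signature variant rather than the key size, can be made concrete with a small model of the SSH algorithm negotiation. The following is an added example written for this thread; it is not OpenSSH code and was not posted by anyone on the list. It parses constructed `ssh -vv`-style lines (not real captures), applies OpenSSH's `+`/`-` list-option syntax to an illustrative client preference list (the ordering is made up, not the actual Fedora policy text), and picks the host key algorithm the way RFC 4253 section 7.1 does: the first entry on the client's list that the server also offers. It models host-key (KEXINIT) negotiation; `PubkeyAcceptedKeyTypes` governs user-key signatures, but the same idea applies, namely that a 2048-bit RSA key is fine as long as a SHA-2 signature variant is available on both sides.

```python
"""Model of the SSH algorithm negotiation behind the ssh-rsa vs rsa-sha2 symptom.

Added example for this thread; not OpenSSH code and not from any poster.
All debug output below is constructed to look like `ssh -vv` lines.
"""
import re

# RSA signature variants as OpenSSH names them: the same RSA key can sign
# with SHA-1 ("ssh-rsa") or SHA-2 ("rsa-sha2-*"); the key length is unrelated.
RSA_SHA1 = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}
RSA_SHA2 = {"rsa-sha2-256", "rsa-sha2-512",
            "rsa-sha2-256-cert-v01@openssh.com",
            "rsa-sha2-512-cert-v01@openssh.com"}

# Constructed client preference list with the SHA-1 variant removed
# (illustrative order only; not the actual Fedora policy text).
CLIENT_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                  "rsa-sha2-512", "rsa-sha2-256"]

# Constructed `ssh -vv` excerpts: a server that only offers SHA-1 RSA
# signatures, and one whose RSA host key also signs with SHA-2.
DEBUG_SHA1_ONLY = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa
"""
DEBUG_SHA2 = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
"""

HOSTKEY_RE = re.compile(r"^debug\d: host key algorithms: (\S+)$")


def parse_server_hostkey_algs(debug_text):
    """Return the server's host key algorithm list from ssh -vv output."""
    for line in debug_text.splitlines():
        m = HOSTKEY_RE.match(line.strip())
        if m:
            return m.group(1).split(",")
    return []


def apply_option(base, value):
    """Model OpenSSH's list-option syntax: '+x,y' appends, '-x,y' removes,
    anything else replaces the list.  (Constructed model; wildcards omitted.)"""
    if value.startswith("+"):
        return base + [a for a in value[1:].split(",") if a not in base]
    if value.startswith("-"):
        drop = set(value[1:].split(","))
        return [a for a in base if a not in drop]
    return value.split(",")


def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1 rule: the first algorithm on the client's list
    that the server also offers wins; None if there is no common one."""
    offered = set(server_algs)
    for alg in client_algs:
        if alg in offered:
            return alg
    return None


def diagnose(client_algs, server_algs):
    """Explain a negotiation result in terms of signature variant, not key size."""
    chosen = negotiate(client_algs, server_algs)
    if chosen is not None:
        note = " (RSA key signing with SHA-2)" if chosen in RSA_SHA2 else ""
        return "ok: " + chosen + note
    rsa_offered = [a for a in server_algs if a in RSA_SHA1 | RSA_SHA2]
    if rsa_offered and not (set(rsa_offered) & RSA_SHA2):
        return ("fail: server signs only with ssh-rsa (SHA-1); "
                "client policy excludes it, key length is irrelevant")
    return "fail: no common host key algorithm"


if __name__ == "__main__":
    server = parse_server_hostkey_algs(DEBUG_SHA1_ONLY)
    print(diagnose(CLIENT_DEFAULT, server))
    # The workaround from the thread: opt the SHA-1 variant back in on the client.
    print(diagnose(apply_option(CLIENT_DEFAULT, "+ssh-rsa"), server))
    # A server that offers rsa-sha2-* needs no workaround with the same RSA key.
    print(diagnose(CLIENT_DEFAULT, parse_server_hostkey_algs(DEBUG_SHA2)))
```

Run it as a script to see the three cases side by side: the SHA-1-only server fails under the default list, succeeds once `+ssh-rsa` is appended, and a server that offers `rsa-sha2-512` negotiates a SHA-2 signature with no client change at all. The `-` form of `apply_option` is the shape a policy would use to drop `ssh-rsa` while leaving the RSA key itself accepted.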