    • #1221 Reply
      Dan
      Guest

      ————————————————————-
      Thank you for installing packages from https://deb.myguard.nl
      You just installed openssh-server.
      Please review the configs in /etc/ssh/sshd_config.d/
      ————————————————————-
      Potentially-incompatible changes
      ================================
      Release 8.8p1 disables RSA signatures using the SHA-1 hash
      algorithm by default. This change has been made as the SHA-1
      hash algorithm is cryptographically broken. For most users,
      this change should be invisible and there is no need to
      replace ssh-rsa keys.

      If you need to connect with such a signature, you can add
      “PubkeyAcceptedAlgorithms +ssh-rsa” to your config.

      We recommend enabling RSA/SHA1 only as a stopgap measure until
      legacy implementations can be upgraded or reconfigured with
      another key type (such as ECDSA or Ed25519).
      ————————————————————–

      How to specifically overcome this issue?
      Every time I update my Ubuntu server using your repo, not the PPA from Ubuntu… I get this notice.
      And I cannot log in anymore.

      Using macOS, Termius and Core Shell.

    • #1222 Reply
      Thijs Eilander
      Keymaster

      If it is possible, create a new SSH key without rsa/rsa1; it’s unsafe to use.
      Or add PubkeyAcceptedAlgorithms +ssh-rsa and don’t overwrite the config on upgrade.

      I see Debian has a recent 9.0 package in bookworm/sid; I’ll import that one soon and see how they handle this problem.

    • #1224 Reply
      Dan
      Guest

      So I just choose the default selection, thanks!
      Let me try

      imgur.com/JiUksjv

    • #1225 Reply
      Dan
      Guest

      And also added:
      PubkeyAcceptedAlgorithms +ssh-rsa

      to /etc/ssh/sshd_config

    • #1226 Reply
      Dan
      Guest

      Just an update, I’m still unable to connect.
      Just using root user and password, not a key file.

    • #1230 Reply
      Thijs Eilander
      Keymaster

      Sorry, I didn’t receive notifications about this thread.

      If you want to log in as root, you need to change /etc/ssh/sshd_config.d/20-security.conf

    • #1231 Reply
      Thijs Eilander
      Keymaster

      I just imported openssh 9.0p1 from debian, so there will be a new build soon.

    • #1223 Reply
      Dan
      Guest

      So I should use the default selection:
      https://i.imgur.com/JiUksjv.png

      Thanks, let me try.

    • #3834 Reply
      Thijs Eilander
      Keymaster

      I’m discontinuing the building of OpenSSH; it does not really fit the scope of my project, as I don’t need anything changed from the stock OpenSSH. And for a while now it hasn’t played nicely with systemd. It’s a load of work to maintain OpenSSH while I don’t need changes.

    • #3998 Reply
      Dan
      Guest

      Hi,

      I can see it’s still included in your edge repo:
      http://edge.deb.myguard.nl:8888

    • #4004 Reply
      Thijs Eilander
      Keymaster

      Thanks for reminding ;-) I was about to trash that repo completely but instead I got to use it for testing again.

      I’ll take a look at it later
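
Replies #1225 to #1230 turn on which file sshd actually takes a setting from: sshd keeps the first value it reads for each keyword, so a drop-in included at the top of sshd_config wins over lines added further down. The script below is an added example, not part of the thread or of the repository's packaging; the file contents are constructed, the helper names walk_config and effective_value are hypothetical, and it assumes sshd_config starts with an Include of the drop-in directory, as the stock Debian and Ubuntu file does.

```shell
#!/bin/sh
# sshd keeps the FIRST value it reads for each keyword; Include lines are
# expanded in place, with glob matches taken in lexical order.
# Assumptions: absolute Include paths without spaces, no Match blocks.

# walk_config FILE: print "file<TAB>keyword<TAB>value" in sshd's read order.
walk_config() {
    cfg=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split into words, no globbing yet
        case "${1:-#}" in '#'*) continue ;; esac   # skip blanks and comments
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        if [ "$key" = include ]; then
            for f in $*; do                   # the glob expands here, sorted
                if [ -f "$f" ]; then ( walk_config "$f" ); fi
            done
        else
            printf '%s\t%s\t%s\n' "$cfg" "$key" "$*"
        fi
    done < "$cfg"
}

# effective_value KEYWORD FILE: print "value (from file)" for the first hit.
effective_value() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    walk_config "$2" | awk -F '\t' -v k="$want" \
        '$2 == k { print $3 " (from " $1 ")"; exit }'
}

# Constructed sample tree; the real 20-security.conf is not shown in the thread.
demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
cat > "$demo/sshd_config.d/20-security.conf" <<EOF
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$demo/sshd_config" <<EOF
Include $demo/sshd_config.d/*.conf
# lines appended by the admin, read after the drop-ins
PermitRootLogin yes
PubkeyAcceptedAlgorithms +ssh-rsa
EOF
effective_value PermitRootLogin "$demo/sshd_config"
effective_value PubkeyAcceptedAlgorithms "$demo/sshd_config"
```

On a live server, `sshd -T` prints the effective configuration as the daemon itself computes it.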
