From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Bryan Turner <bturner@atlassian.com>
Cc: Kevin Kendzia <kevin.kendzia@googlemail.com>,
Git Users <git@vger.kernel.org>
Subject: Re: Issues with newest version of openssh 8.8p1-1
Date: Wed, 29 Sep 2021 22:58:50 +0000 [thread overview]
Message-ID: <YVTvqpjkHuB2c15l@camp.crustytoothpaste.net> (raw)
In-Reply-To: <CAGyf7-FBgmRTmjKFjMi2p5MArGEQh9a4Z6RA6FO-2U4D5jGnmA@mail.gmail.com>
On 2021-09-28 at 07:32:05, Bryan Turner wrote:
> Ultimately this isn't a Git issue; it's an SSH issue. My guess would
> be that upgrading to OpenSSH 8.8 picks up the change to stop using RSA
> signatures using SHA-1 hashes by default.[1]
>
> You can update your ~/.ssh/config to add these lines to revert that
> and allow using those keys again:
>
>     Host old-host
>         HostkeyAlgorithms +ssh-rsa
>         PubkeyAcceptedAlgorithms +ssh-rsa

I should point out that these algorithms are disabled by default because
they are a security risk. This has been announced for a long time now
in OpenSSH and everyone should have either switched key types or enabled
RSA with SHA-2 or both.

> With that said, though, if possible a better solution is to generate
> new SSH keys using ECDSA, Ed25519 or another stronger signature and
> switch to those.

You also need to contact the party operating the server to which you're
trying to push in this case, since it's ultimately the fact that they
don't support RSA with SHA-2 that's the problem.

There are a couple different providers (in my testing just this second,
I found Bitbucket and Azure DevOps) who are still offering only the
ssh-rsa host keys (possibly with ssh-dss as well) and not offering the
rsa-sha2-256 and rsa-sha2-512 algorithms, and only the server operator
can fix those. If the server operator adds support for RSA with SHA-2,
then OpenSSH 8.8 will work just fine. But otherwise, this will continue
to be broken out of the box.

But as for client keys, I do strongly recommend Ed25519 in all cases.
If you have the misfortune of having to use a FIPS-compliant environment
(which I don't recommend in any case), then use RSA with SHA-2.

--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
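The message above says the real fix depends on whether the server offers rsa-sha2-256/rsa-sha2-512 (or a non-RSA host key) rather than only ssh-rsa/ssh-dss. The script below is an added example, not code from the thread or from OpenSSH: it extracts the host key algorithm list the server advertised from `ssh -vv` debug output and reports whether the default OpenSSH 8.8 client can negotiate with it, so you can tell the "server needs fixing" case from the "your key needs replacing" case before touching ~/.ssh/config. It assumes the `debug2: peer server KEXINIT proposal` / `debug2: host key algorithms:` line format that OpenSSH prints at -vv; the sample debug output embedded here is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from OpenSSH itself).
# Classifies the host key algorithms a server advertised during key exchange,
# using the lines that `ssh -vv host 2>&1` prints (assumed format:
# "debug2: peer server KEXINIT proposal" followed by
# "debug2: host key algorithms: <comma-separated list>").

# Constructed sample: a server that still offers only SHA-1 signature types.
SAMPLE_SHA1_ONLY='debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa,ssh-dss'

# Constructed sample: a server that added RSA with SHA-2 (works out of the box on 8.8).
SAMPLE_SHA2='debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# server_hostkey_algs DEBUG_OUTPUT
# Prints the host key algorithm list from the *server's* KEXINIT proposal
# (the client's own proposal also carries a "host key algorithms:" line, so
# we only take the one that follows the "peer server" marker).
server_hostkey_algs() {
  printf '%s\n' "$1" | awk '
    /peer server KEXINIT proposal/ { in_server = 1; next }
    in_server && /^debug2: host key algorithms: / {
      sub(/^debug2: host key algorithms: /, "")
      print
      exit
    }
  '
}

# classify_hostkey_algs ALG_LIST
# Prints "sha2-ok" if the server offers rsa-sha2-256/512 or any non-RSA key
# type (an OpenSSH 8.8 client negotiates without config changes), or
# "sha1-only" if every offered type is ssh-rsa/ssh-dss (SHA-1 signatures):
# that is the case only the server operator can properly fix, and the one the
# "HostkeyAlgorithms +ssh-rsa" workaround papers over.
classify_hostkey_algs() {
  list="$1"
  verdict=sha1-only
  oldifs=$IFS
  IFS=,
  for alg in $list; do
    case $alg in
      ssh-rsa|ssh-rsa-cert-v01@openssh.com|ssh-dss|ssh-dss-cert-v01@openssh.com) ;;
      *) verdict=sha2-ok ;;
    esac
  done
  IFS=$oldifs
  echo "$verdict"
}

# check_server DEBUG_OUTPUT: convenience wrapper printing list and verdict.
check_server() {
  algs=$(server_hostkey_algs "$1")
  printf 'server host key algorithms: %s\n' "$algs"
  classify_hostkey_algs "$algs"
}

check_server "$SAMPLE_SHA1_ONLY"   # sha1-only
check_server "$SAMPLE_SHA2"        # sha2-ok
```

Against a live server, capture the real debug output with something like `ssh -vv -T git@host 2>&1` and pass it to `check_server` in place of the constructed samples. A `sha1-only` verdict means the `+ssh-rsa` lines from the quoted config are the only way to connect today, and the better path is asking the operator to enable RSA with SHA-2; a `sha2-ok` verdict with a still-failing push points at the client key instead, which is where generating an Ed25519 key helps.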