
I am setting up a new CentOS 9 Stream container as part of a CI system. It needs to make an SSH connection to download some code from a legacy Git host using an ssh-rsa key (which is considered an acceptable risk on this network with this host).

I start by generating a key.

ssh-keygen -t ssh-rsa -f test_rsa_key

Running with the key, I get a "no mutual signature algorithm" error.

ssh -v -i test_rsa_key user@server
debug1: Next authentication method: publickey
debug1: Offering public key: test_rsa_key RSA SHA256:<snip> explicit
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.
user@server: Permission denied (publickey).

I can explicitly enable ssh-rsa with -oPubkeyAcceptedKeyTypes=+ssh-rsa, but now I get a libcrypto error.

ssh -oPubkeyAcceptedKeyTypes=+ssh-rsa -v -i test_rsa_key user@server
debug1: Next authentication method: publickey
debug1: Offering public key: test_rsa_key RSA SHA256:<snip> explicit
debug1: Server accepts key: test_rsa_key RSA SHA256:<snip> explicit
debug1: identity_sign: sshkey_sign: error in libcrypto
sign_and_send_pubkey: signing failed for RSA "test_rsa_key": error in libcrypto
debug1: No more authentication methods to try.
user@server: Permission denied (publickey).

Is it possible that support for the legacy ssh-rsa signature method is disabled in CentOS 9 Stream at the libcrypto level? How can I make a connection with this key on the latest CentOS?

ddulaney

1 Answer


Found an answer, courtesy of a similar issue somebody else had on the Red Hat Bugzilla (login required).

The issue is caused by the deprecation of SHA1. You can work around this by setting a crypto policy of LEGACY following the instructions here.

The command is:

update-crypto-policies --set LEGACY

Before running, review the linked page because it does enable some quite old crypto settings, which might be too insecure for your use-case.

ddulaney
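The two errors in the question are at two different layers, and the answer's LEGACY policy fixes both by opening everything. The first error ("no mutual signature algorithm") is OpenSSH refusing to offer the ssh-rsa algorithm (RSA with a SHA-1 signature); the second ("error in libcrypto") is OpenSSL, under the system-wide crypto policy, refusing to compute a SHA-1 RSA signature at all, which is why the -o option alone is not enough. The script below is an added example, not from the original question or answer, of how a CI container can confine the exception: it puts the ssh-rsa exception in a per-host ssh_config stanza so only the legacy host ever sees it, and it requests the SHA1 subpolicy (DEFAULT:SHA1, which Red Hat documents for RHEL 9 and CentOS Stream 9 as the way to re-enable SHA-1 signatures) instead of dropping the whole system to LEGACY. The host alias "legacy-git", the hostname legacy-git.example.internal, the key path /ci/keys/test_rsa_key and the config file name 90-legacy-git.conf are assumptions for illustration; only apply() touches the system, and it must run as root on the target container.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: legacy-git,
# legacy-git.example.internal, /ci/keys/test_rsa_key, 90-legacy-git.conf.

# Does a policy name as printed by `update-crypto-policies --show` permit SHA-1
# signatures in libcrypto? LEGACY does; DEFAULT and FUTURE do not unless the
# SHA1 subpolicy has been appended (for example DEFAULT:SHA1).
sha1_signatures_allowed() {
    case "$1" in
        LEGACY|LEGACY:*)   return 0 ;;
        *:SHA1|*:SHA1:*)   return 0 ;;
        *)                 return 1 ;;
    esac
}

# Choose the narrowest policy to request: keep what is set if it already allows
# SHA-1 signatures, otherwise append only the SHA1 subpolicy to the base policy.
target_policy() {
    if sha1_signatures_allowed "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s:SHA1\n' "$1"
    fi
}

# Emit a per-host ssh_config stanza so ssh-rsa is offered only to the legacy
# host. A Host stanza in ssh_config.d wins over the crypto-policy include, which
# Red Hat places in a "Match final all" block precisely so that per-host
# settings take precedence. "+ssh-rsa" appends to the default list rather than
# replacing it.
legacy_host_stanza() {
    alias_name="$1"; host_name="$2"; key_file="$3"
    cat <<EOF
Host $alias_name
    HostName $host_name
    IdentityFile $key_file
    IdentitiesOnly yes
    # ssh-rsa = RSA with SHA-1; accepted risk for this host only
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostKeyAlgorithms +ssh-rsa
EOF
}

# Apply on the real CentOS 9 Stream container (root). Only changes the policy
# when the current one would still make libcrypto reject the SHA-1 signature.
apply() {
    current=$(update-crypto-policies --show)
    wanted=$(target_policy "$current")
    if [ "$wanted" != "$current" ]; then
        update-crypto-policies --set "$wanted"
    fi
    legacy_host_stanza legacy-git legacy-git.example.internal /ci/keys/test_rsa_key \
        > /etc/ssh/ssh_config.d/90-legacy-git.conf
    # After this the plain form works; no -o option on every ssh/git call:
    #   ssh -i /ci/keys/test_rsa_key legacy-git
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as `sh prepare_legacy_ssh.sh apply` in the container's build step. Because the policy is still a system-wide setting, everything else in the container can also produce SHA-1 signatures once DEFAULT:SHA1 is active; the stanza only limits where OpenSSH will offer ssh-rsa, so keep the container single-purpose and rebuild without the subpolicy once the Git host is upgraded.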