RHEL-2754

rsa-sha stops working if other sigalgs are enabled

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • rhel-9.1.0
    • libssh
    • Moderate
    • rhel-sst-security-crypto
    • ssg_security

      Description of problem: the libssh client stops connecting to an OpenSSH server that accepts rsa-sha only, if other sigalgs are enabled
      Version-Release number of selected component: libssh-0.9.6-3.el9
      How reproducible: reliably

      Steps to Reproduce:

      1. Do not run on non-disposable systems (the script changes the system-wide crypto policy and appends to root's SSH files):

        set -uexo pipefail
        # openssh-server is needed so that an sshd answers on localhost
        dnf -y install crypto-policies-scripts curl openssh openssh-server
        systemctl enable --now sshd

        # RSA client key, trusted by the server on the same host
        mkdir -p ~/.ssh && chmod 700 ~/.ssh
        [[ -e ~/.ssh/id_rsa ]] || ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ""
        cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

        # two policy modules: RSA-SHA1 alone, and RSA-SHA1 next to RSA-SHA2-256
        echo "sign = RSA-SHA1" \
        > /etc/crypto-policies/policies/modules/RSA-SHA1-ONLY.pmod
        echo "sign = RSA-SHA2-256 RSA-SHA1" \
        > /etc/crypto-policies/policies/modules/RSA-SHA1-PLUS.pmod
        update-crypto-policies --set LEGACY:RSA-SHA1-ONLY
        # make sure the server side runs with RSA-SHA1-ONLY before testing
        systemctl restart sshd
        ssh-keyscan localhost | tee -a ~/.ssh/known_hosts

        curl -k sftp://localhost # works

        # --no-reload: services are not reloaded, so the running sshd keeps
        # RSA-SHA1-ONLY and only the libssh client (curl) sees the new policy
        update-crypto-policies --set LEGACY:RSA-SHA1-PLUS --no-reload
        curl -k sftp://localhost # breaks
        update-crypto-policies --set LEGACY --no-reload
        curl -k sftp://localhost # does not work either
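The following is an added example and not part of this bug report, of libssh or of crypto-policies. It applies the algorithm-negotiation rule of RFC 4253 section 7.1 (the first algorithm on the client's list that the server also supports is chosen) to the two policy modules from the reproducer, to show what a conforming client should do when the server side stays on RSA-SHA1-ONLY. Two assumptions are made: that the `sign` tokens map to the SSH algorithm names `ssh-rsa`, `rsa-sha2-256` and `rsa-sha2-512` as in the crypto-policies OpenSSH and libssh back-ends, and that the client's list is derived from `sign` in module order. The LEGACY policy itself is not modelled; a constructed SHA-2-only client list stands in for the one case where a failure is the correct outcome.

```python
"""Added example: RFC 4253 algorithm negotiation applied to the reproducer.

Not code from the bug report, libssh or crypto-policies. The module texts
below are copied from the reproducer; the SHA-2-only client list is
constructed for contrast.
"""
from typing import Dict, List, Optional

# Assumption: crypto-policies spells these `sign` tokens as the following
# SSH signature algorithm names in its OpenSSH/libssh back-ends.
SIGN_TO_SSH: Dict[str, str] = {
    "RSA-SHA1": "ssh-rsa",
    "RSA-SHA2-256": "rsa-sha2-256",
    "RSA-SHA2-512": "rsa-sha2-512",
}

# Policy module contents from the reproducer.
RSA_SHA1_ONLY = "sign = RSA-SHA1\n"
RSA_SHA1_PLUS = "sign = RSA-SHA2-256 RSA-SHA1\n"


def parse_pmod(text: str) -> Dict[str, List[str]]:
    """Parse `key = v1 v2 ...` lines of a policy module; `#` starts a comment."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.split()
    return settings


def host_key_algs(pmod_text: str) -> List[str]:
    """SSH name-list, in preference order, derived from the module's `sign`.

    Assumption: the back-end keeps the order given in the module.
    """
    tokens = parse_pmod(pmod_text).get("sign", [])
    return [SIGN_TO_SSH[t] for t in tokens if t in SIGN_TO_SSH]


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports is chosen; None means the connection must fail."""
    for alg in client:
        if alg in server:
            return alg
    return None


def reproducer_outcomes() -> Dict[str, Optional[str]]:
    """Expected outcomes for the reproducer's client policies.

    sshd was not reloaded, so the server stays on RSA-SHA1-ONLY throughout.
    """
    server = host_key_algs(RSA_SHA1_ONLY)          # ["ssh-rsa"]
    return {
        "client RSA-SHA1-ONLY": negotiate(host_key_algs(RSA_SHA1_ONLY), server),
        # adding rsa-sha2-256 in front must not remove ssh-rsa from the
        # negotiable set; a conforming client still connects with ssh-rsa
        "client RSA-SHA1-PLUS": negotiate(host_key_algs(RSA_SHA1_PLUS), server),
        # constructed control case: no overlap, so failing is correct here
        "client SHA2-only": negotiate(["rsa-sha2-256", "rsa-sha2-512"], server),
    }


if __name__ == "__main__":
    for case, chosen in reproducer_outcomes().items():
        print(f"{case}: {'connects with ' + chosen if chosen else 'fails'}")
```

Running the script prints the outcome for each client policy. The second line, "client RSA-SHA1-PLUS: connects with ssh-rsa", is what the negotiation rule requires and what the reproducer shows libssh-0.9.6-3.el9 not doing: enabling an additional signature algorithm on the client can only grow the set of algorithms both sides share, so a connection that works with RSA-SHA1 alone must keep working once RSA-SHA2-256 is added in front of it.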

              Sahana Prasad Hebbur Narasimha Prasad (shebburn@redhat.com)
              Alexander Sosedkin (asosedki@redhat.com)
              SSG Security QE
              Votes: 0
              Watchers: 3