Project: RHEL
Issue: RHEL-2754

rsa-sha stops working if other sigalgs are enabled

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects version: rhel-9.1.0
    • Component: libssh
    • Severity: Moderate
    • Teams: sst_security_crypto, ssg_security
      Description of problem: the libssh client stops connecting to an openssh server that accepts rsa-sha only if other sigalgs are enabled
      Version-Release number of selected component: libssh-0.9.6-3.el9
      How reproducible: reliably

      Steps to Reproduce:

      1. Do not run on non-disposable systems (the script rewrites the system-wide crypto policy and appends to the root user's SSH files).

        set -uexo pipefail
        dnf -y install crypto-policies-scripts curl openssh

        # Key pair and local trust for the loopback connection.
        mkdir -p ~/.ssh
        [[ -e ~/.ssh/id_rsa ]] || ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ""
        cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
        ssh-keyscan localhost | tee -a ~/.ssh/known_hosts

        # Two policy modules: RSA-SHA1 alone, and RSA-SHA2-256 in front of RSA-SHA1.
        echo "sign = RSA-SHA1" \
        > /etc/crypto-policies/policies/modules/RSA-SHA1-ONLY.pmod
        echo "sign = RSA-SHA2-256 RSA-SHA1" \
        > /etc/crypto-policies/policies/modules/RSA-SHA1-PLUS.pmod

        # This call reloads services, so sshd now accepts rsa-sha only.
        update-crypto-policies --set LEGACY:RSA-SHA1-ONLY

        curl -k sftp://localhost # works

        # --no-reload leaves sshd running with the RSA-SHA1-ONLY config;
        # only the client side (libssh via curl) picks up the new policy.
        # '|| true' keeps 'set -e' from aborting the script on the expected failure.
        update-crypto-policies --set LEGACY:RSA-SHA1-PLUS --no-reload
        curl -k sftp://localhost || true # breaks
        update-crypto-policies --set LEGACY --no-reload
        curl -k sftp://localhost || true # does not work either

            People on the issue:
            Sahana Prasad Hebbur Narasimha Prasad (shebburn@redhat.com)
            Alexander Sosedkin (asosedki@redhat.com)
            SSG Security QE
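The reproduction above hinges on two things: how a `sign =` line in a policy module turns into an ordered list of SSH RSA signature algorithms, and how a client chooses among them when the server only accepts one of them. The following is an added example written for this page, not code from libssh, OpenSSH or crypto-policies. The `SIGN_TO_SSH` table, the "first enabled algorithm" strategy used as the failing contrast, and the modelled sshd state are assumptions of the example; the report itself does not name the cause of the failure. It models a conforming client per RFC 8332, which consults the server-sig-algs extension (RFC 8308) before signing.

```python
# Added example (written for this issue page, not code from libssh, OpenSSH or
# crypto-policies): client-side RSA signature-algorithm selection for public-key
# authentication, driven by the `sign =` lines of the policy modules in the
# reproduction steps and by the server's server-sig-algs extension.

# Assumed mapping from crypto-policies `sign` names to SSH algorithm names.
# Only the RSA entries needed here are listed.
SIGN_TO_SSH = {
    "RSA-SHA1": "ssh-rsa",
    "RSA-SHA2-256": "rsa-sha2-256",
    "RSA-SHA2-512": "rsa-sha2-512",
}


def rsa_sigalgs_from_pmod(text):
    """Return the RSA signature algorithms a policy module enables, in the
    order they appear in its `sign =` line(s). Comments and unrelated
    directives are ignored; non-RSA names are dropped."""
    algs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "sign":
            continue
        for name in value.split():
            ssh_name = SIGN_TO_SSH.get(name)
            if ssh_name is not None and ssh_name not in algs:
                algs.append(ssh_name)
    return algs


def choose_rsa_sigalg(client_algs, server_sig_algs):
    """Conforming client: walk its own preference list and use the first
    algorithm the server advertised in server-sig-algs. If the server sent no
    extension, fall back to ssh-rsa, the one algorithm an RSA-capable server
    can be assumed to accept (assumption of this example)."""
    if server_sig_algs is None:
        return "ssh-rsa" if "ssh-rsa" in client_algs else None
    for alg in client_algs:
        if alg in server_sig_algs:
            return alg
    return None


def choose_first_enabled(client_algs):
    """Contrast case (assumed, not a statement about libssh internals): a client
    that ignores server-sig-algs and signs with whatever its policy lists first."""
    return client_algs[0] if client_algs else None


def auth_outcome(chosen, server_accepted):
    """Whether a server restricted to `server_accepted` accepts the signature."""
    return chosen is not None and chosen in server_accepted


# Constructed inputs mirroring the two modules from the reproduction steps.
RSA_SHA1_ONLY = "sign = RSA-SHA1\n"
RSA_SHA1_PLUS = "sign = RSA-SHA2-256 RSA-SHA1\n"

# Modelled sshd: reloaded under LEGACY:RSA-SHA1-ONLY and never reloaded again
# (the --no-reload runs), so it accepts and advertises ssh-rsa only.
SERVER_ACCEPTED = rsa_sigalgs_from_pmod(RSA_SHA1_ONLY)
SERVER_SIG_ALGS = list(SERVER_ACCEPTED)


def simulate(client_pmod):
    """Run both client strategies against the modelled server for one policy."""
    client = rsa_sigalgs_from_pmod(client_pmod)
    conforming = choose_rsa_sigalg(client, SERVER_SIG_ALGS)
    first_only = choose_first_enabled(client)
    return {
        "client_algs": client,
        "conforming": (conforming, auth_outcome(conforming, SERVER_ACCEPTED)),
        "first_enabled": (first_only, auth_outcome(first_only, SERVER_ACCEPTED)),
    }


if __name__ == "__main__":
    for name, pmod in (("RSA-SHA1-ONLY", RSA_SHA1_ONLY),
                       ("RSA-SHA1-PLUS", RSA_SHA1_PLUS)):
        print(name, simulate(pmod))
```

With RSA-SHA1-ONLY on both sides every strategy ends up at ssh-rsa. With RSA-SHA1-PLUS on the client, the conforming strategy still lands on ssh-rsa because that is the only entry in server-sig-algs, whereas the first-enabled strategy signs with rsa-sha2-256 and the server rejects it; that is the shape of the failure the steps above exhibit, and the value of checking a client against a server whose accepted list is deliberately narrower than the client's.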