Important note for future FreeBSD base system OpenSSH update
Mathieu Arnold
mat at freebsd.org
Mon Sep 20 19:21:21 UTC 2021
On Sun, Sep 12, 2021 at 05:09:45AM +0700, Eugene Grosbein wrote:
> 10.09.2021 1:01, Ed Maste wrote:
>
> > To check whether a server is using the weak ssh-rsa public key
> > algorithm, for host authentication, try to connect to it after
> > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
> >
> > ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> >
> > If the host key verification fails and no other supported host key
> > types are available, the server software on that host should be
> > upgraded.
>
> I have some telco equipment (E1/SS7) based on a custom Linux distro built by a vendor:
>
> $ ssh -oHostKeyAlgorithms=-ssh-rsa user@host
> Unable to negotiate with X.X.X.X port 22: no matching host key type found. Their offer: ssh-rsa
>
> I've already asked the vendor for a possible upgrade and was told that no upgrade will be available.
>
> Will I be able to use ssh_config and the following command to re-enable the feature after the planned import?
>
> HostKeyAlgorithms ssh-rsa
Same here, I have many telco and even switches and routers that only
support ssh-rsa. Will it be possible to use an ssh_config knob to enable
it back?
--
Mathieu Arnold
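
Added example, not part of the original messages: a small POSIX shell helper that runs the check quoted above across an inventory and lists the hosts whose only host key offer is ssh-rsa, by parsing the "Unable to negotiate" line shown in the thread. The function names, the probe options (BatchMode, ConnectTimeout) and the sample addresses are assumptions; the sample log is constructed.

```shell
#!/bin/sh
# Added example (assumed names, constructed data): find hosts that
# offer only ssh-rsa host keys when probed with ssh-rsa disabled.

# Probe one target (user@host) the way the thread describes.
# BatchMode avoids prompts; stderr carries the negotiation error.
probe() {
    ssh -oBatchMode=yes -oConnectTimeout=5 \
        -oHostKeyAlgorithms=-ssh-rsa "$1" true 2>&1 </dev/null
}

# Read ssh error output on stdin; print "<address> <offer>" for every
# host-key negotiation failure. Key-exchange or auth errors are ignored.
parse_offers() {
    tr -d '\r' | sed -n \
      's/^Unable to negotiate with \([^ ]*\) port [0-9]*: no matching host key type found\. Their offer: \(.*\)$/\1 \2/p'
}

# Print addresses whose offer is exactly ssh-rsa (nothing newer available).
rsa_only_hosts() {
    parse_offers | awk '$2 == "ssh-rsa" { print $1 }'
}

# Constructed sample of collected probe output (documentation addresses).
sample_log() {
    cat <<'EOF'
Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-rsa
Unable to negotiate with 192.0.2.11 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
Unable to negotiate with 192.0.2.12 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
admin@192.0.2.13: Permission denied (publickey).
EOF
}

# Real use: for h in $(cat hosts.txt); do probe "$h"; done | rsa_only_hosts
sample_log | rsa_only_hosts
```

Hosts reported here are the ones that would need either a server upgrade or a per-host client exception once ssh-rsa is off by default.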