Apparently, RSA is insecure, so some time ago it was deprecated for use
with SSH. It is now actually disabled as of Ubuntu 22.04.
On 7/14/22 7:22 PM, Pancho wrote:
Apparently, RSA is insecure, so some time ago it was deprecated for use
with SSH. It is now actually disabled as of Ubuntu 22.04.
Is it truly disabled?
SHA1 support can be re-enabled in /etc/ssh/ssh_config with "PubkeyAcceptedKeyTypes +ssh-rsa" and a reboot but it is indeed unsafe.
On 7/14/22 10:44 PM, A. Dumas wrote:
SHA1 support can be re-enabled in /etc/ssh/ssh_config with
"PubkeyAcceptedKeyTypes +ssh-rsa" and a reboot but it is indeed unsafe.
You shouldn't need to reboot. You should be able to restart the SSH
daemon independently, without a reboot.
Well, of course, but if a user can't even google their problem and a
possible solution, then restarting a service might also be too much
to ask. Reboot is much easier and also works ¯\_(ツ)_/¯
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 7/14/22 10:44 PM, A. Dumas wrote:
SHA1 support can be re-enabled in /etc/ssh/ssh_config with
"PubkeyAcceptedKeyTypes +ssh-rsa" and a reboot but it is indeed unsafe.
You shouldn't need to reboot. You should be able to restart the SSH
daemon independently, without a reboot.
Well, of course, but if a user can't even google their problem and a
possible solution, then restarting a service might also be too much to ask. Reboot is much easier and also works ¯\_(ツ)_/¯
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 7/14/22 7:22 PM, Pancho wrote:
Apparently, RSA is insecure, so some time ago it was deprecated for use
with SSH. It is now actually disabled as of Ubuntu 22.04.
Is it truly disabled?
It definitely isn't. The SHA1 variant is. If you generate a new pair it
will use SHA2 by default, I believe (can't check now but had no trouble generating one when setting up 22.04, without specifying the
algorithm).
If you want to be explicit, use "ssh-keygen -t rsa-sha2-512 -b 2048"
(good enough, really, and 4096 will take much longer on a Pi).
A. Dumas <alexandre@dumas.fr.invalid> wrote:
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 7/14/22 10:44 PM, A. Dumas wrote:
SHA1 support can be re-enabled in /etc/ssh/ssh_config withYou shouldn't need to reboot. You should be able to restart the SSH
"PubkeyAcceptedKeyTypes +ssh-rsa" and a reboot but it is indeed unsafe. >>>
daemon independently, without a reboot.
Well, of course, but if a user can't even google their problem and a
possible solution, then restarting a service might also be too much to ask. >> Reboot is much easier and also works ¯\_(ツ)_/¯
Maybe, although:
sudo service ssh reload
(or 'sudo service ssh restart')
isn't hard. It's more complicated to edit the config file.
A. Dumas <alexandre@dumas.fr.invalid> writes:
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 7/14/22 7:22 PM, Pancho wrote:
Apparently, RSA is insecure, so some time ago it was deprecated for use >>>> with SSH. It is now actually disabled as of Ubuntu 22.04.
Is it truly disabled?
It definitely isn't. The SHA1 variant is. If you generate a new pair it
will use SHA2 by default, I believe (can't check now but had no trouble
generating one when setting up 22.04, without specifying the
algorithm).
RSA keys are not bound to a particular signature algorithm, that is a separate piece of configuration.
If you want to be explicit, use "ssh-keygen -t rsa-sha2-512 -b 2048"
(good enough, really, and 4096 will take much longer on a Pi).
“ssh-keygen -t rsa” is sufficient.
A. Dumas <alexandre@dumas.fr.invalid> wrote:
Grant Taylor <gtaylor@tnetconsulting.net> wrote:
On 7/14/22 10:44 PM, A. Dumas wrote:
SHA1 support can be re-enabled in /etc/ssh/ssh_config withYou shouldn't need to reboot. You should be able to restart the SSH
"PubkeyAcceptedKeyTypes +ssh-rsa" and a reboot but it is indeed unsafe. >> >
daemon independently, without a reboot.
Well, of course, but if a user can't even google their problem and a
possible solution, then restarting a service might also be too much to ask. >> Reboot is much easier and also works ¯\_(ツ)_/¯
Maybe, although:
sudo service ssh reload
(or 'sudo service ssh restart')
isn't hard. It's more complicated to edit the config file.
Except that it's "service sshd", not "service ssh",
On Mon, 18 Jul 2022 17:49:38 +0000, A. Dumas wrote:
Joe Beanfish <joebeanfish@nospam.duh> wrote:
Except that it's "service sshd", not "service ssh",
Nope, not on systemd at least where it should be ssh.
Depends on distro I guess. On CentOS, it's
# systemctl status ssh
Unit ssh.service could not be found.
# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 974 (sshd)
CGroup: /system.slice/sshd.service
└─974 /usr/sbin/sshd -D
One more reason the reboot is the simpler instruction that always works
for a noob. :)
Joe Beanfish <joebeanfish@nospam.duh> wrote:
Except that it's "service sshd", not "service ssh",
Nope, not on systemd at least where it should be ssh.
But then perhaps a noob wouldn't have keys generated in 2014, although
a quick google suggests ssh-keygen only changed the default of RSA-SHA
from SHA1 to SHA2 in release OpenSSH 8.1/8.1p1 (2019-10-09), with the
warning introduced OpenSSH 7.7/7.7p1 (2018-04-02).
Pancho <Pancho.Jones@proton.me> writes:
But then perhaps a noob wouldn't have keys generated in 2014, although
a quick google suggests ssh-keygen only changed the default of RSA-SHA
from SHA1 to SHA2 in release OpenSSH 8.1/8.1p1 (2019-10-09), with the
warning introduced OpenSSH 7.7/7.7p1 (2018-04-02).
Existing RSA keys will work fine with SHA-2 signatures. Nobody needs to generate new keys (unless they want to migrate away from RSA
entirely).
Pancho <Pancho.Jones@proton.me> writes:
But then perhaps a noob wouldn't have keys generated in 2014, although
a quick google suggests ssh-keygen only changed the default of RSA-SHA
from SHA1 to SHA2 in release OpenSSH 8.1/8.1p1 (2019-10-09), with the
warning introduced OpenSSH 7.7/7.7p1 (2018-04-02).
Existing RSA keys will work fine with SHA-2 signatures. Nobody needs to generate new keys (unless they want to migrate away from RSA
entirely).
On 20/07/2022 08:36, Richard Kettlewell wrote:
Pancho <Pancho.Jones@proton.me> writes:
But then perhaps a noob wouldn't have keys generated in 2014, although
a quick google suggests ssh-keygen only changed the default of RSA-SHA
from SHA1 to SHA2 in release OpenSSH 8.1/8.1p1 (2019-10-09), with the
warning introduced OpenSSH 7.7/7.7p1 (2018-04-02).
Existing RSA keys will work fine with SHA-2 signatures. Nobody needs to
generate new keys (unless they want to migrate away from RSA
entirely).
Thanks for clarifying that Richard.
---druck
Sysop: | Weed Hopper |
---|---|
Location: | Clearwater, FL |
Users: | 14 |
Nodes: | 6 (0 / 6) |
Uptime: | 231:12:24 |
Calls: | 55 |
Calls today: | 1 |
Files: | 50,127 |
D/L today: |
29 files (3,538K bytes) |
Messages: | 275,355 |