ssh-rsa + sha1 is no longer allowed by recent openssh
Bug #1962726 reported by
Takashi Kajinami
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Opinion
|
Wishlist
|
Unassigned | ||
Bug Description
Description
===========
Currently create Key-pair API without actual key content returns the key generated at server side which is formatted in ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8
https:/
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It's be required to support other formats like edcsa which are generally recommended.
| summary: |
- ssh-rsa key will not be allowed in future version of openssl/ssh + ssh-rsa key is no longer allowed by recent openssh |
| description: | updated |
| description: | updated |
Revision history for this message
| Sylvain Bauza (sylvain-bauza) wrote Re: ssh-rsa key is no longer allowed by recent openssh | #1 |
| Changed in nova: | |
| importance: | Undecided → Wishlist |
| status: | New → Opinion |
Revision history for this message
| Takashi Kajinami (kajinamit) wrote | #2 |
| summary: |
- ssh-rsa key is no longer allowed by recent openssh + ssh-rsa + sha1 is no longer allowed by recent openssh |
Revision history for this message
| sean mooney (sean-k-mooney) wrote | #3 |
To post a comment you must log in.
We discussed this during the previous Nova meeting and we agreed on the fact this is a correct issue, but we need to deprecate the generation API (and continue to accept to import the public keys).
As this means a new API microversion, we need a spec for it so we'll discuss this during the next PTG.
Closing the bug.