ssh-rsa + sha1 is no longer allowed by recent openssh
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Opinion | Wishlist | Unassigned | |
Bug Description
Description
===========
Currently, the create key-pair API, when called without actual key content, returns a key generated on the server side, formatted as ssh-rsa.
However, ssh-rsa is no longer supported by default since OpenSSH 8.8:
https:/
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually, in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It will be required to support other formats like ecdsa, which are generally recommended.
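As an added example (not code from this bug report or from Nova), the following Python check parses the OpenSSH public key line that a key-pair API returns or imports, validates its wire encoding, and reports the key type and size, so an operator can tell whether a key is of the ssh-rsa type discussed above or one of the recommended types. The key lines it builds are constructed placeholders, not real keys.

```python
import base64
import struct

# "ssh-rsa" keys default to the SHA-1 based signature scheme OpenSSH 8.8 disabled; they keep working only where rsa-sha2-256/512 is negotiated.
LEGACY_SHA1_TYPES = {"ssh-rsa"}
RECOMMENDED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def put_string(data):
    return struct.pack(">I", len(data)) + data

def inspect_public_key(line):
    """Parse an OpenSSH public key line '<type> <base64> [comment]' and classify it."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    wire_type, offset = read_string(blob, 0)
    if wire_type.decode() != key_type:  # the blob repeats the type; both must agree
        raise ValueError("key type field does not match encoded blob")
    info = {"type": key_type, "bits": None}
    if key_type == "ssh-rsa":  # blob layout: type, mpint e, mpint n
        _e, offset = read_string(blob, offset)
        n, _ = read_string(blob, offset)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):  # blob layout: type, curve name, point
        curve, _ = read_string(blob, offset)
        info["bits"] = int(curve.decode().replace("nistp", ""))
    elif key_type == "ssh-ed25519":
        info["bits"] = 256
    if key_type in LEGACY_SHA1_TYPES:
        info["verdict"] = "legacy ssh-rsa: needs rsa-sha2-* support on both ends"
    else:
        info["verdict"] = "recommended" if key_type in RECOMMENDED_TYPES else "unknown type"
    return info

def constructed_key_line(key_type, *fields):  # constructed sample builder, not a real key
    blob = put_string(key_type.encode()) + b"".join(put_string(f) for f in fields)
    return key_type + " " + base64.b64encode(blob).decode() + " constructed-sample"
```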
summary: - ssh-rsa key will not be allowed in future version of openssl/ssh
         + ssh-rsa key is no longer allowed by recent openssh
description: updated
description: updated
summary: - ssh-rsa key is no longer allowed by recent openssh
         + ssh-rsa + sha1 is no longer allowed by recent openssh
We discussed this during the previous Nova meeting and we agreed that this is a correct issue, but we need to deprecate the generation API (and continue to accept importing public keys).
As this means a new API microversion, we need a spec for it, so we'll discuss this during the next PTG.
Closing the bug.