2022-03-02 09:45:23 |
Takashi Kajinami |
bug |
|
|
added bug |
2022-03-02 09:47:06 |
Takashi Kajinami |
summary |
ssh-rsa key will not be allowed in future version of openssl/ssh |
ssh-rsa key is no longer allowed by recent openssh |
|
2022-03-02 09:48:00 |
Takashi Kajinami |
description |
Description
===========
Currently the create Key-pair API, when called without actual key content, returns a key generated on the server side, which is formatted as ssh-rsa.
However ssh-rsa will be disabled in upcoming openssl/openssh, and the plan is to remove it completely in the future.
For example in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It will be required to support other formats like ecdsa, which are generally recommended. |
Description
===========
Currently the create Key-pair API, when called without actual key content, returns a key generated on the server side, which is formatted as ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8
https://www.openssh.com/txt/release-8.8
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It will be required to support other formats like ecdsa, which are generally recommended. |
|
2022-03-02 09:48:07 |
Takashi Kajinami |
description |
Description
===========
Currently the create Key-pair API, when called without actual key content, returns a key generated on the server side, which is formatted as ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8
https://www.openssh.com/txt/release-8.8
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It will be required to support other formats like ecdsa, which are generally recommended. |
Description
===========
Currently the create Key-pair API, when called without actual key content, returns a key generated on the server side, which is formatted as ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8
https://www.openssh.com/txt/release-8.8
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It will be required to support other formats like ecdsa, which are generally recommended. |
|
2022-03-08 17:48:18 |
Sylvain Bauza |
nova: importance |
Undecided |
Wishlist |
|
2022-03-08 17:48:22 |
Sylvain Bauza |
nova: status |
New |
Opinion |
|
2022-03-09 23:57:53 |
Takashi Kajinami |
summary |
ssh-rsa key is no longer allowed by recent openssh |
ssh-rsa + sha1 is no longer allowed by recent openssh |
|