yahoo-eng-team team mailing list archive
Message #88411
[Bug 1962726] [NEW] ssh-rsa key is no longer allowed by recent openssh
Public bug reported:
Description
===========
Currently the create key-pair API, when called without actual key content, returns a key generated on the server side, formatted as ssh-rsa.
However, ssh-rsa is no longer supported by default since OpenSSH 8.8:
https://www.openssh.com/txt/release-8.8
```
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
In fact, in current CentOS 9 Stream SHA-1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA-1/ssh-rsa by default a while ago.
It would be required to support other formats like ecdsa, which are generally
recommended.
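As an added example (not nova's own code, and not part of the original report), the following Python script audits the public-key lines such a key-pair API returns: it decodes the base64 blob, checks that the declared and embedded key types agree, reports the key size, and flags keys of type ssh-rsa so an operator can find server-generated keypairs that clients running OpenSSH 8.8 or newer will refuse by default. The sample keys are constructed placeholders (a synthetic modulus and a synthetic ed25519 point, not real keys), and the `RECOMMENDED_TYPES` set is this example's assumption, following the report's recommendation of ecdsa (and ed25519) over ssh-rsa. One caveat worth keeping in mind: the release note quoted above disables the SHA-1 signature algorithm that carries the name ssh-rsa; RSA keys themselves still work where both sides negotiate rsa-sha2-256 or rsa-sha2-512, so the practical problem is the key format nova emits and the clients that have to consume it.

```python
"""Audit OpenSSH public-key lines ('type base64 comment', the form a key-pair
API returns) and flag the ssh-rsa type that OpenSSH 8.8+ rejects by default
for SHA-1 signatures. Added example; not nova's own code."""
import base64
import struct

# Key types treated as acceptable for server-generated keypairs. This set is
# an assumption for the example, following the report's recommendation.
RECOMMENDED_TYPES = {
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def _write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _write_mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian, with a leading 0x00 if the top bit is set."""
    return _write_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def parse_pubkey_line(line: str) -> dict:
    """Decode the blob, verify the embedded type matches the declared one, and
    report type, comment and (for rsa / ed25519 / ecdsa) key size in bits."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    declared_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    raw_type, offset = _read_string(blob, 0)
    key_type = raw_type.decode("ascii")
    if key_type != declared_type:
        raise ValueError(f"declared type {declared_type!r} != embedded {key_type!r}")
    fields = []
    while offset < len(blob):  # remaining fields are all RFC 4251 strings
        field, offset = _read_string(blob, offset)
        fields.append(field)
    info = {"type": key_type, "comment": parts[2] if len(parts) == 3 else "", "bits": None}
    if key_type == "ssh-rsa" and len(fields) == 2:          # fields: e, n
        info["bits"] = int.from_bytes(fields[1], "big").bit_length()
    elif key_type == "ssh-ed25519" and len(fields) == 1:    # field: 32-byte point
        info["bits"] = len(fields[0]) * 8
    elif key_type.startswith("ecdsa-sha2-nistp") and len(fields) == 2:  # curve, Q
        info["bits"] = int(key_type[len("ecdsa-sha2-nistp"):])
    return info


def is_recommended(line: str) -> bool:
    """True if the key's type is one current OpenSSH accepts by default."""
    return parse_pubkey_line(line)["type"] in RECOMMENDED_TYPES


def build_pubkey_line(key_type: str, encoded_fields, comment: str = "") -> str:
    """Assemble a public-key line from fields already encoded as RFC 4251
    strings. Used here only to construct sample input for the parser."""
    blob = _write_string(key_type.encode("ascii")) + b"".join(encoded_fields)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed sample input: a placeholder 2048-bit modulus and a placeholder
# ed25519 point. These are NOT real keys, only valid encodings.
SAMPLE_RSA = build_pubkey_line(
    "ssh-rsa", [_write_mpint(65537), _write_mpint((1 << 2047) | 1)], "server-generated")
SAMPLE_ED25519 = build_pubkey_line(
    "ssh-ed25519", [_write_string(bytes(range(32)))], "user-supplied")


def audit(lines):
    """Return (comment, type, bits, verdict) for each public-key line."""
    rows = []
    for info in map(parse_pubkey_line, lines):
        verdict = "ok" if info["type"] in RECOMMENDED_TYPES else "deprecated"
        rows.append((info["comment"], info["type"], info["bits"], verdict))
    return rows


if __name__ == "__main__":
    for row in audit([SAMPLE_RSA, SAMPLE_ED25519]):
        print(row)
```

Run against the lines an operator exports from the keypair listing, the "deprecated" rows are the server-generated ssh-rsa keypairs that will start failing against clients with the OpenSSH 8.8 defaults; the type-mismatch check also catches a line whose declared prefix was edited without re-encoding the blob.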
** Affects: nova
Importance: Undecided
Status: New
** Summary changed:
- ssh-rsa key will not be allowed in future version of openssl/ssh
+ ssh-rsa key is no longer allowed by recent openssh
** Description changed:
Description
===========
Currently create Key-pair API without actual key content returns the key generated at server side which is formatted in ssh-rsa.
- However ssh-rsa will be disabled in upcoming openssl/openssh, and the plan is to remove it completely in the future.
- For example in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
+ However ssh-rsa is no longer supported by default since openssh 8.8
+
+
+ https://www.openssh.com/txt/release-8.8
+
+ ```
+
+ This release disables RSA signatures using the SHA-1 hash algorithm
+ by default. This change has been made as the SHA-1 hash algorithm is
+ cryptographically broken, and it is possible to create chosen-prefix
+ hash collisions for <USD$50K [1]
+ ```
+
+ Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It's be required to support other formats like edcsa which are generally
recommended.
** Description changed:
Description
===========
Currently create Key-pair API without actual key content returns the key generated at server side which is formatted in ssh-rsa.
However ssh-rsa is no longer supported by default since openssh 8.8
-
https://www.openssh.com/txt/release-8.8
```
-
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
```
Actually in current CentOS 9 Stream, SHA1 is disabled by default and ssh-rsa no longer works.
Fedora disabled SHA1/ssh-rsa by default a while ago.
It's be required to support other formats like edcsa which are generally
recommended.
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1962726
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1962726/+subscriptions