SSH woes w/ git server

Jürgen Spitzmüller spitz at lyx.org
Fri Oct 15 05:38:00 UTC 2021


On Friday, 15.10.2021 at 07:02 +0200, Jürgen Spitzmüller wrote:
> Dear all
> 
> After a recent software update, I am unable to pull from lyx git.

The cause is most likely this change in OpenSSH 8.8p1:

"This release disables RSA signatures using the SHA-1 hash algorithm by
default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K. For most users, this change should be
invisible and there is no need to replace ssh-rsa keys. OpenSSH has
supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and
existing ssh-rsa keys will automatically use the stronger algorithm
where possible. Incompatibility is more likely when connecting to older
SSH implementations that have not been upgraded or have not closely
tracked improvements in the SSH protocol. For these cases, it may be
necessary to selectively re-enable RSA/SHA1 to allow connection and/or
user authentication via the HostkeyAlgorithms and
PubkeyAcceptedAlgorithms options."

Temporary (unsafe) local workaround seems to be:
PubkeyAcceptedAlgorithms=+ssh-rsa in the ssh_config or sshd_config for
the endpoint

Suggested strategy seems to be to update our server and get rid of the
unsafe signatures.

Jürgen
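
Added example, not part of the original message: because the workaround above is described as temporary and unsafe, this shell function lists every place an ssh_config text re-enables ssh-rsa and whether the setting applies to all hosts or only to one Host block. The function names and the sample hostnames are made up for illustration; PubkeyAcceptedKeyTypes is included because it is the older name of PubkeyAcceptedAlgorithms.

```shell
#!/bin/sh
# Added example: report where ssh_config text re-enables RSA/SHA-1 ("ssh-rsa").
# Reads the named files, or stdin when none are given.
audit_ssh_rsa() {
    awk '
    BEGIN { scope = "(top of file)"; level = "GLOBAL" }
    {
        sub(/[ \t]*=[ \t]*/, " ")          # "Key=value" -> "Key value"
        if (NF == 0 || $1 ~ /^#/) next     # blank line or comment
        key = tolower($1)                  # keywords are case-insensitive
    }
    key == "host" || key == "match" {
        scope = $0; level = "SCOPED"
        for (i = 2; i <= NF; i++)          # "Host *" / "Match all" apply to every host
            if ($i == "*" || (key == "match" && tolower($i) == "all")) level = "GLOBAL"
        next
    }
    key == "hostkeyalgorithms" || key == "pubkeyacceptedalgorithms" ||
    key == "pubkeyacceptedkeytypes" {      # older name, before OpenSSH 8.5
        list = $2
        if (list ~ /^-/) next              # "-" prefix removes algorithms
        sub(/^[+^]/, "", list)             # "+" appends, "^" prepends
        n = split(list, alg, ",")
        for (i = 1; i <= n; i++)
            if (alg[i] == "ssh-rsa") {     # exact name, not ssh-rsa-cert-v01@...
                printf "%s\t%d\t%s\t%s\n", level, NR, scope, $1
                break
            }
    }' "$@"
}

# Constructed sample config; hostnames are placeholders, not from the post.
sample_config() {
    cat <<'EOF'
# constructed sample
PubkeyAcceptedAlgorithms=+ssh-rsa
Host legacy-git.example.org
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa,ssh-ed25519
Host modern.example.org
    PubkeyAcceptedAlgorithms -ssh-rsa
    HostkeyAlgorithms rsa-sha2-512,ssh-rsa-cert-v01@openssh.com
Host *
    pubkeyacceptedkeytypes = +ssh-rsa
EOF
}

sample_config | audit_ssh_rsa
```

Each output line is tab-separated: GLOBAL or SCOPED, the line number, the enclosing Host or Match line, and the option. GLOBAL entries are the ones to remove or move under a single Host block first.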