View Issue Details

ID: 0004754
Project: Rocky-Linux-8
Category: crypto-policies
View Status: public
Last Update: 2023-11-16 09:50
Reporter: Susanne ---
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Summary: 0004754: Crypto-policies Option "min rsa size" not working in RockyLinux 8
Description:
Hello,

Regardless of the Crypto-policy set, it is possible to log in with an RSA 1024 key.

I think this is possibly due to the OpenSSH version installed in RockyLinux 8.
The "min rsa size" in the Crypto-Policies sets the value for the option "RequiredRSASize" in the OpenSSH configuration, but this option was just implemented in OpenSSH version 9.0.
Fedora 37 has implemented the patch openssh-server-8.8p1-7.fc37 which fixed the issue.
Steps To Reproduce:
- generate an RSA 1024 key and copy it to the server
ssh-keygen -t rsa -b 1024 -f ~/.ssh/crypt_1024rsa
ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@rocky8

- set crypto-policy to something bigger than LEGACY
update-crypto-policies --set Default
reboot

- log in with the 1024 key
ssh -i ~/.ssh/crypt_1024rsa root@rocky8 -v

expected behavior:
debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,
debug1: Next authentication method: password
root@root@rocky8 password

actual behavior:
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
debug1: Server accepts key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
debug1: Authentication succeeded (publickey).
Authenticated to rocky8 ([**.**.**.**]:22).


Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2023-11-16 09:50 Susanne --- New Issue
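
While the server accepts such keys at login, an operator can still find them on disk. The following is an added example, not part of the original report or of the crypto-policies project: it parses authorized_keys content and lists every RSA key whose modulus is shorter than a chosen minimum. The function names, the `MIN_RSA_BITS` value and the sample lines built by `sample_line` are assumptions made for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumption: the minimum the active policy is meant to enforce

def _field(buf, off):
    """Read one length-prefixed field (uint32 length + bytes) of a key blob."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (size,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + size
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def rsa_bits(blob):
    """Modulus size in bits of an ssh-rsa public key blob (type, e, n)."""
    ktype, off = _field(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = _field(blob, off)
    n, _ = _field(blob, off)
    return int.from_bytes(n, "big").bit_length()

def weak_rsa_keys(text, min_bits=MIN_RSA_BITS):
    """Return (line_no, bits, comment) for each RSA key shorter than min_bits."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if line.lstrip().startswith("#") or "ssh-rsa" not in fields[:-1]:
            continue  # comment, blank, non-RSA key, or no key data after the type
        i = fields.index("ssh-rsa")  # an options field may precede the key type
        try:
            bits = rsa_bits(base64.b64decode(fields[i + 1], validate=True))
        except ValueError:  # bad base64 or truncated blob: report as size 0
            bits = 0
        if bits < min_bits:
            hits.append((no, bits, " ".join(fields[i + 2:])))
    return hits

def sample_line(bits, comment):
    """Constructed input: a blob of the right shape and size, not a usable key."""
    def mpint(x):  # leading zero byte keeps the value positive
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    print(weak_rsa_keys(sample_line(1024, "crypt_1024rsa") + "\n" + sample_line(3072, "admin")))
```

To audit a real account, pass the contents of its authorized_keys file to `weak_rsa_keys`; a reported size of 0 marks a line whose key data could not be decoded.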