Sunday, 2021-09-26

[15:39] <fungi> clarkb: openssh 8.8 was released today, and drops traditional rsa+sha1 signatures, so this may be incentive for gerrit/mina to implement rfc 8332 support
[15:40] <fungi> workaround in 8.8 will be to re-enable (ideally per-host) with HostKeyAlgorithms +ssh-rsa and PubkeyAcceptedAlgorithms +ssh-rsa
[19:05] <Clark[m]> fungi: if they drop sha1 and default to sha256 then Gerrit should work. It is only an issue when the default fallback remains sha1
[19:05] <Clark[m]> This is what fedora got wrong in their deprecation. I hope openssh proper gets it right
[19:34] <fungi> ahh, maybe. the release notes seemed to imply that rfc 8332 support was needed for that, but maybe not. i guess we'll find out
[20:56] <Clark[m]> fungi: mina supports sha2 with rsa. What it is missing is the key exchange extension to negotiate sha2 instead of sha1. If the client assumes sha2 it should work
[21:20] <fungi> hopefully that's what it will do, but that's what i'm not sure about (will it even try rsa if no hash negotiation support is there?)
[21:31] <Clark[m]> In the old system the way it worked was you do rsa+sha1 as default fallback if nothing else can be negotiated. One of the RFCs explicitly states this default fallback should be changed when sha1 is removed
[21:31] <Clark[m]> Whether or not the software gets updated to do that is definitely an issue, as on fedora
