crypto-policies FUTURE and inability to SSH into system from CentOS 6 system

AkosPrime
Posts: 22
Joined: 2006/01/07 17:51:29

Post by AkosPrime » 2019/10/09 15:56:32

Using the command: update-crypto-policies --set FUTURE (done because the security scanner people complain about some of the ciphers supported in the DEFAULT setting) we found that CentOS 6 systems could no longer SSH into the CentOS 8 systems, and generated this message instead: "no hostkey alg"

I did an 'ssh -vvv' and have the output of that if it's necessary to diagnose the problem, but I was wondering if there was a known issue, and if something needed to be turned on at either end to make CentOS 6 clients able to connect to CentOS 8 servers via SSH when the crypto policy is set to FUTURE.

TrevorH
Forum Moderator
Posts: 26582
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: crypto-policies FUTURE and inability to SSH into system from CentOS 6 system

Post by TrevorH » 2019/10/09 16:39:10

If you look in /etc/crypto-policies/back-ends/opensshserver.config, it has a list of the various parameters that will be used. It would appear that CentOS 6 is just too old to connect to CentOS 8 in FUTURE mode. I tested FUTURE and FIPS and both fail; both LEGACY and DEFAULT work.

You probably want to read the man pages for both update-crypto-policies and crypto-policies, as they have info about what ciphers etc. are allowed and which are disabled in each mode.

Edit: there's a message in /var/log/secure which tells you the problem. For me that is:

Oct 9 18:00:12 centos8 sshd[11406]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke
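
Added example (not part of the thread, and not CentOS tooling): a shell sketch of the two checks the reply above points to, namely whether a given algorithm is listed for HostKeyAlgorithms or PubkeyAcceptedKeyTypes in the policy back-end file, and which key types sshd logged as refused. It assumes the back-end file stores options as -oName=alg1,alg2 tokens; the policy contents and all log lines except the first are constructed samples, not the real FUTURE lists.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the back-end file stores sshd
# options as -oName=alg1,alg2 tokens; sample data below is constructed.

# policy_list FILE OPTION: print the algorithms set for OPTION, one per line.
policy_list() {
    tr -s " '\"\t" '\n\n\n\n' < "$1" | sed -n "s/^-o$2=//p" | tr ',' '\n'
}

# policy_allows FILE OPTION ALG: succeed only if ALG is listed for OPTION.
policy_allows() {
    policy_list "$1" "$2" | grep -Fxq -- "$3"
}

# rejected_key_types LOG: print "keytype count" for each key type sshd refused.
rejected_key_types() {
    sed -n 's/.*sshd\[[0-9]*\]: userauth_pubkey: key type \([^ ]*\) not in PubkeyAcceptedKeyTypes.*/\1/p' "$1" |
        sort | uniq -c | awk '{print $2, $1}'
}

POLICY=$(mktemp) LOG=$(mktemp)
trap 'rm -f "$POLICY" "$LOG"' EXIT

# Constructed stand-in for /etc/crypto-policies/back-ends/opensshserver.config
cat > "$POLICY" <<'EOF'
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,aes256-ctr -oHostKeyAlgorithms=rsa-sha2-512,ssh-ed25519 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,ssh-ed25519'
EOF

# First line is the one quoted in the thread; the rest are constructed.
cat > "$LOG" <<'EOF'
Oct 9 18:00:12 centos8 sshd[11406]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Oct 9 18:02:41 centos8 sshd[11452]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Oct 9 18:03:05 centos8 sshd[11460]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
Oct 9 18:04:10 centos8 sshd[11471]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF

for opt in HostKeyAlgorithms PubkeyAcceptedKeyTypes; do
    for alg in ssh-rsa ssh-ed25519; do
        if policy_allows "$POLICY" "$opt" "$alg"; then verdict=allowed; else verdict=rejected; fi
        echo "$opt $alg: $verdict"
    done
done
rejected_key_types "$LOG"
```

On a real server, point the functions at the back-end file and /var/log/secure named in the reply instead of the temporary sample files.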
