crypto-policies FUTURE and inability to SSH into system from CentOS 6 system

AkosPrime
Posts: 28
Joined: 2006/01/07 17:51:29

crypto-policies FUTURE and inability to SSH into system from CentOS 6 system

Post by AkosPrime » 2019/10/09 15:56:32

Using the command: update-crypto-policies --set FUTURE (done because the security scanner people complain about some of the ciphers supported in the DEFAULT setting) we found that CentOS 6 systems could no longer SSH into the CentOS 8 systems, and generated this message instead: "no hostkey alg"

I did a 'ssh -vvv' and have the output of that if it's necessary to diagnose the problem. But was wondering if there was a known issue and if something needed to be turned on at either end to make CentOS 6 clients able to connect to CentOS 8 servers via SSH when crypto policy is set to FUTURE?

TrevorH
Forum Moderator
Posts: 26923
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: crypto-policies FUTURE and inability to SSH into system from CentOS 6 system

Post by TrevorH » 2019/10/09 16:39:10

If you look in /etc/crypto-policies/back-ends/opensshserver.config it has a list of the various parameters that will be used. It would appear that CentOS 6 is just too old to connect to CentOS 8 in FUTURE mode. I tested FUTURE and FIPS and both fail, both LEGACY and DEFAULT work.

You probably want to read the man pages for both update-crypto-policies and crypto-policies as they have info about what ciphers etc are allowed and which are disabled in each mode.

Edit: there's a message in /var/log/secure which tells you the problem. For me that is

Oct 9 18:00:12 centos8 sshd[11406]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

AkosPrime
Posts: 28
Joined: 2006/01/07 17:51:29

Re: crypto-policies FUTURE and inability to SSH into system from CentOS 6 system

Post by AkosPrime » 2019/10/22 14:32:38

I'm wondering if I can just leave the system in DEFAULT crypto policy, but manually edit the file: /usr/share/crypto-policies/DEFAULT/opensshserver.txt and remove the CBC cipher support. This would allow 6.x systems to connect to 8.x systems during the transitional period, while also keeping the security scanning hg's off my back. I'll test that soon and post my results.
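As an added illustration (not code from either poster), here is a small Python script that reads a line in the format of /etc/crypto-policies/back-ends/opensshserver.config, checks which sshd options leave no algorithm in common with an old client such as CentOS 6's OpenSSH (this is what produces "no hostkey alg" and the "key type ssh-rsa not in PubkeyAcceptedKeyTypes" log entry), and then produces a copy of the line with the CBC ciphers stripped, as proposed in the post above. The two sample config lines and the old-client algorithm set are constructed assumptions for the example, not real policy dumps or a verified CentOS 6 feature list.

```python
"""Compare an opensshserver.config-style policy line against what an old
SSH client can offer, and derive a variant without CBC ciphers.
All sample data below is constructed for this example."""
import re

# Constructed sample in the one-line '-oOption=a,b,c' format used by
# /etc/crypto-policies/back-ends/opensshserver.config. Algorithm lists are
# illustrative and do not reproduce the real FUTURE/DEFAULT policies.
SAMPLE_FUTURE = (
    "-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr "
    "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512 "
    "-oKexAlgorithms=curve25519-sha256,diffie-hellman-group-exchange-sha256 "
    "-oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-512,ssh-ed25519 "
    "-oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512,ssh-ed25519"
)
SAMPLE_DEFAULT = (
    "-oCiphers=aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,aes128-cbc "
    "-oMACs=hmac-sha2-256,hmac-sha1 "
    "-oKexAlgorithms=curve25519-sha256,diffie-hellman-group14-sha1 "
    "-oHostKeyAlgorithms=rsa-sha2-256,ssh-rsa,ssh-ed25519 "
    "-oPubkeyAcceptedKeyTypes=rsa-sha2-256,ssh-rsa,ssh-ed25519"
)

# Assumed algorithm set for an old client (e.g. CentOS 6's OpenSSH 5.3):
# no rsa-sha2-*, no ed25519, no curve25519, no AEAD ciphers. Illustrative only.
OLD_CLIENT = {
    "Ciphers": {"aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-cbc"},
    "MACs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "KexAlgorithms": {"diffie-hellman-group-exchange-sha256",
                      "diffie-hellman-group14-sha1"},
    "HostKeyAlgorithms": {"ssh-rsa", "ssh-dss"},
    "PubkeyAcceptedKeyTypes": {"ssh-rsa", "ssh-dss"},
}


def parse_policy(line):
    """Turn '-oKey=v1,v2 -oOther=v3' into {'Key': ['v1', 'v2'], 'Other': ['v3']}."""
    return {m.group(1): m.group(2).split(",")
            for m in re.finditer(r"-o(\w+)=(\S+)", line)}


def negotiate(server, client):
    """Server-preference-ordered list of algorithms both sides support, per option."""
    return {opt: [a for a in server.get(opt, []) if a in client.get(opt, set())]
            for opt in client}


def blocking_options(server_line, client=OLD_CLIENT):
    """Sorted names of options with nothing in common; any entry means the
    old client cannot connect or authenticate against this policy."""
    common = negotiate(parse_policy(server_line), client)
    return sorted(opt for opt, algs in common.items() if not algs)


def drop_cbc(server_line):
    """Rewrite only the Ciphers option, removing every *-cbc entry and
    leaving host-key and public-key settings untouched."""
    def strip_cbc(match):
        kept = [c for c in match.group(1).split(",") if not c.endswith("-cbc")]
        return "-oCiphers=" + ",".join(kept)
    return re.sub(r"-oCiphers=(\S+)", strip_cbc, server_line)


if __name__ == "__main__":
    print("FUTURE blocks on:", blocking_options(SAMPLE_FUTURE))
    print("DEFAULT blocks on:", blocking_options(SAMPLE_DEFAULT))
    print("DEFAULT without CBC:", drop_cbc(SAMPLE_DEFAULT))
    print("still connects:", not blocking_options(drop_cbc(SAMPLE_DEFAULT)))
```

With the constructed samples, the FUTURE line fails only on HostKeyAlgorithms and PubkeyAcceptedKeyTypes (the old client has no SHA-2 RSA signature types), while the DEFAULT line with CBC removed still negotiates aes256-ctr and ssh-rsa, which is the outcome the post above is hoping for. To check a real host the same way, feed it the contents of the back-end config file instead of the sample string.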
