On 2020-12-26 14:48:27 -0600 (-0600), Pete Zaitcev wrote:
> Does anyone here happen to know how to deal with something like this:
>
> [...]
> debug1: Offering public key: /q/zaitcev/.ssh/id_rsa_ostk2014 RSA SHA256:nz5*** explicit agent
> debug1: send_pubkey_test: no mutual signature algorithm
> debug1: No more authentication methods to try.
> [...]
>
> I guess that ssh client in Fedora 33 has a cipher suite that has no
> intersection with the ssh server at review.opendev.org. But I do not
> understand what the server is offering, so I do not know what I need
> to enable.

You're basically on track with your assumptions. OpenSSH 8.4 (client included in Fedora 33) has deprecated[*] ssh-rsa authentication because it relies on SHA-1 hashes but Fedora decided[**] to go a step further and update their own crypto policy to just go ahead and break it completely.

You might try and see whether the UpdateHostKeys option works around this (our current Gerrit version does have SHA-2 support for RSA keys). Supposedly, switching to using elliptic curve keys (ed25519 or ecdsa) is another way to solve it. If that doesn't do the trick, you can add a host entry for review.opendev.org in your ~/.ssh/config file to set PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512 so that it will look for them.

There are also ways to downgrade the security of your connections, but I won't enumerate them here since you presumably chose Fedora 33 for a reason and I would rather not argue against their system security choices.

[*] https://www.openssh.com/releasenotes.html
[**] https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

-- 
Jeremy Stanley
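
Added example, not part of either message above: a small shell helper that picks out of `ssh -v` output the key that was dropped with "no mutual signature algorithm" and prints the host entry the reply describes. The function names `diagnose_ssh_log` and `host_stanza` are hypothetical, the sample log is the excerpt from the quoted message split back onto separate lines, and key paths are assumed to contain no spaces.

```shell
#!/bin/sh
# diagnose_ssh_log: read `ssh -v` debug output on stdin and print
# "<type> <path>" for every offered public key that the client gave up on
# with "no mutual signature algorithm". Exit status 0 if any was found.
diagnose_ssh_log() {
    awk '
        /^debug1: Offering public key: / {
            path = $5; type = $6      # remember the key currently on offer
            next
        }
        /^debug1: send_pubkey_test: no mutual signature algorithm/ {
            if (path != "") { print type " " path; found = 1 }
            path = ""
        }
        END { exit (found ? 0 : 1) }
    '
}

# host_stanza HOST: print the ~/.ssh/config entry suggested in the reply,
# which adds the SHA-2 RSA signature algorithms for that one host only.
host_stanza() {
    printf 'Host %s\n    PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512\n' "$1"
}

# Sample input: the debug lines quoted in the thread (fingerprint is
# redacted in the original post and kept that way here).
SAMPLE_LOG='debug1: Offering public key: /q/zaitcev/.ssh/id_rsa_ostk2014 RSA SHA256:nz5*** explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: No more authentication methods to try.'

if rejected=$(printf '%s\n' "$SAMPLE_LOG" | diagnose_ssh_log); then
    echo "Key dropped before any signature was attempted: $rejected"
    echo "Entry to append to ~/.ssh/config:"
    host_stanza review.opendev.org
fi
```

After adding the entry, `ssh -G review.opendev.org` prints the configuration the client will actually use for that host, which confirms the override was picked up.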