[infra] ssh authentication error with Gerrit

Jeremy Stanley fungi at yuggoth.org
Sat Dec 26 21:14:10 UTC 2020

On 2020-12-26 14:48:27 -0600 (-0600), Pete Zaitcev wrote:
> Does anyone here happen to know how to deal with something like
> this:
> debug1: Offering public key: /q/zaitcev/.ssh/id_rsa_ostk2014 RSA SHA256:nz5*** explicit agent
> debug1: send_pubkey_test: no mutual signature algorithm
> debug1: No more authentication methods to try.
> I guess that ssh client in Fedora 33 has a cipher suite that has
> no intersection with the ssh server at review.opendev.org. But I
> do not understand what the server is offering, so I do not know
> what I need to enable.

You're basically on track with your assumptions. OpenSSH 8.4 (client
included in Fedora 33) has deprecated[*] ssh-rsa authentication
because it relies on SHA-1 hashes but Fedora decided[**] to go a
step further and update their own crypto policy to just go ahead and
break it completely. You might try and see whether the
UpdateHostKeys option works around this (our current Gerrit version
does have SHA-2 support for RSA keys). Supposedly, switching to
using elliptic curve keys (ed25519 or ecdsa) is another way to solve
it. If that doesn't do the trick, you can add a host entry for
review.opendev.org in your ~/.ssh/config file to set
PubkeyAcceptedKeyTypes +rsa-sha2-256,rsa-sha2-512 so that it will
look for them.

There are also ways to downgrade the security of your connections,
but I won't enumerate them here since you presumably chose Fedora 33
for a reason and I would rather not argue against their system
security choices.

[*] https://www.openssh.com/releasenotes.html
[**] https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20201226/83f82fd4/attachment.sig>

More information about the openstack-discuss mailing list