Crypto-policies Option "min rsa size" not working in AlmaLinux 8

[5u5ann9]

Hello,

regadless of the Crypto-policy set, it is possible to login with a rsa 1024 key.

I think this is possibly due to the OpenSSH version installed in Almalinux 8. The "min rsa size" in the Crypto-Policies set the value for the option "RequiredRSASize" in OpenSSH configuration, but this option was just implemented in OpenSSH version 9.0. Fedora 37 has implementet the patch openssh-server-8.8p1-7.fc37 which fixed the issue.

Steps to reproduce:

• generate an rsa 1024 key and copy this to the server

  ssh-keygen -t rsa -b 1024 -f ~/.ssh/cp_rsa1024
  ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@almalinux8

• set crypto-policy to something bigger then LEGACY

  update-crypto-policies --set Default
  reboot

• login with the 1024key

  ssh -i ~/.ssh/crypt_1024rsa root@root@almalinux8 -v

  expected behavior:

  debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,
  debug1: Next authentication method: password
  root@root@almalinux8 password

  actual behavior:

  debug1: Next authentication method: publickey
  debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
  debug1: Server accepts key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
  debug1: Authentication succeeded (publickey).
  Authenticated to almalinux8 ([**.**.**.**]:22).