Description
Running ./securedrop-admin verify invokes testinfra, which connects to app/mon using paramiko (instead of e.g. openssh). When testing against noble, it started failing with the error (on the sshd side):
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
I found https://security.stackexchange.com/questions/270349/understanding-ssh-rsa-not-in-pubkeyacceptedalgorithms which explains:
> However, there's also the signature algorithm ssh-rsa which stands for RSA signatures using the SHA-1 hash algorithm. Since SHA-1 is insecure, OpenSSH disables the ssh-rsa signature algorithm since version 8.8. SSH clients and servers are now expected to use rsa-sha2-256 (RSA signatures with SHA-256) or rsa-sha2-512 (RSA signatures with SHA-512).
Reading the paramiko changelog (we're currently on 2.7.2), it seems support was added in 2.9.0: https://www.paramiko.org/changelog.html#2.9.0
Upgrading to 2.9.2 works on a Tails 6 workstation talking to noble; we can verify the focal side in CI.
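The compatibility rule described in this issue, as an added example (not code from the issue or from SecureDrop): it predicts whether RSA public-key auth will be rejected for a given paramiko version and server banner, and pulls the rejected algorithm out of sshd log lines. It assumes sshd's default PubkeyAcceptedAlgorithms; the function names, banners and log lines are constructed for illustration.

```python
import re

PARAMIKO_RSA_SHA2_MIN = (2, 9, 0)  # rsa-sha2-256/512 support, per the changelog linked above
OPENSSH_SSH_RSA_OFF = (8, 8)       # "ssh-rsa" (SHA-1) signatures off by default since 8.8

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")
REJECT_RE = re.compile(r"userauth_pubkey: key type (\S+) not in PubkeyAcceptedAlgorithms")


def parse_version(text):
    """Turn '2.7.2' into (2, 7, 2); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def openssh_version(banner):
    """Extract (major, minor) from an SSH identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def rsa_auth_expected_to_fail(paramiko_version, server_banner):
    """Predict the failure for an RSA key, assuming default sshd settings.

    Returns None when the server is not recognisably OpenSSH.
    """
    server = openssh_version(server_banner)
    if server is None:
        return None
    client_has_sha2 = parse_version(paramiko_version) >= PARAMIKO_RSA_SHA2_MIN
    return server >= OPENSSH_SSH_RSA_OFF and not client_has_sha2


def rejected_algorithms(sshd_log_lines):
    """Collect the algorithm names sshd reported as rejected before auth."""
    return {m.group(1) for line in sshd_log_lines if (m := REJECT_RE.search(line))}


# Constructed samples (not captured from real hosts).
NOBLE_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
FOCAL_BANNER = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11"
SAMPLE_LOG = [
    "sshd[1234]: Connection from 10.0.0.5 port 50000 on 10.0.0.10 port 22",
    "sshd[1234]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]",
]

if __name__ == "__main__":
    for version in ("2.7.2", "2.9.2"):
        for name, banner in (("noble", NOBLE_BANNER), ("focal", FOCAL_BANNER)):
            print(version, name, rsa_auth_expected_to_fail(version, banner))
    print(rejected_algorithms(SAMPLE_LOG))
```

A server that overrides PubkeyAcceptedAlgorithms in sshd_config can behave differently from this prediction, so the sshd log remains the authoritative signal.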