Open amarinderca opened 6 months ago
The "workaround" is to add ssh-rsa-cert-v01@openssh.com to HostKeyAlgorithms and PubkeyAcceptedAlgorithms on Alma 9 by overriding the Crypto Policy (server and client).

Any plans to upgrade the tctl auth sign command to allow creating a 'better' host certificate than the current type, ssh-rsa-cert-v01@openssh.com? I tried quite a bunch of workarounds found here (even not preferred ones like reenabling legacy stuff), but still having issues with native opensshd on Alma Linux.
@doabu Take a look at allowing ssh-rsa-cert-v01@openssh.com for OpenSSH only from the crypto policy, from the RHEL 9 docs here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#excluding-an-application-from-following-the-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies

For Alma 9:
PubkeyAcceptedAlgorithms and HostKeyAlgorithms for both server and client need an override. You can copy the current crypto policy from /etc/ssh/sshd_config.d/50-redhat.conf and append ssh-rsa-cert-v01@openssh.com to PubkeyAcceptedAlgorithms and HostKeyAlgorithms in /etc/ssh/sshd_config.d/49-crypto-policy-override.conf.

For CentOS 7:
I have ensured that all "weak" algos are disabled in both the server /etc/ssh/sshd_config and client /etc/ssh/ssh_config config. You can get a full list of weak algos from many places. Rule of thumb seems to be to disable anything sha1. However, make sure to test this if you have any legacy systems with older OS that only accept weak algos and make appropriate exceptions.

Hope this helps. I can write up a longer post with exact settings that work for me.
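The Alma 9 override step from the comment above, as an added example written for this page (it is not code from the thread, from Teleport or from AlmaLinux): a POSIX shell script that takes the file holding the current policy lists (the comment names /etc/ssh/sshd_config.d/50-redhat.conf), copies out only the PubkeyAcceptedAlgorithms and HostKeyAlgorithms lines with ssh-rsa-cert-v01@openssh.com appended once, and writes them to a file that sorts before 50-redhat.conf. It also emulates sshd's rule that the first value obtained for a keyword wins, so you can see which list would take effect. The two keyword names, the algorithm name and the file names come from the comment; the function names and the sample policy content in the demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the issue thread. Builds a narrow sshd override that
# re-admits a single signature algorithm name in the two keywords the comment
# names, leaving every other crypto-policy directive alone. sshd uses the first
# value it obtains for a keyword, so a file that sorts before 50-redhat.conf
# (49-... here) takes precedence for those two keywords only.

ALGO="ssh-rsa-cert-v01@openssh.com"

# make_override SRC DST: write DST holding only the PubkeyAcceptedAlgorithms and
# HostKeyAlgorithms lines found in SRC, each with $ALGO appended unless already
# present (so re-running on the override itself does not duplicate the entry).
# Keyword matching is case-insensitive, as in sshd_config.
make_override() {
    src="$1"; dst="$2"
    awk -v algo="$ALGO" '
        { kw = tolower($1) }
        kw == "pubkeyacceptedalgorithms" || kw == "hostkeyalgorithms" {
            list = $2
            n = split(list, parts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (parts[i] == algo) found = 1
            if (!found) list = list "," algo
            print $1 " " list
        }
    ' "$src" > "$dst"
}

# effective_list DIR KEYWORD: walk DIR/*.conf in lexical order (the order an
# Include glob is read) and print the first value seen for KEYWORD, i.e. the one
# sshd would apply. Returns 1 if no file sets it.
effective_list() {
    dir="$1"; kw="$2"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -v kw="$kw" 'tolower($1) == tolower(kw) { print $2; exit }' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# demo: run the two functions against a constructed policy file in a temporary
# directory. The directive lines are a made-up sample in the shape of a
# crypto-policy back-end file, not copied from a real system.
demo() {
    tmp=$(mktemp -d)
cat > "$tmp/50-redhat.conf" <<'EOF'
# constructed sample policy (not a real 50-redhat.conf)
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
EOF
    make_override "$tmp/50-redhat.conf" "$tmp/49-crypto-policy-override.conf"
    echo "--- generated override ---"
    cat "$tmp/49-crypto-policy-override.conf"
    echo "--- effective HostKeyAlgorithms ---"
    effective_list "$tmp" HostKeyAlgorithms
    echo "--- effective Ciphers (untouched, still from 50-redhat.conf) ---"
    effective_list "$tmp" Ciphers
    rm -rf "$tmp"
}

demo
```

On a real host, point make_override at the server policy file and at its client counterpart under ssh_config.d (the comment says both sides need the override), restart sshd, and confirm with `sshd -T | grep -i -e hostkeyalgorithms -e pubkeyacceptedalgorithms` that only those two lists changed. Keep in mind that ssh-rsa-cert-v01@openssh.com as a signature algorithm name is the SHA-1 RSA variant (the rsa-sha2-256/512 cert names are the SHA-2 ones), which is why the script adds just that one name rather than loosening the whole policy; the override is easy to remove again once certificates that need it are gone.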
I've got a similar problem. Just installed a completely new Teleport cluster on a freshly installed Ubuntu VM (24.04) into microk8s. Then enrolled an SSH host there via token create and teleport join. After that, tried to log in to that host via the Teleport Web UI and got in the SSH logs of the host:
userauth_pubkey: signature algorithm ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedAlgorithms [preauth]
which indicates that Teleport still uses the old signature algorithm. When doing a tsh login from a different machine, I could verify with ssh-add -L that the certificates are indeed signed with ssh-rsa-cert-v01. Is there a possibility to configure that behaviour somehow? I haven't found it yet and I don't want to allow the old signature algorithm in our systems.
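Before changing any policy it helps to confirm that the failure really is the rejection quoted in this comment and to see which certificate flavour the agent is presenting. As an added example (not from the thread, Teleport or OpenSSH), the POSIX shell functions below summarise which signature algorithms sshd refused from log lines in the /var/log/messages shape, classify a name as the SHA-1 RSA variant or not, and pick the certificate key types out of `ssh-add -L` style output. The log message text is the one quoted above; the surrounding syslog fields, hostnames, addresses and the key listing are constructed samples.

```shell
#!/bin/sh
# Added example, not from the issue thread. Triage helpers for the
# "signature algorithm ... not in PubkeyAcceptedAlgorithms" rejection.

# rejected_algos FILE: print "count algorithm", most frequent first, for each
# signature algorithm sshd refused because the policy does not list it.
rejected_algos() {
    grep 'userauth_pubkey: signature algorithm .* not in PubkeyAcceptedAlgorithms' "$1" \
      | sed -n 's/.*signature algorithm \([^ ]*\) not in PubkeyAcceptedAlgorithms.*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# is_sha1_rsa ALGO: exit 0 when ALGO is an RSA/SHA-1 signature name (plain
# ssh-rsa or its certificate form). The rsa-sha2-* names are the SHA-2
# variants and are not flagged.
is_sha1_rsa() {
    case "$1" in
        ssh-rsa|ssh-rsa-cert-v01@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_key_types FILE: FILE holds `ssh-add -L` style lines ("type base64 comment");
# print the types that are certificates so you can see what the agent offers.
cert_key_types() {
    awk '$1 ~ /-cert-v01@openssh\.com$/ { print $1 }' "$1"
}

# demo: run the helpers over constructed sample data in a temporary directory.
demo() {
    tmp=$(mktemp -d)
cat > "$tmp/messages" <<'EOF'
Jun  3 10:01:12 alma9 sshd[1412]: userauth_pubkey: signature algorithm ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedAlgorithms [preauth]
Jun  3 10:01:12 alma9 sshd[1412]: Connection closed by authenticating user alice 10.0.0.7 port 51234 [preauth]
Jun  3 10:02:40 alma9 sshd[1420]: userauth_pubkey: signature algorithm ssh-rsa-cert-v01@openssh.com not in PubkeyAcceptedAlgorithms [preauth]
Jun  3 10:03:05 alma9 sshd[1433]: Accepted publickey for bob from 10.0.0.8 port 51300 ssh2: ED25519-CERT SHA256:CONSTRUCTED_FINGERPRINT
EOF
cat > "$tmp/agent-keys" <<'EOF'
ssh-rsa-cert-v01@openssh.com AAAA_CONSTRUCTED_CERT_BLOB alice@example
ssh-rsa AAAA_CONSTRUCTED_KEY_BLOB alice@example
EOF
    echo "--- refused signature algorithms ---"
    rejected_algos "$tmp/messages" | while read -r count algo; do
        if is_sha1_rsa "$algo"; then tag="SHA-1 RSA"; else tag="other"; fi
        echo "$count $algo ($tag)"
    done
    echo "--- certificate types presented by the agent ---"
    cert_key_types "$tmp/agent-keys"
    rm -rf "$tmp"
}

demo
```

A non-zero count for ssh-rsa-cert-v01@openssh.com together with that type in the agent listing is the combination the comment describes; a count for some other algorithm, or no matching lines at all, points at a different cause, so the crypto-policy override would not be the right response.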
Expected behavior:
As mentioned in #10918, ssh-rsa-cert-v01 is no longer on the approval list of PubkeyAcceptedAlgorithms for many new OSes like Alma 9. This issue of Teleport generating ssh-rsa-cert-v01 public keys is still present with tctl auth sign --format=openssh --host=myhost --out=myhost when manually enrolling agentless hosts. This specifically causes issues when connecting from centos7 -> alma9 machines directly, as the ssh command fails. We are able to ssh from alma9 machines to centos7 machines.

Current behavior:
CASignatureAlgorithms=+ssh-rsa is not a valid option on CentOS 7 with ssh version OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017. We are not able to ssh from centos7 machines to alma9 machines.
Bug details:
Teleport version: Teleport v15.2.0 git:v15.2.0-0-gbb8bd77 go1.21.8

Recreation steps:
tctl auth sign
Add HostKey, HostCertificate, TrustedUserCAKeys to /etc/ssh/sshd_config as shown in the docs on both hosts and restart sshd
and the issue is fixed

Debug logs:
/var/log/messages