Open anoadragon453 opened 2 years ago
I was going to say "surely we just generate an Ed25519 key", but then I read https://www.chiark.greenend.org.uk/~cjwatson/blog/lp-new-ssh-features.html. It sounds like that would be ok in a Twisted that contains https://github.com/twisted/twisted/pull/1210 ?
This landed in Twisted 21.2.0, whereas our minimum Twisted version is currently:
The curve25519-sha256 signature type is supported in Twisted 20.3.0.
One can use nmap --script ssh2-enum-algos -sV -p 9000 localhost to determine what algorithms are supported on the Twisted conch version of a running Synapse server... though I'll admit I don't know which of these are actually relevant here.
The manhole has a hard-coded private key (https://github.com/matrix-org/synapse/issues/3850) which uses the ssh-rsa signature type. This refers to a combination of RSA and SHA-1, and is now quite outdated. In fact it's so outdated that newer versions of OpenSSL will now refuse to connect (ssh-rsa was deprecated in OpenSSL v8.2, and disabled in OpenSSL v8.8). We should (at least) use a key with a more up-to-date signature algorithm.

A workaround, if needed, is to add the following to your ~/.ssh/config:
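As an added example (not code from Synapse or Twisted), the following parses the name-lists of a server's SSH_MSG_KEXINIT, which is what an algorithm enumeration such as ssh2-enum-algos reads, and flags a host key offer that relies on ssh-rsa. The KEXINIT bytes are constructed inline for the demonstration, not captured from a running manhole.

```python
import struct
# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1)
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
SSH_MSG_KEXINIT = 20
MODERN_HOST_KEY_ALGOS = ("rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519")

def build_kexinit(lists):
    """Assemble a KEXINIT payload from a dict of name-lists (constructed test data)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + zeroed cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode the name-lists of a KEXINIT payload into a dict of algorithm lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip message id and the 16-byte cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[field] = raw.split(",") if raw else []
    return lists

def host_key_findings(payload):
    """Report when the server's host key offer depends on ssh-rsa (RSA over SHA-1)."""
    offered = parse_kexinit(payload)["server_host_key_algorithms"]
    findings = []
    if "ssh-rsa" in offered:
        findings.append("offers ssh-rsa (RSA signatures over SHA-1)")
    if not any(algo in offered for algo in MODERN_HOST_KEY_ALGOS):
        findings.append("no SHA-2 RSA or Ed25519 host key algorithm offered")
    return findings

# Constructed KEXINIT of an ssh-rsa-only server; not a capture from a real Synapse manhole
LEGACY_SERVER_KEXINIT = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-rsa"],
})
```

A server that also offers rsa-sha2-256 or ssh-ed25519 only gets the first finding, since the same RSA key can sign with SHA-2 once the server advertises it.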