
SSH certificate issue with 1.4rc1
Open, High, Public, BUG

Description

Hi All

I've just started to upgrade my couple of routers running 1.3.4 and have found an issue with 1.4rc1.

For security reasons, for one of my instances I've disabled SSH password authentication and allow only user certificates. However, in 1.4rc1, despite the config accepting the certificate, it seems the algorithm isn't enabled with sshd.

Here are the lines of my config:

set system login user chris authentication public-keys chris@router key 'blah blah'
set system login user chris authentication public-keys chris@router type 'ssh-rsa'
set service ssh disable-password-authentication

but I get the following error in the log when I try to connect:

sshd[7380]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

It seems there's been a change in sshd which disabled some old algorithms by default, so luckily the error message is self-explanatory, and if I add the following line to /run/ssh/sshd_conf, all works again (I also re-enabled password authentication before the upgrade just in case, so I could log in):

PubkeyAcceptedAlgorithms +ssh-rsa

...so as part of 1.4 it might be a good idea to consider adding the above in the config upgrades, or add the option in the CLI (I couldn't seem to find it) and add it if found in the existing config.

Thanks

Chris..

Details

Difficulty level: Unknown (require assessment)
Version: 1.4rc1
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Well, I was checking this issue and I guess we have to consider:

1. The problem here is that the users with this problem are using an old key signed with ssh-rsa-1, which is not considered safe anymore. Do we want users with weak keys to be able to log in?
2. In case we want to support deprecated algorithms, how are we going to do it: silently, or with a setting on the SSH side like "set service ssh support-unsecure-ciphers" to make users aware that it is not safe anymore?
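The following is an added example and not code from this report or from VyOS. It puts the two halves of the discussion above into working form: it scans sshd log lines of the kind quoted in the description for rejected public-key signature algorithms and flags the known-weak ones, checks the effective configuration as printed by sshd -T for ssh-rsa, and renders the PubkeyAcceptedAlgorithms +ssh-rsa fragment only when an explicit opt-in flag is set, which is the "make users aware" variant from the comment. The log excerpt and the sshd -T output are constructed samples, the allow_legacy_ssh_rsa flag is a hypothetical stand-in for the proposed support-unsecure-ciphers option (it does not exist in VyOS), and the function names are chosen for this example. Background the page leaves implicit: OpenSSH 8.8 stopped accepting the ssh-rsa signature scheme because it uses SHA-1; the same RSA key keeps working when the client signs with rsa-sha2-256 or rsa-sha2-512, so re-enabling ssh-rsa is a compatibility concession for old clients, not a requirement for RSA keys as such.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sshd log excerpt (not taken from the report); the second line mirrors
# the message quoted in the bug description, the others are plausible neighbours.
SAMPLE_LOG = """\
Jan 10 12:00:01 router sshd[7380]: Connection from 192.0.2.10 port 51234 on 192.0.2.1 port 22
Jan 10 12:00:01 router sshd[7380]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jan 10 12:00:02 router sshd[7380]: Connection closed by authenticating user chris 192.0.2.10 port 51234 [preauth]
Jan 10 12:01:15 router sshd[7402]: userauth_pubkey: signature algorithm ssh-dss not in PubkeyAcceptedAlgorithms [preauth]
Jan 10 12:02:00 router sshd[7410]: Accepted publickey for chris from 192.0.2.10 port 51300 ssh2: RSA SHA256:constructedfingerprint
"""

# Signature algorithms a current OpenSSH refuses by default: ssh-rsa (RSA with SHA-1,
# off since OpenSSH 8.8) and ssh-dss (DSA). An RSA *key* still works via the
# rsa-sha2-256 / rsa-sha2-512 signature algorithms, so only the SHA-1 scheme is weak.
LEGACY_SIGNATURE_ALGORITHMS = frozenset({"ssh-rsa", "ssh-dss"})

REJECT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: userauth_pubkey: signature algorithm (?P<alg>\S+) "
    r"not in PubkeyAcceptedAlgorithms"
)


@dataclass(frozen=True)
class Rejection:
    pid: int          # sshd child that handled the connection
    algorithm: str    # signature algorithm the client offered
    legacy: bool      # True if it is one of the known-weak schemes


def find_rejections(log_text: str) -> List[Rejection]:
    """One Rejection per line where sshd refused a public-key signature algorithm."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            alg = m.group("alg")
            found.append(Rejection(int(m.group("pid")), alg, alg in LEGACY_SIGNATURE_ALGORITHMS))
    return found


def ssh_rsa_accepted(sshd_t_output: str) -> Optional[bool]:
    """Check the effective sshd configuration as printed by `sshd -T`.

    `sshd -T` prints lowercase keywords followed by a comma-separated value list.
    Returns True/False for ssh-rsa, or None when no such keyword is present.
    The older keyword spelling pubkeyacceptedkeytypes is handled as well.
    """
    for line in sshd_t_output.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword in ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"):
            return "ssh-rsa" in value.split(",")
    return None


def render_sshd_fragment(allow_legacy_ssh_rsa: bool) -> str:
    """sshd_config lines an upgrade hook could emit.

    `allow_legacy_ssh_rsa` stands in for a hypothetical opt-in CLI flag such as the
    'set service ssh support-unsecure-ciphers' idea from the comments; it is not an
    existing VyOS option. With the flag off nothing is emitted, so the secure
    OpenSSH default stays in force.
    """
    if not allow_legacy_ssh_rsa:
        return ""
    return ("# legacy SHA-1 RSA signatures explicitly re-enabled by the operator\n"
            "PubkeyAcceptedAlgorithms +ssh-rsa\n")


if __name__ == "__main__":
    for r in find_rejections(SAMPLE_LOG):
        print(f"sshd[{r.pid}] rejected {r.algorithm} ({'WEAK' if r.legacy else 'unknown'})")
    print(render_sshd_fragment(allow_legacy_ssh_rsa=True), end="")
```

Feeding the router's real auth log to find_rejections shows which sessions are still signing with SHA-1 RSA before any compatibility option is switched on, and running ssh_rsa_accepted over the live sshd -T output after the change confirms that sshd actually picked up the fragment rather than a stale /run/ssh/sshd_conf.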