Nick | Message | Time |
---|---|---|
fungi | clarkb: openssh 8.8 was released today, and drops traditional rsa+sha1 signatures, so this may be incentive for gerrit/mina to implement rfc 8332 support | 15:39 |
fungi | workaround in 8.8 will be to reenable (ideally per-host) with HostkeyAlgorithms +ssh-rsa and PubkeyAcceptedAlgorithms +ssh-rsa | 15:40 |
Clark[m] | fungi: if they drop sha1 and default to sha256 then Gerrit should work. It is only an issue when the default fallback remains sha1 | 19:05 |
Clark[m] | This is what fedora got wrong in their deprecation. I hope openssh proper gets it right | 19:05 |
fungi | ahh, maybe. the release notes seemed to imply that rfc 8332 support was needed for that, but maybe not. i guess we'll find out | 19:34 |
Clark[m] | fungi: mina supports sha2 with rsa. What it is missing is the key exchange extension to negotiate sha2 instead of sha1. If the client assumes sha2 it should work | 20:56 |
fungi | hopefully that's what it will do, but that's what i'm not sure about (will it even try rsa if no hash negotiation support is there?) | 21:20 |
Clark[m] | In the old system the way it worked was you do rsa+sha1 as default fallback if nothing else can be negotiated. One of the RFCs explicitly states this default fallback should be changed when sha1 is removed | 21:31 |
Clark[m] | Whether or not the software gets updated to do that is definitely an issue as on fedora | 21:31 |