#6798 ED25519 SSH CA keys in dist-git are not recognized by RHEL6 machines con
Closed: Fixed 6 years ago Opened 6 years ago by jjelen.

Recently, the RSA host key of "pkgs.fedoraproject.org" was signed using an ssh-ed25519 key (I can't see any announcement about that), which is not recognized by old RHEL6 machines; this makes dist-git inaccessible from such a system (without the workaround -o HostKeyAlgorithms=ssh-rsa).

Per discussion in OpenSSH upstream, there is no simple way to make it work in old RHEL6, nor to fix that in upstream/RHEL7. The easiest way would be not to use a CA based on ED25519 keys yet, if we aim for compatibility with RHEL6 (which I believe we do).

The server can offer different keys, so I would suggest creating

  • rsa keys signed by an rsa certificate authority for legacy deployments
  • ed25519 key signed by an ed25519 certificate authority for current deployments

This will make it work for old systems, and the new ones will be using future-proof algorithms (at the price of maintaining two CA keys and host keys).

The related bug report, which I am going to close:
https://bugzilla.redhat.com/show_bug.cgi?id=1450609
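The dual-CA layout proposed above, as an added example that is not code from the ticket or from Fedora infrastructure: two host CAs, each signing only a host key of its own algorithm, plus the sshd_config and known_hosts lines that go with them. It assumes OpenSSH's ssh-keygen is installed; the host name is the one from the ticket, and all file paths are assumptions.

```shell
#!/bin/sh
# Added example: run an RSA host CA and an ed25519 host CA side by side so that a
# legacy client (RHEL6, no ssh-ed25519 support) validates the RSA host certificate
# while a current client validates the ed25519 one. Paths/names are assumptions.
set -eu

HOST="pkgs.fedoraproject.org"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# One CA key and one host key per algorithm; each host key is signed ONLY by the CA
# of the same algorithm, so a client without ed25519 never sees an ed25519 signature.
make_dual_ca() {
    for alg in rsa ed25519; do
        ssh-keygen -q -t "$alg" -N '' -C "host-ca-$alg" -f "$WORKDIR/ca_$alg"
        ssh-keygen -q -t "$alg" -N '' -C "$HOST" -f "$WORKDIR/ssh_host_${alg}_key"
        # -h: host certificate; -n: principal pinned to the host name; -V: validity
        ssh-keygen -q -s "$WORKDIR/ca_$alg" -I "$HOST-$alg" -h -n "$HOST" -V +52w \
            "$WORKDIR/ssh_host_${alg}_key.pub"
    done
}

# Certificate key type as reported by ssh-keygen -L, e.g. ssh-rsa-cert-v01@openssh.com
cert_type() {
    ssh-keygen -L -f "$WORKDIR/ssh_host_$1_key-cert.pub" | awk '/Type:/ {print $2; exit}'
}

# sshd offers every configured HostKey/HostCertificate pair; the client picks one
# according to its HostKeyAlgorithms preference.
sshd_config_snippet() {
    for alg in rsa ed25519; do
        echo "HostKey /etc/ssh/ssh_host_${alg}_key"
        echo "HostCertificate /etc/ssh/ssh_host_${alg}_key-cert.pub"
    done
}

# known_hosts trust anchors. A RHEL6 client carries only the rsa line; a modern
# client can carry both (usage: known_hosts_snippet rsa ed25519).
known_hosts_snippet() {
    for alg in "$@"; do
        printf '@cert-authority %s %s\n' "$HOST" "$(cut -d' ' -f1,2 "$WORKDIR/ca_$alg.pub")"
    done
}

if [ "${1:-}" = "demo" ]; then
    make_dual_ca
    sshd_config_snippet
    known_hosts_snippet rsa ed25519
    # Until the RSA certificate is deployed, the ticket's client-side workaround is:
    #   ssh -o HostKeyAlgorithms=ssh-rsa $HOST
fi
```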


Metadata Update from @ausil:
- Issue assigned to puiterwijk

6 years ago

Any update/progress on this after two weeks?

This should now be fixed by the certs being removed.
I will recreate the cert with an RSA key later today, but it should now work.

Metadata Update from @puiterwijk:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Verified from my RHEL6 machine and it works fine now. Thank you.

