SFTP failed after OpenSSH upgrade

Hi,

I updated my SFTP Rocky8 machine last Saturday, and OpenSSH is now updated.

to:
openssh-8.0p1-24.el8.x86_64
openssh-clients-8.0p1-24.el8.x86_64
openssh-server-8.0p1-24.el8.x86_64
from:
openssh-clients-8.0p1-19.el8_9.2.x86_64
openssh-server-8.0p1-19.el8_9.2.x86_64
openssh-8.0p1-19.el8_9.2.x86_64

Following this, all of my sftp connections began to fail. I saw /var/log/secure.

Prior to the update, it was connecting without issue.

The interesting thing is that I can connect to Winscp without trouble. It appears to solely affect server-to-server connections.

Can anyone make any suggestions on this? Please let me know if further information should be added.

I assume jcraft is the client and Rocky is the server?

In that case, you might need to update the client, if it’s sending an old style ssh-rsa signature, or regenerate the key pair.

ssh-rsa is in the default list of PubKeyAcceptedKeyTypes. Updating openssh has nothing to do with ssh-rsa now being disabled. So it’s either:

  • You have set a crypto policy that forbids ssh-rsa, such as FIPS or FUTURE, or created a modified crypto policy that changes the values
  • You have disabled crypto policies in openssh and modified sshd_config with that option and your own values, thus removing ssh-rsa

You have two choices. Either, generate an accepted key that is not ssh-rsa (e.g. ssh-keygen -t ed25519) or reset your crypto policies back to the default.

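A diagnostic script for the two causes listed in the reply above, added here as an example and not taken from the thread: it parses an `sshd -T` dump for PubkeyAcceptedKeyTypes and checks whether /etc/sysconfig/sshd has opted out of the system-wide crypto policy (the uncommented `CRYPTO_POLICY=` line RHEL/Rocky 8 uses for that). The function names and the sample inputs are my own constructions; the live run at the end assumes a Rocky/RHEL 8 host where `sshd -T` and `update-crypto-policies --show` exist and is skipped elsewhere.

```shell
#!/usr/bin/env bash
# Added diagnostic helper (not from the thread). Inputs are passed as strings
# so the checks can be run against output captured on another machine.
set -u

# Return 0 if KEYTYPE is listed in pubkeyacceptedkeytypes of an "sshd -T"
# dump, 1 if it is absent, 2 if the option does not appear at all.
sshd_accepts_keytype() {
  local dump="$1" keytype="$2" list
  list=$(printf '%s\n' "$dump" | awk 'tolower($1)=="pubkeyacceptedkeytypes" {print $2; exit}')
  [ -n "$list" ] || return 2
  case ",$list," in
    *",$keytype,"*) return 0 ;;   # exact comma-delimited match, so ssh-rsa
    *) return 1 ;;                # does not match ssh-rsa-cert-v01@openssh.com
  esac
}

# Return 0 if /etc/sysconfig/sshd (contents in $1) carries an uncommented
# CRYPTO_POLICY= line, i.e. sshd has opted out of the system-wide policy and
# sshd_config supplies its own algorithm lists (second cause above).
crypto_policy_opted_out() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*CRYPTO_POLICY='
}

# Summarise which cause applies. Arguments: sshd -T dump, /etc/sysconfig/sshd
# contents, policy name from "update-crypto-policies --show".
# Prints one line; returns 0 if ssh-rsa is accepted, 1 if it is not.
diagnose_ssh_rsa() {
  local dump="$1" sysconfig="$2" policy="$3"
  if sshd_accepts_keytype "$dump" ssh-rsa; then
    echo "ssh-rsa accepted (policy=$policy); look at the client or key pair instead"
    return 0
  fi
  if crypto_policy_opted_out "$sysconfig"; then
    echo "ssh-rsa rejected: sshd opted out of crypto policies, PubkeyAcceptedKeyTypes set by hand"
  else
    echo "ssh-rsa rejected: crypto policy '$policy' does not allow it"
  fi
  return 1
}

# Live run on the local host (sshd -T needs root). Skipped when the tools are
# absent so the functions can be sourced and exercised with captured output.
if [ "$(id -u)" = 0 ] && command -v sshd >/dev/null 2>&1 \
   && command -v update-crypto-policies >/dev/null 2>&1; then
  diagnose_ssh_rsa "$(sshd -T 2>/dev/null)" "$(cat /etc/sysconfig/sshd)" \
                   "$(update-crypto-policies --show)" || true
fi
```

If the script reports that ssh-rsa is rejected and the policy is not opted out, `update-crypto-policies --set DEFAULT` followed by an sshd restart restores the default list; the alternative is the ed25519 key the reply suggests.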

After generating a new key with ssh-keygen -t ed25519, do I need to update ed25519 here (see the snap)?

or in /home/user/.ssh/authorised_key

Can you suggest?

First a note: copy-pasted text is easier to obfuscate without photo-edit.


Host keys are not the same as user keys.

The (remote) host has some ssh_host_*_key. On first connect you accept and store the corresponding *_key.pub into your (local) ~/.ssh/known_hosts. On future connects this is used to check whether you are again connecting to the same (known) remote – a check against a man-in-the-middle attack.

You did generate an id_ed25519 user key that is on the local machine. If you append the id_ed25519.pub into ~/.ssh/authorized_keys of the remote account, then you can authenticate with that to the remote.
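The distinction the reply draws, as an added example that is not part of the thread: a small script that tells a known_hosts entry (host pattern first, then key type) from an authorized_keys entry (key type first, optionally preceded by options), and appends a user public key to authorized_keys without duplicating it, creating the directory and file with the modes sshd expects. Function names, the sample key lines and the paths in the usage comment are my own assumptions; the key blobs are constructed and not real keys.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Paths are arguments so the functions
# can be exercised against a temporary directory.
set -u

# Nth whitespace-separated field of a line, via awk so no glob expansion
# happens on host patterns such as *.example.com.
_field() { printf '%s\n' "$1" | awk -v n="$2" '{print $n}'; }

# Is this token an SSH public-key algorithm name?
_is_keytype() {
  case "$1" in
    ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-*|sk-*|*-cert-v01@openssh.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "known_hosts", "authorized_keys" or "unknown" for one line.
#   known_hosts:     [@marker] hostpattern keytype blob   (host may be hashed "|1|...")
#   authorized_keys: [options] keytype blob [comment]
key_line_kind() {
  local f1 f2
  f1=$(_field "$1" 1); f2=$(_field "$1" 2)
  if _is_keytype "$f1"; then echo authorized_keys; return 0; fi
  case "$f1" in
    @*|\|1\|*) echo known_hosts; return 0 ;;
  esac
  if _is_keytype "$f2"; then
    case "$f1" in
      from=*|command=*|environment=*|permitopen=*|permitlisten=*|principals=*|tunnel=*|expiry-time=*|restrict*|no-*|cert-authority*)
        echo authorized_keys ;;
      *) echo known_hosts ;;
    esac
    return 0
  fi
  echo unknown; return 1
}

# Append a user public-key line to an authorized_keys file. Creates the
# containing directory (0700) and the file (0600) if missing. Returns 1 if
# the line is not an authorized_keys entry, 3 if the same key blob is
# already present, 0 when the key was added.
install_user_key() {
  local line="$1" auth_file="$2" dir blob
  [ "$(key_line_kind "$line")" = authorized_keys ] || return 1
  blob=$(printf '%s\n' "$line" | awk '{for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $(i+1); exit }}')
  dir=$(dirname "$auth_file")
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  if [ ! -f "$auth_file" ]; then : > "$auth_file" && chmod 600 "$auth_file" || return 1; fi
  if grep -qF -- "$blob" "$auth_file"; then return 3; fi
  printf '%s\n' "$line" >> "$auth_file"
}

# Typical use (assumed paths): generate on the client, then install on the
# SFTP server's account. The host keys in /etc/ssh are never touched.
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
#   install_user_key "$(cat ~/.ssh/id_ed25519.pub)" /home/user/.ssh/authorized_keys
```

The blob comparison rather than a whole-line match means the same key is recognised even if its trailing comment differs between the file and the line being added.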

I am a newbie here. Sorry for the snap update; I'll make sure to copy-paste next time.

I tried to update my crypto policies and it worked.
