Bug 694984 - net-misc/openssh-8.0_p1-r2 w/ dev-libs/openssl-1.1.1d breaks login for TermBot (Android)
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2019-09-19 20:49 UTC by Michał Górny
Modified: 2020-02-17 08:24 UTC
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-19 20:49:54 UTC
After upgrading dev-libs/openssl to 1.1.1d, I can no longer connect to my systems from the Android TermBot client. It gives the following error:

===
Key exchange was not finished, connection is closed.
The server hostkey was not accepted by the verifier callback.
Unknown key type rsa-sha2-512
===

Downgrading openssl to 1.1.1c-r1 resolves the issue. I'm not sure if it's a bug or a feature. Reporting on both ends in case. I suppose it's not nice when you're outta home and discover you can't connect to your computer.
Comment 1 kfm 2019-09-19 21:22:48 UTC
Firstly, take a look at the following.

  sshd -T | awk '$1 == "hostkeyalgorithms"'

Secondly, prevent sshd from advertising any algorithms that your client is complaining about. Below is an example of the syntax. Note that the algorithms are being negated here.

  HostKeyAlgorithms -rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512

If this helps, then it falls upon the maintainer of your client to fix its behaviour because it should simply ignore any advertised algorithms that it does not support, provided that it has at least one in common with the server.
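The list filtering and algorithm selection described in comment 1, as an added shell example that is not part of the original comments or of OpenSSH: `apply_negation` mimics the `-` syntax of `HostKeyAlgorithms` on an algorithm list, and `negotiate` picks the first client algorithm the server also offers (RFC 4253 section 7.1, simplified). The function names and both algorithm lists are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the second field that
# `sshd -T | awk '$1 == "hostkeyalgorithms"'` prints; not from the bug report.
SERVER_DEFAULT="ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
# Hypothetical client that does not know the rsa-sha2-* names.
CLIENT_SUPPORTED="ssh-ed25519,ssh-rsa"

# apply_negation LIST SPEC
# Mimics "HostKeyAlgorithms -pattern,pattern": every name in LIST matching
# one of the patterns after the leading '-' is dropped from the list.
apply_negation() {
    spec=${2#-}
    out=
    old_ifs=$IFS; IFS=,
    set -f                      # keep patterns like rsa-sha2-* from globbing
    for alg in $1; do
        keep=1
        for pat in $spec; do
            case $alg in $pat) keep=0 ;; esac
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out,}$alg"; fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# negotiate CLIENT_LIST SERVER_LIST
# Chooses the first name on the client's list that the server also offers.
# Server names missing from CLIENT_LIST are skipped, never treated as fatal;
# the function fails only when the two lists share nothing.
negotiate() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

trimmed=$(apply_negation "$SERVER_DEFAULT" "-rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512")
echo "advertised after negation: $trimmed"
echo "negotiated host key algorithm: $(negotiate "$CLIENT_SUPPORTED" "$trimmed")"
```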
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-02-17 08:24:53 UTC
Closing as I cannot reproduce the issue and termbot upstream said they need to fix it on their end.