Fedora 33 breaks ssh with gitlab

tldr; add PubkeyAcceptedKeyTypes +ssh-rsa to your gitlab entry on ~/.ssh/config.

Fedora introduced new crypto policies with their latest version. These new policies will add better security to your environment. Hoever, this changes can break your ssh access to certain servers, which happened to me with gitlab.

$ git pull
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.

You can update the remote server to the latest version, which hopefully support newer algorithms. The list of algorithms supported in Fedora 33 is shorter than the previous versions. You can verify that here: /etc/crypto-policies/back-ends/openssh.config. But usually, that's something you can't do with third party services like github or gitlab.

The easy solution

If you don't have control over the server, then you can simply lower the security a little so you can continue working normally.

~/.ssh/config

gitlab.com
    PubkeyAcceptedKeyTypes +ssh-rsa

In 50 years when all the new policies are adopted globally, you can regenerate your keys and remove that line.

The better solution

Create new keys. Make sure you use the ed25519 algorithm (or one supported in /etc/crypto-policies/back-ends/openssh.config). This way you will have a secure and future proof system... until the next policy upgrade, at least. Here is how:

ssh-keygen -t ed25519 -a 64

Then add your public key to the authorized_keys file in the server as you would normally do.


@see