Fedora 33 breaks ssh with gitlab
November 23, 2020•252 words
tldr; add PubkeyAcceptedKeyTypes +ssh-rsa to your gitlab entry in ~/.ssh/config.
Fedora introduced new crypto policies with their latest version. These new policies will add better security to your environment. However, these changes can break your ssh access to certain servers, which happened to me with gitlab.
$ git pull
git@gitlab.com: Permission denied (publickey,keyboard-interactive).
fatal: Could not read from remote repository.
You can update the remote server to the latest version, which hopefully supports newer algorithms. The list of algorithms supported in Fedora 33 is shorter than in previous versions. You can verify that here: /etc/crypto-policies/back-ends/openssh.config. But usually, that's something you can't do with third-party services like github or gitlab.
The easy solution
If you don't have control over the server, then you can simply lower the security a little so you can continue working normally.
~/.ssh/config
Host gitlab.com
    PubkeyAcceptedKeyTypes +ssh-rsa
In 50 years when all the new policies are adopted globally, you can regenerate your keys and remove that line.
The better solution
Create new keys. Make sure you use the ed25519 algorithm (or one supported in /etc/crypto-policies/back-ends/openssh.config). This way you will have a secure and future-proof system... until the next policy upgrade, at least. Here is how:
ssh-keygen -t ed25519 -a 64
Then add your public key to the authorized_keys file on the server as you would normally do.
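To find where the workaround from "The easy solution" is still in place and which keys still need replacing, here is an added audit script (not part of the original post). The sample config, hosts and key files are constructed for the example; it also checks PubkeyAcceptedAlgorithms, the name newer OpenSSH releases use for the same option.

```shell
#!/bin/sh
# Added example: audit an ssh config for the "+ssh-rsa" workaround and a
# directory for RSA public keys. All sample data below is constructed.

# Print the Host pattern of every block in ssh config file $1 that
# re-enables ssh-rsa for public-key authentication.
hosts_with_ssh_rsa_override() {
    awk '
        { sub(/^[ \t]+/, ""); gsub(/=/, " ") }   # accept "Key=value" too
        /^#/ || NF == 0 { next }
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "host" { host = $0; sub(/^[^ \t]+[ \t]+/, "", host); next }
        key == "pubkeyacceptedkeytypes" || key == "pubkeyacceptedalgorithms" {
            val = $2
            if (val ~ /^-/) next                 # "-alg" removes, it does not add
            sub(/^[+^]/, "", val)
            n = split(val, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] == "ssh-rsa") { print (host == "" ? "(global)" : host); break }
        }
    ' "$1"
}

# Print every *.pub file in directory $1 whose key type is ssh-rsa.
rsa_pubkeys() {
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue
        read -r ktype rest < "$f" || true
        [ "$ktype" = "ssh-rsa" ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample data (not real hosts or keys).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/config" <<'EOF'
Host gitlab.com
    PubkeyAcceptedKeyTypes +ssh-rsa
Host build.example
    User git
Host legacy.example
    pubkeyacceptedalgorithms=+ssh-dss,ssh-rsa
EOF
printf 'ssh-rsa AAAAconstructed old@laptop\n' > "$SAMPLE/id_rsa.pub"
printf 'ssh-ed25519 AAAAconstructed new@laptop\n' > "$SAMPLE/id_ed25519.pub"

echo "Host blocks still carrying the workaround:"
hosts_with_ssh_rsa_override "$SAMPLE/config"
echo "RSA public keys to replace with ed25519:"
rsa_pubkeys "$SAMPLE"
```

Point the two functions at ~/.ssh/config and ~/.ssh to check a real setup.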
@see
- Dev.to article
- The tweet that made me aware of the issue.