1. Forum
  2. DOVE-Net
  3. Synchronet Sysops

  • Fedora issues

    From nelgin@VERT/EOTLBBS to All on Sun Oct 20 04:12:46 2024
    Hi all,

    Just a heads up that if you have users that are trying to use recent version of Fedora, at least 38 and also confirmed on 40, they will not be able to connect using ssh and the default settings.

    There's an /etc/ssh/ssh_config.d/50-redhat.conf file which includes some policy file that changes a number of defaults.

    This results in "Invalid key length" when someone tries to ssh to your board.

    I filed a bug report and assigned it to Deuce since he did all the ssh stuff but he unassigned it so I guess we're fucked.

    One work around is to use

    ssh -oRequiredRSASize=1024 user@host

    But...since they cannot connect, you can't tell you user that.

    The fix would be for synchronet to generate 2048 byte host keys but the looks of things. Good luck.

    ---
    þ Synchronet þ End Of The Line BBS - endofthelinebbs.com
  • From Gamgee@VERT/PALANTIR to nelgin on Sun Oct 20 07:54:00 2024
    nelgin wrote to All <=-

    Just a heads up that if you have users that are trying to use recent version of Fedora, at least 38 and also confirmed on 40, they will not
    be able to connect using ssh and the default settings.

    There's an /etc/ssh/ssh_config.d/50-redhat.conf file which includes
    some policy file that changes a number of defaults.

    This results in "Invalid key length" when someone tries to ssh to your board.

    I filed a bug report and assigned it to Deuce since he did all the ssh stuff but he unassigned it so I guess we're fucked.

    Seems like a Fedora issue to me. Maybe they can fix/change their
    "policy file".

    One work around is to use

    ssh -oRequiredRSASize=1024 user@host

    But...since they cannot connect, you can't tell you user that.

    They can connect via telnet, or web.

    The fix would be for synchronet to generate 2048 byte host keys but the looks of things. Good luck.

    Not sure, but would that break the SSH function for everything else?



    ... Internal Error: The system has been taken over by sheep at line 19960
    --- MultiMail/Linux v0.52
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
  • From Ltning@VERT/ANDUIN to Gamgee on Sun Oct 20 14:08:00 2024
    RE: Fedora issues
    BY: Gamgee to nelgin on Sun Oct 20 2024 07:54:00

    nelgin wrote to All <=-
    I filed a bug report and assigned it to Deuce since he did all the ssh stuff but he unassigned it so I guess we're fucked.

    Seems like a Fedora issue to me. Maybe they can fix/change their
    "policy file".

    Not really. A 1024 bit host key is a bit on the weak side; it's not unreasonable for them to choose a stricter default. This is about which key lengths the client expects to see the server present, which translates to how likely it is that the server i

    But...since they cannot connect, you can't tell you user that.

    They can connect via telnet, or web.

    But you can't tell them that either :)

    The fix would be for synchronet to generate 2048 byte host keys but the looks of things. Good luck.

    Not sure, but would that break the SSH function for everything else?

    No it won't, unless you're using SSH for DOS which doesn't support any of the other crypto in any OpenSSH server since 2004 anyway. It would be sane and recommended to up the default key length for host keys to 2048 bits, and perhaps create an ed25519

    - Ltning
    - bbs.anduin.net

    ---
    þ Synchronet þ bbs.anduin.net
  • From Gamgee@VERT/PALANTIR to Ltning on Sun Oct 20 14:37:00 2024
    Ltning wrote to Gamgee <=-

    RE: Fedora issues
    BY: Gamgee to nelgin on Sun Oct 20 2024 07:54:00

    nelgin wrote to All <=-
    I filed a bug report and assigned it to Deuce since he did all the ssh stuff but he unassigned it so I guess we're fucked.

    Seems like a Fedora issue to me. Maybe they can fix/change their
    "policy file".

    Not really. A 1024 bit host key is a bit on the weak side; it's not unreasonable for them to choose a stricter default. This is about which key lengths the client expects to see the server present, which
    translates to how likely it is that the server i

    Okay, didn't know they were that long by default. Still seems a little strange that any other distro (not tested/proven, admittedly) doesn't
    have problems connecting.

    But...since they cannot connect, you can't tell you user that.

    They can connect via telnet, or web.

    But you can't tell them that either :)

    I think anyone attempting to connect to a BBS with SSH would also know
    that it's likely connect-able via telnet or web.

    The fix would be for synchronet to generate 2048 byte host keys but the looks of things. Good luck.

    Not sure, but would that break the SSH function for everything else?

    No it won't, unless you're using SSH for DOS which doesn't support any
    of the other crypto in any OpenSSH server since 2004 anyway. It would
    be sane and recommended to up the default key length for host keys to
    2048 bits, and perhaps create an ed25519

    Okay, more info that I wasn't aware of. Thanks.



    ... Gone crazy, be back later, please leave message.
    --- MultiMail/Linux v0.52
    þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL