Bad server host key: Invalid key length

Bad server host key: Invalid key length

[Jason Merrill]

[-- Attachment #1: Type: text/plain, Size: 310 bytes --]

I just upgraded my laptop to Fedora 39 CSB, and now ssh to sourceware is
rejected with the above error message thanks to the Fedora crypto-policies
openssh.config.  I can work around this easily enough by setting
RequiredRSASize to 1024 in my .ssh/config, but surely I'm not the first to
run into this?

Jason

Re: Bad server host key: Invalid key length

[Frank Ch. Eigler]

> I just upgraded my laptop to Fedora 39 CSB, and now ssh to sourceware is
> rejected with the above error message thanks to the Fedora crypto-policies
> openssh.config.  I can work around this easily enough by setting
> RequiredRSASize to 1024 in my .ssh/config, but surely I'm not the first to
> run into this?

You may be the second.  Nuke all the sourceware references in your .ssh/known_hosts and try again.

- FChE

Re: Bad server host key: Invalid key length

[Mark Wielaard]

Hi,

On Sun, Feb 04, 2024 at 09:20:33PM +0100, Frank Ch. Eigler via Overseers wrote:
> 
> > I just upgraded my laptop to Fedora 39 CSB, and now ssh to sourceware is
> > rejected with the above error message thanks to the Fedora crypto-policies
> > openssh.config.  I can work around this easily enough by setting
> > RequiredRSASize to 1024 in my .ssh/config, but surely I'm not the first to
> > run into this?
> 
> You may be the second.  Nuke all the sourceware references in your .ssh/known_hosts and try again.

Yeah, this is a misleading ssh client warning/error:
https://inbox.sourceware.org/20230308105633.GI22818@gnu.wildebeest.org/

= openssh update produces misleading invalid key length warning

Connecting to sourceware through ssh with a newer openssh or crypto
policy might produce a misleading warning about the key length being
too short:

  Bad server host key: Invalid key length

Please don't try to replace your ssh key, there is nothing wrong with
it. The issue is that you might have an old server key in your
~/.ssh/known_hosts file. Simply remove it and reconnect to get the new
server key:

ssh-keygen -R sourceware.org
ssh-keygen -R cygwin.com
ssh-keygen -R gcc.gnu.org

See also https://bugzilla.redhat.com/show_bug.cgi?id=2164016

Re: Bad server host key: Invalid key length

[Jason Merrill]

[-- Attachment #1: Type: text/plain, Size: 1528 bytes --]

On Sun, Feb 4, 2024 at 3:31 PM Mark Wielaard <mark@klomp.org> wrote:

> Hi,
>
> On Sun, Feb 04, 2024 at 09:20:33PM +0100, Frank Ch. Eigler via Overseers
> wrote:
> >
> > > I just upgraded my laptop to Fedora 39 CSB, and now ssh to sourceware
> is
> > > rejected with the above error message thanks to the Fedora
> crypto-policies
> > > openssh.config.  I can work around this easily enough by setting
> > > RequiredRSASize to 1024 in my .ssh/config, but surely I'm not the
> first to
> > > run into this?
> >
> > You may be the second.  Nuke all the sourceware references in your
> .ssh/known_hosts and try again.
>
> Yeah, this is a misleading ssh client warning/error:
> https://inbox.sourceware.org/20230308105633.GI22818@gnu.wildebeest.org/
>
> = openssh update produces misleading invalid key length warning
>
> Connecting to sourceware through ssh with a newer openssh or crypto
> policy might produce a misleading warning about the key length being
> too short:
>
>   Bad server host key: Invalid key length
>
> Please don't try to replace your ssh key, there is nothing wrong with
> it. The issue is that you might have an old server key in your
> ~/.ssh/known_hosts file. Simply remove it and reconnect to get the new
> server key:
>
> ssh-keygen -R sourceware.org
> ssh-keygen -R cygwin.com
> ssh-keygen -R gcc.gnu.org
>
> See also https://bugzilla.redhat.com/show_bug.cgi?id=2164016


Thanks for pointing me in the right direction, what a terrible diagnostic.

Jason