You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In RHEL 9, SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy. Except for HMAC, SHA-1 is no longer allowed in TLS, DTLS, SSH, IKEv2, DNSSEC, and Kerberos protocols. Individual applications not controlled by the RHEL system-wide crypto policies are also moving away from using SHA-1 hashes in RHEL 9.
root@centos-vm-7 11:47:20 ~
$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
ad:15:01:5c:a9:db:69:64:2b:0c:4c:5f:be:f9:e1:44 root@centos-vm-7
The key's randomart image is:
+--[ECDSA 256]---+
| ..oo. |
| . . o. |
| o . +. |
| o o.+.E |
| oS=o* |
| +oB o |
| .o + . |
| o |
| |
+-----------------+
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
今天从服务器 A(CentOS 7.3)配置 SSH 无密码登录服务器 B(CentOS Steam 9),发现执行以下常规操作后无法实现:
后来,更换 ecdsa 算法,问题才解决:
根本原因就在于 SHA-1 已经在 RHEL9 中弃用了!
从 RHEL9 的官网文档《1.0.2. Crypto-policies, RHEL core cryptographic components, and protocols(加密策略、RHEL 核心加密组件和协议)》可以看到 SHA-1 已经在 RHEL9 中弃用了!
在 RHEL 9 中,用于签名的 SHA-1 用法在 DEFAULT 系统范围的加密策略中受到限制。除 HMAC 外,TLS、DTLS、SSH、IKEv2、DNSSEC 和 Kerberos 协议中不再允许使用 SHA-1。不受 RHEL 系统范围的加密策略控制的单个应用程序在 RHEL 9 中也不再使用 SHA-1 hashes。
跨用户免密码登录
从服务器 A(CentOS 7.3)的 root 用户已配置 SSH 无密码登录服务器 B(CentOS Steam 9)的 shenweiyan 用户。
/root/.ssh目录会得到两个文件:参考资料
Beta Was this translation helpful? Give feedback.
All reactions