theooze
Contributor

SSH CA-signed certificates not working in 7.0 u1

in 6.7.x and 7.0.0 I have the following sshd_config:

Protocol 2
FipsMode yes
IPQoS lowdelay throughput
RekeyLimit 1G, 1H
SyslogFacility auth
LogLevel info
PermitRootLogin yes
PrintMotd yes
PrintLastLog no
TCPKeepAlive yes
X11Forwarding no
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
UsePAM yes
PasswordAuthentication no
Banner /etc/issue
Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
ClientAliveInterval 200
MaxStartups 10:30:100
HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub

This works fine, and when I connect via ssh, the CA-signed HostCertificate is used. In 7.0u1+ it's not. Was there some change that caused this to stop working? The version of OpenSSH being used in 7.0u1+ should support this parameter.

This is pretty easily repeatable - I can kickstart a system (using a VM for testing) with 6.7 or 7.0.0 and it's fine; kickstart the same thing as 7.0u1 or u2 and it stops working.

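sshd only uses a HostCertificate that pairs with one of its HostKeys (a mismatch is logged and the certificate is ignored), so the certificate file itself is the first thing to inspect on the 7.0u1 host. The following is an added example, not code from this post or from VMware: a parser for the ssh-ed25519-cert-v01@openssh.com format used by the posted config, plus a check for the conditions under which sshd ignores the certificate (not a host certificate, public key does not match the HostKey) or a client rejects it (outside its validity window). The sample certificate, its host name and `build_sample_cert`/`sample_hostkey_pub` are constructed placeholders, and the CA signature is not verified.

```python
import base64, struct
CERT_HOST = 2  # OpenSSH certificate type field: 1 = user certificate, 2 = host certificate
def pack_str(b):  # encode an RFC 4251 string
    return struct.pack(">I", len(b)) + b
def read_strs(buf, off, n=1):  # read n consecutive RFC 4251 strings -> (list, new offset)
    out = []
    for _ in range(n):
        ln = struct.unpack(">I", buf[off:off + 4])[0]
        out.append(buf[off + 4:off + 4 + ln])
        off += 4 + ln
    return out, off
def parse_ed25519_cert(line):
    """Decode one ssh-ed25519-cert-v01@openssh.com line from a *-cert.pub file (signature NOT verified)."""
    ktype, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    (name, _nonce, pk), off = read_strs(buf, 0, 3)
    if name.decode() != ktype or ktype != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("not an ed25519 certificate: " + ktype)
    (serial, ctype), off = struct.unpack(">QI", buf[off:off + 12]), off + 12
    (key_id, princ_blob), off = read_strs(buf, off, 2)
    (after, before), off = struct.unpack(">QQ", buf[off:off + 16]), off + 16
    principals, p = [], 0
    while p < len(princ_blob):  # valid_principals is itself a packed list of strings
        (s,), p = read_strs(princ_blob, p)
        principals.append(s.decode())
    return {"pk": pk, "serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": after, "valid_before": before}
def check_host_cert(cert_line, hostkey_pub_line, now):
    """Why sshd would ignore this HostCertificate (wrong type, key mismatch) or a client reject it (validity)."""
    c = parse_ed25519_cert(cert_line)
    (kname, kpk), _ = read_strs(base64.b64decode(hostkey_pub_line.split()[1]), 0, 2)
    problems = []
    if c["type"] != CERT_HOST:
        problems.append("not a host certificate (type %d)" % c["type"])
    if kname != b"ssh-ed25519" or kpk != c["pk"]:
        problems.append("certificate public key does not match HostKey")
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside validity window")
    return problems
def build_sample_cert(pk, ctype, principals, after, before):
    """Constructed sample: zero nonce, empty options, dummy CA key and signature (NOT a real signed cert)."""
    body = (pack_str(b"ssh-ed25519-cert-v01@openssh.com") + pack_str(bytes(32)) + pack_str(pk)
            + struct.pack(">QI", 7, ctype) + pack_str(b"esxi-host")
            + pack_str(b"".join(pack_str(x.encode()) for x in principals))
            + struct.pack(">QQ", after, before) + pack_str(b"") * 3  # critical options, extensions, reserved
            + pack_str(pack_str(b"ssh-ed25519") + pack_str(b"\x01" * 32))   # CA public key blob
            + pack_str(pack_str(b"ssh-ed25519") + pack_str(b"\x02" * 64)))  # signature blob
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
def sample_hostkey_pub(pk):  # the matching ssh_host_ed25519_key.pub line
    return "ssh-ed25519 " + base64.b64encode(pack_str(b"ssh-ed25519") + pack_str(pk)).decode()
```

Feed it the real /etc/ssh/ssh_host_ed25519_key-cert.pub and ssh_host_ed25519_key.pub lines from the host; where the OpenSSH tools are available, `ssh-keygen -L -f <cert>` prints the same fields for comparison.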