RE: Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 

As I understand it, Pageant only accepts PuTTY's native format for private keys. There is a method in PuTTYgen to import an OpenSSH private key and export it in PuTTY format. Just select "Import key" from the Conversions menu, then save the imported key as though you just generated it. You should not need to save the public key as you already have the one generated by OpenSSH.

Mike McManus
Principal – Technology Security
GTO Security Governance Team - Unix
P: He/Him/His

AT&T Services, Inc.
20309 North Creek Pkwy, Bothell, WA 98011
michael.mcmanus@xxxxxxx

-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+mm1072=att.com@xxxxxxxxxxx> On Behalf Of Jochen Bern
Sent: Monday, June 30, 2025 6:00 AM
To: Brian Candler <b.candler@xxxxxxxxx>
Cc: OpenSSH <openssh-unix-dev@xxxxxxxxxxx>
Subject: Re: Config to have "ssh too-old-host" error out (with chosen message, and sans actual connection attempt)?

On 30.06.25 14:34, Brian Candler wrote:
> On 30/06/2025 13:14, Jochen Bern wrote:
>> What I've seen getting *specifically* refused is my local ssh-agent
>> signing with the older (and shorter, 4kb) RSA keypair, but that
>> doesn't seem to explain *all* the now-failing connections, either
> 
> That's a 4096-bit RSA key pair? Can you show the error message?
> 
> If it's not fixed by
> 
>    PubkeyAcceptedAlgorithms +ssh-rsa
>    HostKeyAlgorithms +ssh-rsa
> 
> then I don't know what the issue might be.

... it seems that I have to take that statement back, sorry. There was 
(still is) a combo of error messages

> Authenticating with public key "..." from agent
> Pageant failed to provide a signature

when I run *puTTY* against the OpenSSH ssh-agent loaded with (only) the 
old RSA key, but temporarily changing a still-working target host to 
only accept that keypair and then logging in with the *same* ssh-agent 
and "ssh" works fine ...

(And yes, puTTY can use the *newer* keypair straight out of OpenSSH's 
agent ... weird ... the privkey's file format should be fully irrelevant 
at that point, shouldn't it?)

> $ file .ssh/id_binect_*rsa
> .ssh/id_binect_newrsa: OpenSSH private key
> .ssh/id_binect_rsa:    PEM RSA private key

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux