Dealing with legacy issues around Red Hat crypto versions? Here's a fix

If you're running a mixture of new and old RHEL versions, you may have problems SSHing from new to old. Luckily, someone has worked out a handy way around it.

The issue is relatively simple: the default security settings in RHEL 9 mean that you can't open an SSH connection to a machine running RHEL 6 or older, which relies on the deprecated SHA-1 hash algorithm. There are other, related issues as well: the inability to upgrade old RPM packages that are signed with SHA-1 signatures, and Firefox's inability to connect to an HTTPS server that uses a very old version of the protocol.

In some ways, this is fair enough. RHEL 6 reached its end of maintenance support in November 2020, and it's now in its "Extended Life phase". This is a known problem, and it has a relatively simple fix:

The problem is that this easy fix seriously downgrades the security of your shiny new RHEL 9 systems.

The result is that an issue with some very old OSes that are now past the end of their official maintenance period could affect brand new installations, if you're not careful about which instructions you follow.

In his bug report, Richard W M Jones says that "The alternative is to use service-specific voodoo." The good news is that he's now documented how to implement this specific voodoo.
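As an added illustration (not code from the article or from Richard Jones's documentation), the following check audits an OpenSSH client config and reports whether SHA-1-dependent algorithms are enabled only inside a narrowly scoped `Host` block or for every host. It assumes the service-specific approach for SSH takes the form of per-host client options; the host name and sample config are constructed.

```python
import re

# OpenSSH algorithm names that depend on SHA-1.
SHA1_ALGOS = {"ssh-rsa", "ssh-dss", "hmac-sha1", "hmac-sha1-96",
              "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}
# ssh_config keywords that take an algorithm list.
ALGO_KEYWORDS = {"kexalgorithms", "hostkeyalgorithms", "macs",
                 "pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"}

# Constructed sample; the host name is hypothetical.
SAMPLE = """\
Host rhel6-build.example.internal
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa
Host *
    MACs +hmac-sha1,hmac-sha2-256
    Ciphers -aes128-cbc
    HostKeyAlgorithms -ssh-rsa
"""

def audit_ssh_config(text):
    """Return (scope, keyword, algorithm, verdict) for each SHA-1 algorithm enabled."""
    findings = []
    scope = ["*"]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            scope = value.split()
        elif key == "match":
            scope = ["*"] if value.lower() == "all" else ["match " + value]
        elif key in ALGO_KEYWORDS and not value.startswith("-"):
            # A leading '-' removes algorithms; '+', '^' or a bare list enables them.
            verdict = "GLOBAL" if "*" in scope else "scoped"
            for algo in value.lstrip("+^").split(","):
                if algo.strip() in SHA1_ALGOS:
                    findings.append((" ".join(scope), key, algo.strip(), verdict))
    return findings

if __name__ == "__main__":
    for scope, key, algo, verdict in audit_ssh_config(SAMPLE):
        print(f"{verdict:6} Host {scope}: {key} enables {algo}")
```

A `GLOBAL` finding means the weakened setting applies to connections to every host, not just the legacy one.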

There are also issues with the scp command, which now uses SFTP not SSH. We mentioned this when we covered the release of OpenSSH 9 earlier this year - but this came too late for inclusion in RHEL 9, which launched just a month later, and includes OpenSSH 8.7p1.

It's all down to the pesky old SHA-1 hash algorithm. The Reg has been covering problems with SHA-1 for a long time, starting with the uncovering of weaknesses back in 2005, and problems with Chinese domain registrars still using it in 2016, for which sin Apple blocked its certificates. A SHA-1 collision was found in 2017, when SHA-1 was still used by some 20 per cent of websites.

SHA-1 has been on its way out for a while. By 2020 it was down to about 1 per cent of websites, and Apple dropped support for SHA-1 from macOS 10.15 and iOS 13. Microsoft stopped using SHA-1 signatures for Windows downloads and updates later that year. ®
