OpenSSH generator needs to properly order HostKeyAlgorithms
Today I discovered I couldn't git pull from gitlab.gnome.org due to a host key mismatch. I have an ECDSA key for gitlab.gnome.org in my ~/.ssh/known_hosts, but the server was using RSA. Looked like either an unexpected server misconfiguration, or a MITM attack. Wasn't expecting it to turn out to be a Fedora bug.
This user discovered that it is caused by the latest crypto-policies update, which adds the OpenSSH generator. I think it's caused by b23b7e42. The problem is order matters here: ECDSA needs to be listed before RSA, but the generated config has it backwards. Should check the order in upstream's config and ensure Fedora's matches.
Edited by Michael Catanzaro
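
The ordering problem reported above, as an added example that is not part of the original report or of crypto-policies: it models the SSH rule (RFC 4253, section 7.1) that the host key algorithm used is the first entry in the client's list that the server also supports, then checks the result against known_hosts. Assumptions: the server offers both RSA and ECDSA host keys, and the two algorithm lists, the known_hosts line and all function names are constructed for illustration, not taken from the generated Fedora config.

```python
# Added illustration: models SSH host key algorithm selection (RFC 4253, 7.1).
# All sample data below is constructed; the key blob is a placeholder.

# Signature algorithm name -> host key type as recorded in known_hosts.
KEY_TYPE = {
    "rsa-sha2-512": "ssh-rsa",
    "rsa-sha2-256": "ssh-rsa",
    "ssh-rsa": "ssh-rsa",
}

def key_type(alg):
    """ECDSA/Ed25519 algorithm names equal their key type; RSA variants do not."""
    return KEY_TYPE.get(alg, alg)

def known_types(known_hosts_text, host):
    """Key types recorded for host (plain, unhashed, unmarked entries only)."""
    types = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith(("#", "@")):
            if host in fields[0].split(","):
                types.add(fields[1])
    return types

def negotiate(client_algs, server_algs):
    """First algorithm in the client's list that the server also supports."""
    return next((a for a in client_algs if a in server_algs), None)

def check(host_key_algorithms, server_algs, known_hosts_text, host):
    """Return (algorithm the server will use, whether known_hosts has that type)."""
    client = [a.strip() for a in host_key_algorithms.split(",") if a.strip()]
    chosen = negotiate(client, server_algs)
    known = known_types(known_hosts_text, host)
    return chosen, chosen is not None and key_type(chosen) in known

# Constructed inputs mirroring the report: only an ECDSA key is stored.
KNOWN_HOSTS = "gitlab.gnome.org ecdsa-sha2-nistp256 AAAA_PLACEHOLDER\n"
SERVER = {"ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"}
RSA_FIRST = "rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256"
ECDSA_FIRST = "ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa"

if __name__ == "__main__":
    for name, algs in (("RSA first", RSA_FIRST), ("ECDSA first", ECDSA_FIRST)):
        chosen, ok = check(algs, SERVER, KNOWN_HOSTS, "gitlab.gnome.org")
        state = "matches known_hosts" if ok else "no matching key in known_hosts"
        print(f"{name}: server presents {chosen}; {state}")
```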