
CentOS 7.x CentOS 7.4 sshd deprecated RSAAuthentication

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Oct 25, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    CentOS 7.4 made some security-related updates to sshd to tighten security for sshd. One of them is deprecating RSAAuthentication support.

    On a server upgraded from CentOS 7.3 or lower to CentOS 7.4, the sshd log may have these warnings regarding deprecated options:
    Code (Text):
    journalctl --unit sshd --no-pager | grep 'Deprecated' | tail -5 | sed -e "s|$(hostname)|hostname|g"
    
    Oct 24 19:09:37 hostname sshd[2044]: rexec line 54: Deprecated option RSAAuthentication
    Oct 24 19:37:25 hostname sshd[2171]: rexec line 54: Deprecated option RSAAuthentication
    Oct 24 19:37:26 hostname sshd[2171]: reprocess config line 54: Deprecated option RSAAuthentication
    Oct 24 19:42:24 hostname sshd[2220]: rexec line 54: Deprecated option RSAAuthentication
    Oct 24 19:42:28 hostname sshd[2220]: reprocess config line 54: Deprecated option RSAAuthentication
    

    An easy fix is removing the option from /etc/ssh/sshd_config:
    Code (Text):
    cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config-backup
    sed -i '/RSAAuthentication/d' /etc/ssh/sshd_config
    sdiff -s /etc/ssh/sshd_config /etc/ssh/sshd_config-backup
    systemctl restart sshd
    journalctl --unit sshd --no-pager | grep 'Deprecated' | tail -5 | sed -e "s|$(hostname)|hostname|g"; date
    

    The commands above first back up sshd_config, use sed to remove the lines, then use sdiff to do a side-by-side comparison of the backup and live sshd_config, and then restart the sshd service. Finally, they check the sshd log again and print the current server date at the end.

    Example of sdiff
    Code (Text):
    sdiff -s /etc/ssh/sshd_config /etc/ssh/sshd_config-backup
                                                                  > RSAAuthentication yes
                                                                  > #RhostsRSAAuthentication no
                                                                  > # RhostsRSAAuthentication and HostbasedAuthentication
    

    The backup version is in the right column and the live version is in the left column, showing the removed entries as blank.
     
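The procedure from the post above as a reusable script, added here as an example that is not part of the original thread or Centmin Mod's own code. It goes a little further than the post: option names are taken from the log lines themselves, only active directives are removed (the `sed` pattern in the post also deletes commented lines and `RhostsRSAAuthentication` entries), and `sshd -t` can check the result before a restart. Function names and the sample data in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample data in demo() are constructed.

# Read sshd log lines on stdin, print each deprecated option name once.
deprecated_options() {
    sed -n 's/.*Deprecated option \([A-Za-z0-9]*\).*/\1/p' | sort -u
}

# Remove active directives for option $2 from file $1. Commented lines and
# longer keywords that merely contain the name are kept. A backup is written
# once to $1-backup, and the file is rewritten in place so its owner, mode
# and SELinux label are unchanged.
remove_directive() {
    cfg=$1; opt=$2; tmp=$(mktemp) || return 1
    [ -e "$cfg-backup" ] || cp -a "$cfg" "$cfg-backup" || return 1
    awk -v opt="$opt" 'tolower($1) != tolower(opt)' "$cfg" > "$tmp" &&
        cat "$tmp" > "$cfg"
    rc=$?; rm -f "$tmp"; return $rc
}

# Parse-check a config without touching the running daemon (needs root and
# readable host keys on a real server). Restart sshd only if this returns 0.
validate_config() {
    sshd -t -f "$1"
}

# Constructed demonstration on a throwaway file; prints the resulting config.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/sshd_config" <<'EOF'
Port 22
RSAAuthentication yes
#RhostsRSAAuthentication no
PubkeyAuthentication yes
EOF
    log='Oct 24 19:09:37 hostname sshd[2044]: rexec line 54: Deprecated option RSAAuthentication
Oct 24 19:37:26 hostname sshd[2171]: reprocess config line 54: Deprecated option RSAAuthentication'
    for opt in $(printf '%s\n' "$log" | deprecated_options); do
        remove_directive "$work/sshd_config" "$opt" || return 1
    done
    cat "$work/sshd_config"
    rm -rf "$work"
}
```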
  2. RoldanLT

    RoldanLT Well-Known Member

    What are the downsides of removing it?
     
  3. eva2000

    eva2000 Administrator Staff Member

    Nothing, it isn't used by Centmin Mod at least.