On 26.02.2017 05:45 AM, Robert Dinse wrote:
> On Red Hat-derived systems there have been many recent updates to openssh,
> many of them disabling known-to-be-insecure protocols.
Yes, but the *server* advertised its RSA key (only, which also seems weird, as it should also have been advertising DSA if not disabled and, if DSA were disabled, most likely also ECDSA and ED keys), while the client/libssh only advertised supporting ED-type keys. That's what makes this so wicked.
Mihai