Merge 1c0039d into a6dfba0

docs/workarounds/SHA1-RSA-ssh-keys.md

@@ -0,0 +1,63 @@
+# SHA1 RSA SSH Keys
+
+## Background
+With the release of [OpenSSH 8.2](https://www.openssh.com/txt/release-8.2], SHA1
+RSA keys are disabled by default.
+
+Go currently generates [SHA1 keys](https://github.com/golang/go/issues/37278)
+for CA signed certificates and host keys.
+
+Keys generated by keymaster will be rejected by hosts running OpenSSH 8.2 or
+newer.
+
+   ```
+   userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]
+   ```
+
+## Workaround
+Rebuild the keymasterd binary with [SHA-2](https://go-review.googlesource.com/c/crypto/+/220037/)
+support.
+
+## Howto
+
+1. First get the source
+
+   ```
+   $ mkdir -p ~/go/src/github.com/Cloud-Foundations
+   ```
+
+2. Pull source
+
+   ```
+   $ cd ~/go/src/github.com/Cloud-Foundations
+   $ git clone https://github.com/Cloud-Foundations/keymaster.git
+   ```
+
+3. Get dependencies
+
+   ```
+   $ cd keymaster
+   $ make get-deps
+   ```
+
+4. Update SSH [Crypto](https://go-review.googlesource.com/c/crypto/+/220037/)
+   libraries
+
+   ```
+   $ cd ~/go/src/golang.org/x/crypto/
+   $ git pull https://go.googlesource.com/crypto refs/changes/37/220037/3
+   ```
+
+5. Rebuild keymasterd
+
+   ```
+   cd ~/go/src/github.com/Cloud-Foundations/keymaster
+   make
+   ```
+
+## Links
+* [Keymaster Github Issue](https://github.com/Cloud-Foundations/keymaster/issues/75)
+* [Golang Issue](https://github.com/golang/go/issues/37278)
+* [Golang ChangeList](https://go-review.googlesource.com/c/crypto/+/220037/)
+* [OpenSSH 8.2 Release Notes](https://www.openssh.com/txt/release-8.2)
+* [Okta Workaround](https://support.okta.com/help/s/question/0D51Y00009BJVuZSAX/kali-linux-support-isnt-the-sshrsa-signature-algorithm-a-bad-idea?language=en_US)