allow newer key types on old and new infra (!3) · Merge requests · mfmt / Red

jeremyb requested to merge electricat/red:serveraccess_key_types into master Jan 14, 2026

PubkeyAcceptedKeyTypes doesn't seem to be set on the old infra machine I looked at. I didn't investigate new infra too closely.

I don't know much php and haven't tested the code in an actual installation. I did some mocking, see electricat/red@c325b594.

disallow hardware (FIDO2) keys on old infrastructure

based on checking some things on an old infra server, comparing to my local Debian 13.

compared ssh -Q key vs. my local Debian 13. The old server supports DSS too but Debian 13 doesn't and I figure we don't want to either. Also, taking a hint from mayfirst gitlab: excluding ECDSA too unless FIDO2. When trying to add ECDSA gitlab says:

Key type is forbidden. Must be RSA, ED25519, ECDSA_SK, or ED25519_SK

Edited Jan 14, 2026 by jeremyb

allow newer key types on old and new infra

Merge request reports