This only affect RSA certificates, not ECDSA or ED25519 certs
Even if your CA is an RSA key, you can sign ECDSA or ED25519 public keys so you get ECDSA/ED25519 certificates which allow you to work around the issue without changing anything server-side
(and without deploying a new CA)
Exemple of working cert (7.8 client, <7.8 server):
$ ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub
~/.ssh/id_ed25519-cert.pub:
Type: <email address hidden> user certificate
Public key: ED25519-CERT SHA256:<...>
Signing CA: RSA SHA256:<...>
Key ID: "..."
Hi all,
This only affect RSA certificates, not ECDSA or ED25519 certs
Even if your CA is an RSA key, you can sign ECDSA or ED25519 public keys so you get ECDSA/ED25519 certificates which allow you to work around the issue without changing anything server-side
(and without deploying a new CA)
Exemple of working cert (7.8 client, <7.8 server): id_ed25519- cert.pub id_ed25519- cert.pub:
$ ssh-keygen -Lf ~/.ssh/
~/.ssh/
Type: <email address hidden> user certificate
Public key: ED25519-CERT SHA256:<...>
Signing CA: RSA SHA256:<...>
Key ID: "..."