Crypto-policies Option "min rsa size" not working in AlmaLinux 8

[5u5ann9]

Hello,

regadless of the Crypto-policy set, it is possible to login with a rsa 1024 key.

I think this is possibly due to the OpenSSH version installed in Almalinux 8.
The "min rsa size" in the Crypto-Policies set the value for the option "RequiredRSASize" in OpenSSH configuration, but this option was just implemented in OpenSSH version 9.0.
Fedora 37 has implementet the patch openssh-server-8.8p1-7.fc37 which fixed the issue.

Steps to reproduce:

• generate an rsa 1024 key and copy this to the server

ssh-keygen -t rsa -b 1024 -f ~/.ssh/cp_rsa1024
ssh-copy-id -i ~/.ssh/crypt_1024rsa.pub root@almalinux8

• set crypto-policy to something bigger then LEGACY

update-crypto-policies --set Default
reboot

• login with the 1024key

ssh -i ~/.ssh/crypt_1024rsa root@root@almalinux8 -v

expected behavior:

debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,
debug1: Next authentication method: password
root@root@almalinux8 password

actual behavior:

debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
debug1: Server accepts key: .ssh/crypt_1024rsa RSA SHA256:hkpFBRW/y76PZlG903lf1POqZ90DQfFoRfpqFqD/BwY explicit,
debug1: Authentication succeeded (publickey).
Authenticated to almalinux8 ([**.**.**.**]:22).