
Please add some future-proof hostkey algorithm(s) #747

Open
Polynomial-C opened this issue Feb 15, 2020 · 8 comments
@Polynomial-C

This might become a more and more imminent issue in the not too distant future. With the recent openssh-8.2p1 release there's now the following release note:

Future deprecation notice
=========================

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

The better alternatives include:

 * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
   algorithms have the advantage of using the same key type as
   "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
   supported since OpenSSH 7.2 and are already used by default if the
   client and server support them.

 * The ssh-ed25519 signature algorithm. It has been supported in
   OpenSSH since release 6.5.

 * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
   have been supported by OpenSSH since release 5.7.

To check whether a server is using the weak ssh-rsa public key
algorithm for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:

    ssh -oHostKeyAlgorithms=-ssh-rsa user@host

If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.

A future release of OpenSSH will enable UpdateHostKeys by default
to allow the client to automatically migrate to better algorithms.
Users may consider enabling this option manually.

[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
    Application to the PGP Web of Trust" Leurent, G and Peyrin, T
    (2020) https://eprint.iacr.org/2020/014.pdf

So I tried to be proactive here and set this on all openssh servers I administer:

HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

But none of these algorithms are known by ConnectBot.
Please make at least one future proof algorithm available in ConnectBot.
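The release note quoted above tells you to probe a server with `ssh -oHostKeyAlgorithms=-ssh-rsa`, and the server-side log later in this thread shows the mirror image: sshd printing the host-key algorithms the client is willing to accept. Both lists travel in the same message, SSH_MSG_KEXINIT (RFC 4253 section 7.1). The following is an added example, not code from ConnectBot or OpenSSH: it parses a KEXINIT payload, reports which host-key algorithms still depend on SHA-1, and includes a small network helper that fetches a server's real KEXINIT. The function names are my own, and the sample payloads are constructed so the module also runs offline.

```python
"""Inspect the host-key algorithms an SSH peer offers in its KEXINIT.

Added example for this issue, not code from ConnectBot or OpenSSH.  Wire
format per RFC 4253 (sections 6 and 7.1); function names are my own and
the sample payloads are constructed, so the module runs offline.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Host-key signature algorithms whose signatures still depend on SHA-1.
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

# Order of the ten name-lists that follow the 16-byte cookie (RFC 4253 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _namelist(items):
    """Encode an RFC 4251 name-list: uint32 length, then comma-separated names."""
    data = ",".join(items).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_keys, ciphers, macs, cookie=b"\x00" * 16):
    """Construct a KEXINIT payload; only used here to make sample input."""
    lists = (kex, host_keys, ciphers, ciphers, macs, macs,
             ["none"], ["none"], [], [])
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    body += b"".join(_namelist(nl) for nl in lists)
    body += b"\x00"                 # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)    # reserved for future extension
    return body


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its name-lists (strict on truncation)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16                    # message number + cookie
    out = {}
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %r" % name)
        pos += n
        out[name] = raw.decode("ascii").split(",") if raw else []
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out


def assess_host_keys(algs):
    """Split an offered host-key list into SHA-1-dependent and modern entries.

    For a server's KEXINIT this is what it can authenticate with; for a
    client's KEXINIT it is what the client is willing to accept (the list
    sshd prints after "Their offer:").
    """
    offered = set(algs)
    weak = sorted(a for a in offered if a in SHA1_HOSTKEY_ALGS)
    modern = sorted(offered - SHA1_HOSTKEY_ALGS)
    return {"weak": weak, "modern": modern, "needs_upgrade": not modern}


def read_peer_kexinit(host, port=22, timeout=5.0):
    """Open a TCP connection and return the server's raw KEXINIT payload.

    Before key exchange the binary packet protocol is unencrypted:
    uint32 packet_length, byte padding_length, payload, padding.
    Network helper only; the offline sample below uses build_kexinit().
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        f = sock.makefile("rb")
        while True:                 # skip banner lines before the version string
            line = f.readline()
            if not line:
                raise ConnectionError("peer closed before sending a version string")
            if line.startswith(b"SSH-"):
                break
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - padding_len - 1)
        f.read(padding_len)
        return payload


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        payload = read_peer_kexinit(sys.argv[1])
    else:   # constructed sample: a peer that only knows ssh-rsa
        payload = build_kexinit(["curve25519-sha256"], ["ssh-rsa"],
                                ["aes128-ctr"], ["hmac-sha2-256"])
    print(assess_host_keys(parse_kexinit(payload)["host_key"]))
```

Run it with a hostname to see what a real server offers; with no argument it assesses the constructed sample. A `needs_upgrade` of True on a server means exactly the situation the release note describes (no host-key type left once ssh-rsa is removed); on a client's KEXINIT it is the "Their offer: ssh-rsa" case reported further down this thread.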

@BenBergman

Adding support for the new U2F/FIDO keys would also be great (ideally both through NFC and USB).

@bentolor

I've limited all my servers to modern crypto only. Believe it or not, this inhibits many of the brute force attacks from the internet:

KexAlgorithms curve25519-sha256,[email protected]
Ciphers chacha20-poly1305@openssh.com
MACs [email protected]
HostKeyAlgorithms ssh-ed25519

I no longer can connect via connectbot. Log says due to host key algorithm: `ssh-ed25519`. I'm a little confused because this comment from @kruton seems to say that ssh-ed25519 should be supported since 2016.

But my server reports, that Connect Bot only offers ssh-rsa:

no matching host key type found. Their offer: ssh-rsa [preauth]

I understand that connectbot is very dependent on upstream. ssh-ed25519 and chacha20-poly1305 are from 2014 so I'd assume established support.

Can anyone shed some light, what's missing? Thanks!

@the-furry-hubofeverything

Adding support for the new U2F/FIDO keys would also be great (ideally both through NFC and USB).

Seconded

@jerith666

I just updated my server to OpenSSH 8.8, which contains the promised disablement, and I'm now getting the same failure to connect, with Their offer: ssh-rsa [preauth] in the server log.

@ToxicFrog

Same here:
Unable to negotiate with [connectbot ip] port 43186: no matching host key type found. Their offer: ssh-rsa [preauth]
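The two comments above show the server-side symptom: once sshd stops accepting ssh-rsa, every connection from a client that offers nothing else is logged as "no matching host key type found. Their offer: ssh-rsa". Before flipping HostKeyAlgorithms on a fleet it is worth knowing which clients will break. The following is an added example, not ConnectBot's or OpenSSH's code: it parses those sshd lines and groups, per client IP, the connections where only SHA-1-based host-key algorithms were offered. The log lines are constructed in the format shown above; the function names are my own.

```python
"""Flag SSH clients that can only verify SHA-1-based host keys, from sshd logs.

Added example for this thread, not ConnectBot's or OpenSSH's code.  The log
lines below are constructed in the format the comments above show; the
"Their offer:" list is the set of host-key algorithms the client accepts.
"""
import re
from collections import defaultdict

# Signature algorithms that still depend on SHA-1.
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

# sshd's negotiation-failure message; the "what" group tells which
# name-list failed to match (host key type, kex method, cipher, MAC).
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<ip>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>host key type|key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)")

# Constructed sample log (syslog format, addresses from the documentation ranges).
SAMPLE_LOG = """\
Oct  3 08:12:01 gw sshd[2140]: Unable to negotiate with 198.51.100.23 port 43186: no matching host key type found. Their offer: ssh-rsa [preauth]
Oct  3 08:12:09 gw sshd[2151]: Accepted publickey for alice from 203.0.113.5 port 50211 ssh2
Oct  3 08:13:44 gw sshd[2167]: Unable to negotiate with 198.51.100.23 port 43190: no matching host key type found. Their offer: ssh-rsa [preauth]
Oct  3 08:15:02 gw sshd[2180]: Unable to negotiate with 192.0.2.77 port 61002: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Oct  3 08:16:30 gw sshd[2193]: Unable to negotiate with 192.0.2.90 port 40001: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
"""


def parse_negotiation_failures(lines):
    """Yield (ip, port, what, offered_list) for each sshd negotiation failure."""
    for line in lines:
        m = NEGOTIATE_RE.search(line)
        if m:
            yield m["ip"], int(m["port"]), m["what"], m["offer"].split(",")


def legacy_hostkey_clients(lines):
    """Group host-key failures by client IP where only SHA-1 algorithms were offered.

    Returns {ip: {"attempts": n, "offered": sorted list}} so the operator
    knows which clients to update (or which ones need a temporary ssh-rsa
    exception) before removing ssh-rsa server-wide.
    """
    found = defaultdict(lambda: {"attempts": 0, "offered": set()})
    for ip, _port, what, offered in parse_negotiation_failures(lines):
        if what != "host key type":
            continue
        if set(offered) - SHA1_HOSTKEY_ALGS:
            # The client offers a modern algorithm too; the mismatch is on the
            # server's own key types, not a SHA-1-only client.
            continue
        found[ip]["attempts"] += 1
        found[ip]["offered"].update(offered)
    return {ip: {"attempts": v["attempts"], "offered": sorted(v["offered"])}
            for ip, v in found.items()}


if __name__ == "__main__":
    for ip, info in sorted(legacy_hostkey_clients(SAMPLE_LOG.splitlines()).items()):
        print(ip, info)
```

Feed it `journalctl -u ssh` or `/var/log/auth.log` instead of the sample to get the real list; the cipher-mismatch line in the sample is deliberately ignored so the report only names clients that would be fixed by the client-side upgrade this issue asks for.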

@kruton
Member

kruton commented Feb 11, 2022 via email

@normanr

normanr commented Jun 18, 2022

Note: This has a pending work-around in #1105, it just needs to be merged.

@mhdion

mhdion commented Dec 7, 2022

I think this is probably due to key rotation not being fully supported and no UI for deleting the existing keys. Try removing the entry for the host and recreating it. Or simply adding another host (pointing at the same server) and trying to connect with that.

Agree.
I have to stop Connect Bot, CLEAN ALL DATA.
After adding the host again, it worked using Ed25519.
Android 10 - Connect Bot 1.9.8
openssh-server 1:8.9p1-3 amd64
