
Connecting to UniFi equipment (Switch 8/AP AC Pro) from Fedora 37 fails out of the box with a very useful error: "Bad server host key: Invalid key length". This is because the dropbear used on these devices is woefully out of date and still requires ssh-rsa (with SHA1), which was deprecated by OpenSSH in 2021.

To connect from your Fedora 37 install, you can use the update-crypto-policies command. It configures the policy used by all kinds of cryptographic backends on your system (such as TLS libraries, …).

The policies available on your system can be found at /usr/share/crypto-policies. The default is aptly named DEFAULT, but to connect to a UniFi device you'll need to switch back to LEGACY.

Thank you Ubiquiti for not updating your base image, even though your customers have been asking for it for a long time ([1] [2] [3] [4] [5] [6] …).

$ sudo update-crypto-policies --set LEGACY

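Don't forget to revert to DEFAULT once you're done with your work: the policy is system-wide, so while LEGACY is set it applies to every cryptographic backend on the machine, not just SSH.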

$ sudo update-crypto-policies --set DEFAULT
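
The set-LEGACY, do the work, revert sequence above can be wrapped so the revert cannot be forgotten. This is an added example, not part of the original post: the function name with_legacy_policy and the UCP/SUDO override variables are hypothetical, and the host in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: run ONE command under the LEGACY crypto policy and always
# restore the policy that was active before, even if the command fails or
# is interrupted.
#
# Usage (placeholder host):
#   with_legacy_policy ssh admin@switch.example.lan
#
# UCP and SUDO are hypothetical overrides, useful for dry runs without root.

with_legacy_policy() (
    # The body is a subshell, so variables and traps stay local to this call.
    ucp="${UCP:-update-crypto-policies}"
    sudo_cmd="${SUDO-sudo}"

    # Remember the active policy. It is usually DEFAULT, but it may be
    # FUTURE or a policy with sub-policy modifiers, so do not hard-code it.
    previous="$("$ucp" --show)" || {
        echo "cannot read current crypto policy" >&2
        exit 1
    }

    restore() {
        $sudo_cmd "$ucp" --set "$previous" >/dev/null ||
            echo "WARNING: restore to '$previous' failed, still on LEGACY" >&2
    }

    # Install the cleanup before weakening the policy, so there is no
    # window in which an interrupt leaves the system on LEGACY.
    trap restore EXIT
    trap 'exit 130' INT TERM

    $sudo_cmd "$ucp" --set LEGACY >/dev/null || exit 1

    # Run the caller's command and hand its exit status back.
    "$@"
    rc=$?
    exit "$rc"
)
```

Because the previous policy is read with --show rather than assumed, a machine that was on a stricter policy than DEFAULT goes back to that policy.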