tsh config: backwards incompatibility between 12.x client and 11.x server with dropped SHA1 support

[bkrypto]

Hi,

Currently tsh 12.x (12.4.11) generates incorrect ssh client config when connecting to a 11.x (11.3.16) server, using MacOS Ventura (OpenSSH 9.0p1).

This PR removed the line PubkeyAcceptedAlgorithms [email protected] from the generated tsh config output. The result is that, when using this generated config, 12.x+ clients can no longer connect to the 11.x server.

Expected behavior:

tsh config produces correct client config to connect to 11.x servers

Current behavior:

tsh ssh fails unless PubkeyAcceptedAlgorithms [email protected] is manually added to the user's ~/.ssh/config

Bug details:

• Teleport version:
  • server: 11.3.16
  • client: 12.4.11
• Recreation steps
  1. Run Teleport 11.x server infrastructure
  2. Use MacOS Ventura
  3. Install tsh 12.x on a client device
  4. Run tsh config >> ~/.ssh/config
  5. Run tsh ssh [...]
• Debug logs

[zmb3]

This is expected. Clients should always be upgraded last, because servers do not support newer clients.

More info at out component compatibility guide: https://goteleport.com/docs/management/operations/upgrading/#component-compatibility

[bkrypto]

Thank you! I mistakenly thought backwards compatibility was bidirectional, appreciate the clarification.