bugzilla-daemon at mindrot.org
2013-May-28 00:33 UTC
[Bug 2109] New: Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

Bug ID: 2109
Summary: Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: FreeBSD
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: Geoff_Lowe at McAfee.com

Based on guidelines in NIST Special Publication 800-131A, "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths" dated January 2011, the US Government is pushing for stronger crypto in a number of different areas (encryption, digital signatures, random number generation, key agreement using Diffie-Hellman and MQC, etc.).

The most recent version of OpenSSH is not able to meet the updated digital signature requirements based on the fact that it only implements support for the "ssh-dss" and "ssh-rsa" key formats. (Actually, I'm not sure if it implements the pgp-sign-rsa or pgp-sign-dss certificate format or not, but in either case, I don't believe that materially impacts the problem.) And according to RFC 4253, Section 6.6, both of these key formats are defined to use the SHA-1 hash algorithm for signing/verifying.

SP 800-131A *requires* the use of SHA-224, SHA-256, SHA-384, or SHA-512 in the generation of digital signatures (see Section 9, Hash Functions) starting January 1, 2014.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-May-28 01:01 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
> The most recent version of OpenSSH is not able to meet the updated
> digital signature requirements based on the fact that it only
> implements support for the "ssh-dss" and "ssh-rsa" key formats

That's not true. We implement ECDSA key formats too that seem well within the guidelines of 800-131A.
bugzilla-daemon at mindrot.org
2013-May-28 01:20 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

--- Comment #2 from Geoff Lowe <Geoff_Lowe at McAfee.com> ---
Ah, yes, I stand corrected. EC support is indeed there. My bad. This request is, therefore, specific to adding support for non-EC public key formats.
bugzilla-daemon at mindrot.org
2013-May-29 18:30 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

TJ Saunders <tj at castaglia.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |tj at castaglia.org
bugzilla-daemon at mindrot.org
2013-Jun-05 14:28 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

Darren Tucker <dtucker at zip.com.au> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dhanukumar1990 at gmail.com

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
*** Bug 2115 has been marked as a duplicate of this bug. ***
bugzilla-daemon at mindrot.org
2013-Sep-25 10:11 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

venrag78 at gmail.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |venrag78 at gmail.com
Version|6.2p1 |5.2p1

--- Comment #4 from venrag78 at gmail.com ---
Hi,

Can we have a date on when this would be resolved? We are looking for supporting ssh-rsa-sha256 on server side if the name is confirmed and also if OpenSSH is releasing before Jan 1st 2014?
bugzilla-daemon at mindrot.org
2013-Sep-25 10:26 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
I don't think any of the OpenSSH developers have plans to implement RSA/SHA2 until a specification exists for it.
bugzilla-daemon at mindrot.org
2014-Mar-26 14:49 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

Simon Deziel <simon at sdeziel.info> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |simon at sdeziel.info
bugzilla-daemon at bugzilla.mindrot.org
2018-May-24 02:20 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
We've supported RSA-SHA256/512 for a while now.
bugzilla-daemon at mindrot.org
2021-Apr-23 04:57 UTC
[Bug 2109] Add support for ssh-rsa-sha256 and ssh-dsa-sha256 public key algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2109

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release
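Added example, not part of the bug thread and not OpenSSH code: the report turns on which hash a signature algorithm name implies, so this sketch parses an SSH signature blob (RFC 4253, Section 6.6 layout: a string naming the algorithm, then a string holding the signature) and checks the implied hash against the SP 800-131A list quoted in the report. The names rsa-sha2-256 and rsa-sha2-512 come from RFC 8332 and the ECDSA names from RFC 5656, not from the thread; the function names and the sample blobs are constructed for illustration.

```python
import struct

# Hash implied by each signature algorithm name.
# ssh-rsa / ssh-dss: RFC 4253 section 6.6 (SHA-1).
# rsa-sha2-*: RFC 8332. ecdsa-sha2-*: RFC 5656.
SIG_HASH = {
    "ssh-rsa": "SHA-1",
    "ssh-dss": "SHA-1",
    "rsa-sha2-256": "SHA-256",
    "rsa-sha2-512": "SHA-512",
    "ecdsa-sha2-nistp256": "SHA-256",
    "ecdsa-sha2-nistp384": "SHA-384",
    "ecdsa-sha2-nistp521": "SHA-512",
}
# Hashes the report lists as required by SP 800-131A for signature generation.
APPROVED = {"SHA-224", "SHA-256", "SHA-384", "SHA-512"}

def read_string(buf, off):
    """Read one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off + 4:end], end

def classify_signature(blob):
    """Return (algorithm, hash, approved) for an SSH signature blob."""
    name, off = read_string(blob, 0)
    _sig, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    alg = name.decode("ascii")
    digest = SIG_HASH.get(alg, "unknown")
    return alg, digest, digest in APPROVED

def make_blob(alg, sig_len):
    """Constructed sample: zero bytes stand in for the signature value."""
    name = alg.encode("ascii")
    return (struct.pack(">I", len(name)) + name +
            struct.pack(">I", sig_len) + b"\x00" * sig_len)

if __name__ == "__main__":
    for alg, n in [("ssh-rsa", 256), ("ssh-dss", 40), ("rsa-sha2-256", 256)]:
        print(classify_signature(make_blob(alg, n)))
```
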