When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the following output:

    ssh-ed25519
    ssh-ed25519-cert-v01@openssh.com
    ssh-rsa
    ssh-dss
    ecdsa-sha2-nistp256
    ecdsa-sha2-nistp384
    ecdsa-sha2-nistp521
    ssh-rsa-cert-v01@openssh.com
    ssh-dss-cert-v01@openssh.com
    ecdsa-sha2-nistp256-cert-v01@openssh.com
    ecdsa-sha2-nistp384-cert-v01@openssh.com
    ecdsa-sha2-nistp521-cert-v01@openssh.com

The thing is, one can invoke both client and server with -o HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and everything's OK.

Why is it that rsa-sha2-* are not displayed in the output above? In fact, no option to -Q elicits them, and they are not mentioned in the OpenSSH client and server man pages.

Is this intentional?
Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> following output:
>
> ssh-ed25519
> ssh-ed25519-cert-v01@openssh.com
> ssh-rsa
> ssh-dss
> ecdsa-sha2-nistp256
> ecdsa-sha2-nistp384
> ecdsa-sha2-nistp521
> ssh-rsa-cert-v01@openssh.com
> ssh-dss-cert-v01@openssh.com
> ecdsa-sha2-nistp256-cert-v01@openssh.com
> ecdsa-sha2-nistp384-cert-v01@openssh.com
> ecdsa-sha2-nistp521-cert-v01@openssh.com
>
> The thing is, one can invoke both client and server with -o
> HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
> everything's OK.
>
> Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> no option to -Q elicits them, and they are not mentioned in the OpenSSH
> client and server man pages.
>
> Is this intentional?

You should query for HostKeyAlgorithms:

    ssh -Q HostKeyAlgorithms

That list should contain rsa-sha2-256 and rsa-sha2-512.
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
    $ ssh -Q HostKeyAlgorithms
    Unsupported query "HostKeyAlgorithms"
    $ ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019

On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:
> Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> > following output:
> >
> > ssh-ed25519
> > ssh-ed25519-cert-v01@openssh.com
> > ssh-rsa
> > ssh-dss
> > ecdsa-sha2-nistp256
> > ecdsa-sha2-nistp384
> > ecdsa-sha2-nistp521
> > ssh-rsa-cert-v01@openssh.com
> > ssh-dss-cert-v01@openssh.com
> > ecdsa-sha2-nistp256-cert-v01@openssh.com
> > ecdsa-sha2-nistp384-cert-v01@openssh.com
> > ecdsa-sha2-nistp521-cert-v01@openssh.com
> >
> > The thing is, one can invoke both client and server with -o
> > HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
> > everything's OK.
> >
> > Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> > no option to -Q elicits them, and they are not mentioned in the OpenSSH
> > client and server man pages.
> >
> > Is this intentional?
>
> You should query for HostKeyAlgorithms
>
> ssh -Q HostKeyAlgorithms
>
> That list should contain rsa-sha2-256 and rsa-sha2-512.
> --
> main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> putchar(b-1/(/* Chris cc -ox -xc - && ./x
> */b/42*2-3)*42);}
>
On 2020-03-02, Luveh Keraph <1.41421 at gmail.com> wrote:
> Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> no option to -Q elicits them, and they are not mentioned in the OpenSSH
> client and server man pages.

This has been rectified in the three years since 7.4. "ssh -Q key-sig" produces a list of key signature algorithms; rsa-sha2-* is mentioned in the man pages; and 8.2 also added the possibility to directly query the supported schemes of such configuration options, e.g. "ssh -Q HostKeyAlgorithms".
-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de
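The three query names discussed in this thread ("HostKeyAlgorithms" on 8.2+, "key-sig" on later 7.x, plain "key" on 7.4) are what a config-check script has to try in turn before it can tell whether a planned HostKeyAlgorithms setting is actually supported by the local client. The following POSIX sh script is an added example written for this page, not code from the thread or from OpenSSH; the SSH_BIN override variable and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): ask the local OpenSSH client which
# algorithm names it supports, falling back across the -Q query names that
# different releases understand:
#   HostKeyAlgorithms  - option-name queries, OpenSSH 8.2 and later
#   key-sig            - key signature algorithms, includes rsa-sha2-*
#   key                - plain key types, the only list 7.4 can print
# SSH_BIN is an assumed override so the functions can run against a stand-in.

query_ssh() {
    # $1 = query name. Prints the list; non-zero if the query is unsupported
    # (7.4 prints 'Unsupported query "..."' on stderr and exits non-zero).
    "${SSH_BIN:-ssh}" -Q "$1" 2>/dev/null
}

supported_algos() {
    # Most specific query first, then the older fallbacks.
    for q in HostKeyAlgorithms key-sig key; do
        out=$(query_ssh "$q") && [ -n "$out" ] && { printf '%s\n' "$out"; return 0; }
    done
    return 1
}

has_algo() {
    # $1 = newline-separated list, $2 = algorithm name; exact whole-line match.
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

check_host_key_algos() {
    # $@ = names you intend to put in HostKeyAlgorithms.
    # Prints one verdict per name; returns 1 if any is missing, 2 if no query worked.
    list=$(supported_algos) || { echo "could not query ${SSH_BIN:-ssh}" >&2; return 2; }
    rc=0
    for a in "$@"; do
        if has_algo "$list" "$a"; then
            echo "ok       $a"
        else
            echo "missing  $a"; rc=1
        fi
    done
    return $rc
}

# Example invocation, only when a client is actually installed.
if command -v "${SSH_BIN:-ssh}" >/dev/null 2>&1; then
    check_host_key_algos rsa-sha2-256 rsa-sha2-512 ssh-rsa
fi
```

On a 7.4 client this falls through to "key", so rsa-sha2-256 is reported missing even though the option is accepted, which is exactly the gap the thread describes; on 8.2+ the first query answers directly.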