On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber <naddy at mips.inka.de> wrote:
> On 2020-06-01, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>
> > With the upcoming deprecation of ssh-rsa I was trying to see what keys my
> > version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
> > actually list the suggested algorithms to transition to ( rsa-sha2-256 and
> > rsa-sha2-512 ) even though they are supported.
>
> "-Q key" are the supported key formats. For the signature algorithms,
> you want "-Q sig". This is documented in the man page.

In addition, from version 8.2 ssh -Q will also accept ssh_config
keywords and emit the formats or algorithms accepted by that keyword,
eg.

$ ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1g FIPS 21 Apr 2020

$ ssh -Q PubkeyAcceptedKeyTypes
[...]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
[...]

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Thank you both for the clarifications. I notice that openssh 7.8 does not
support "ssh -Q sig" either. I think it's great that later versions of
openssh will support easier ways of querying possible options to
understand what is supported on the compiled code.

Cheers,

Ethan

On Mon, Jun 1, 2020 at 3:49 PM Darren Tucker <dtucker at dtucker.net> wrote:

> On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber <naddy at mips.inka.de> wrote:
> > On 2020-06-01, Ethan Rahn <ethan.rahn at gmail.com> wrote:
> >
> > > With the upcoming deprecation of ssh-rsa I was trying to see what keys my
> > > version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
> > > actually list the suggested algorithms to transition to ( rsa-sha2-256 and
> > > rsa-sha2-512 ) even though they are supported.
> >
> > "-Q key" are the supported key formats. For the signature algorithms,
> > you want "-Q sig". This is documented in the man page.
>
> In addition, from version 8.2 ssh -Q will also accept ssh_config
> keywords and emit the formats or algorithms accepted by that keyword,
> eg.
>
> $ ssh -V
> OpenSSH_8.2p1, OpenSSL 1.1.1g FIPS 21 Apr 2020
>
> $ ssh -Q PubkeyAcceptedKeyTypes
> [...]
> ssh-rsa
> rsa-sha2-256
> rsa-sha2-512
> [...]
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

On Tue, 2 June 2020 at 00:57, Darren Tucker <dtucker at dtucker.net> wrote:
> In addition, from version 8.2 ssh -Q will also accept ssh_config
> keywords and emit the formats or algorithms accepted by that keyword,
> eg.

Nice. Shouldn't they also be listed in the output of -Q help?

Best
   Martin

On Tue, 2 Jun 2020 at 17:55, Martin Schröder <martin at oneiros.de> wrote:
> On Tue, 2 June 2020 at 00:57, Darren Tucker <dtucker at dtucker.net> wrote:
> > In addition, from version 8.2 ssh -Q will also accept ssh_config
> > keywords and emit the formats or algorithms accepted by that keyword,
> > eg.
>
> Nice. Shouldn't they also be listed in the output of -Q help?

I hadn't really thought of that, I just considered it a convenience
alias. It is documented in the man page (eg
https://man.openbsd.org/ssh.1):

"""
-Q query_option
[...]. Alternatively, any keyword from ssh_config(5) or sshd_config(5)
that takes an algorithm list may be used as an alias for the
corresponding query_option.
"""

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On 01/06/2020 23:48, Darren Tucker wrote:
> On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber <naddy at mips.inka.de> wrote:
>> On 2020-06-01, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>>
>>> With the upcoming deprecation of ssh-rsa I was trying to see what keys my
>>> version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
>>> actually list the suggested algorithms to transition to ( rsa-sha2-256 and
>>> rsa-sha2-512 ) even though they are supported.
>> "-Q key" are the supported key formats. For the signature algorithms,
>> you want "-Q sig". This is documented in the man page.
> In addition, from version 8.2 ssh -Q will also accept ssh_config
> keywords and emit the formats or algorithms accepted by that keyword,

There is also "-Q key-sig" in recent versions (not sure exactly how
recent, but 7.6 doesn't have it)

On Tue, 2 Jun 2020 at 18:48, Brian Candler <b.candler at pobox.com> wrote:
[about ssh -Q ssh_config_keyword]
> There is also "-Q key-sig" in recent versions (not sure exactly how
> recent, but 7.6 doesn't have it)

Added in the same commit (Feb this year), first released in 8.3:
https://github.com/openssh/openssh-portable/commit/d4d9e1d40514e2746f9e05335d646512ea1020c6

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
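
Added example, not part of any message in this thread: a POSIX shell check that separates "this client lists rsa-sha2-*" from "this client is too old to be asked", which matters when auditing hosts ahead of the ssh-rsa deprecation. It uses only the query names mentioned above; SSH_BIN is a variable this example introduces for selecting the client binary.

```shell
#!/bin/sh
# Added example (not from the thread). SSH_BIN is this example's own
# knob for pointing at a specific client; it defaults to "ssh".

# Run one "ssh -Q <name>" query. Succeeds only if the client accepted
# the query name and printed a non-empty list.
ssh_query() {
    out=$("${SSH_BIN:-ssh}" -Q "$1" 2>/dev/null) || return 1
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Print one of: yes / no / unknown
#   yes     - a signature-aware query lists rsa-sha2-256 or rsa-sha2-512
#   no      - a signature-aware query worked but lists neither
#   unknown - the client rejects every signature-aware query
rsa_sha2_status() {
    for q in sig key-sig PubkeyAcceptedKeyTypes; do
        if list=$(ssh_query "$q"); then
            if printf '%s\n' "$list" | grep -qxE 'rsa-sha2-(256|512)'; then
                echo yes
            else
                echo no
            fi
            return 0
        fi
    done
    # Only "-Q key" is left. It lists key formats, and as the thread
    # notes it omits rsa-sha2-* even where they are supported, so its
    # output cannot settle the question: report unknown, not no.
    echo unknown
}
```

Call rsa_sha2_status on each host being audited; an "unknown" result means the client version has to be checked another way, not that RSA/SHA-2 signatures are missing.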