bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-25 18:40 UTC
[Bug 2506] New: CA-signed keys broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2506

            Bug ID: 2506
           Summary: CA-signed keys broken
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: watt.john.runyon at gmail.com

Created attachment 2757
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2757&action=edit
ssh -vvv output

After upgrading from 6.9 to 7.1, CA-signed keys are broken. ssh fails to
verify a CA-signed host key and fails to load/use a CA-signed user key.

Attached output of ssh -vvv. Note particularly lines 9-10, 68-71.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-28 00:09 UTC
[Bug 2506] CA-signed keys broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2506

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #2757|application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-28 00:24 UTC
[Bug 2506] CA-signed keys broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2506

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
The server in question is offering the legacy certificate format that was
removed in OpenSSH 7.0

> debug2: kex_parse_kexinit: ssh-rsa,ssh-rsa-cert-v00@openssh.com,ssh-dss

The legacy keys haven't been the default since OpenSSH 5.6. The remote
version (OpenSSH 6.0) supports the current cert format fine, so regenerating
your certificates should get you working.
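As an added example (not part of the bug thread and not OpenSSH's own code): a Python check that reads the key type embedded in one line of an OpenSSH `.pub` or `-cert.pub` file and flags the legacy v00 certificate format named in comment #1, so certificates that need re-signing can be found before an upgrade to 7.0 or later. The function names and sample lines are constructed for illustration; the sample blobs carry only the type string plus filler bytes, not real keys.

```python
import base64
import struct

# Legacy certificate key types (v00), the format removed in OpenSSH 7.0.
LEGACY_CERT_TYPES = {
    "ssh-rsa-cert-v00@openssh.com",
    "ssh-dss-cert-v00@openssh.com",
}

def read_ssh_string(blob, offset=0):
    """Read one uint32-length-prefixed string (RFC 4251) from a key blob."""
    if len(blob) < offset + 4:
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end]

def classify_key_line(line):
    """Return (embedded_type, status) for one line of a .pub / -cert.pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    embedded = read_ssh_string(blob).decode("ascii")
    if embedded != declared:
        return embedded, "type-mismatch"   # text label disagrees with the blob
    if embedded in LEGACY_CERT_TYPES:
        return embedded, "legacy-v00"      # needs re-signing in the current format
    if embedded.endswith("-cert-v01@openssh.com"):
        return embedded, "current-v01"
    return embedded, "plain-key"

def make_sample_line(key_type, label=None):
    """Constructed sample: type string plus 8 filler bytes, not a real key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 8
    return f"{label or key_type} {base64.b64encode(blob).decode()} constructed"

if __name__ == "__main__":
    for t in ("ssh-rsa-cert-v00@openssh.com",
              "ssh-rsa-cert-v01@openssh.com", "ssh-rsa"):
        print(classify_key_line(make_sample_line(t)))
```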
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2506] CA-signed keys broken
https://bugzilla.mindrot.org/show_bug.cgi?id=2506

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release