bugzilla-daemon at mindrot.org
2021-Sep-20 14:51 UTC
[Bug 3348] New: Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348 Bug ID: 3348 Summary: Not possible to disable rsa-sha2-512 in sshd Product: Portable OpenSSH Version: -current Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: ossman at cendio.se We have an issue? with some old smart cards that don't like the large signature generated by sha-512. We were hoping to get around this by disabling rsa-sha2-512 and relying on rsa-sha2-256 instead. Unfortunately that doesn't work and if you try you just get this in the log:> Sep 20 14:35:07 ubuntu2004 sshd[3475]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]After some digging around we find this FIXME in kex_send_ext_info():> /* XXX filter algs list by allowed pubkey/hostbased types */So apparently this was not entirely unexpected. :) See this is a gentle prod that this functionality would be nice to have in a future update. :) ? https://www.cendio.com/bugzilla/show_bug.cgi?id=7599 -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Sep-21 01:21 UTC
[Bug 3348] Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- It's tricky, because PubkeyAcceptedAlgorithms can be overridden by a sshd_config Match block that is evaluated during user authentication, i.e. well after key exchange completes. Can you avoid this on the client side by setting PubkeyAcceptedAlgorithms there? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Sep-21 06:47 UTC
[Bug 3348] Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348 --- Comment #2 from Pierre Ossman <ossman at cendio.se> --- Possibly. Hopefully we can get rid of the old cards and side step the whole thing. We're just exploring options, and a server side config would have been the most robust approach. :) -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-04 14:12 UTC
[Bug 3348] Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #3 from Damien Miller <djm at mindrot.org> --- This was fixed via commit a7ed931caeb in OpenSSH 9.6, which added a protocol extension to work around the problem mentioned in comment 1 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.