openssh bugs - Sep 2021 - [Bug 3348] New: Not possible to disable rsa-sha2-512 in sshd

https://bugzilla.mindrot.org/show_bug.cgi?id=3348

            Bug ID: 3348
           Summary: Not possible to disable rsa-sha2-512 in sshd
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ossman at cendio.se

We have an issue? with some old smart cards that don't like the large
signature generated by sha-512. We were hoping to get around this by
disabling rsa-sha2-512 and relying on rsa-sha2-256 instead.
Unfortunately that doesn't work and if you try you just get this in the
log:
> Sep 20 14:35:07 ubuntu2004 sshd[3475]: userauth_pubkey: key type ssh-rsa
not in PubkeyAcceptedKeyTypes [preauth]
After some digging around we find this FIXME in kex_send_ext_info():
> 	/* XXX filter algs list by allowed pubkey/hostbased types */
So apparently this was not entirely unexpected. :)

See this is a gentle prod that this functionality would be nice to have
in a future update. :)

? https://www.cendio.com/bugzilla/show_bug.cgi?id=7599

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3348

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It's tricky, because PubkeyAcceptedAlgorithms can be overridden by a
sshd_config Match block that is evaluated during user authentication,
i.e. well after key exchange completes.

Can you avoid this on the client side by setting
PubkeyAcceptedAlgorithms there?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3348

--- Comment #2 from Pierre Ossman <ossman at cendio.se> ---
Possibly. Hopefully we can get rid of the old cards and side step the
whole thing. We're just exploring options, and a server side config
would have been the most robust approach. :)

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3348

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This was fixed via commit a7ed931caeb in OpenSSH 9.6, which added a
protocol extension to work around the problem mentioned in comment 1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.