bugzilla-daemon at mindrot.org
2023-Jun-22 13:03 UTC
[Bug 3583] New: server-sig-algs reports incorrect list of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3583

            Bug ID: 3583
           Summary: server-sig-algs reports incorrect list of algorithms
           Product: Portable OpenSSH
           Version: 8.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: aivars at gmail.com

OpenSSH server (OpenSSH_8.7p1, OpenSSL 3.0.8 7 Feb 2023) in Amazon Linux (6.1.29-50.88.amzn2023.aarch64) reports more PK algorithms than are actually allowed.

Modified server configuration (just one PK algorithm allowed):

    PubkeyAcceptedAlgorithms rsa-sha2-256

Obtaining debug info:

    ssh -vvv -i mykey.pem -o PubkeyAcceptedKeyTypes=rsa-sha2-512 ec2-user@<...IP...>

Debug output:

    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>

Additional notes:

Note that Putty is unable to connect with the default connection options if server is configured like this, because it will always attempt to use rsa-sha2-512, I'm guessing due to it being sent in server-sig-algs list.

--
You are receiving this mail because:
You are watching the assignee of the bug.
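A check for the mismatch reported above, as an added example that is not part of the original report or of OpenSSH: it compares the server-sig-algs list from a client debug log with the PubkeyAcceptedAlgorithms value in the server configuration text. The function names and both sample inputs are constructed for illustration, and a list that starts with +, - or ^ is rejected rather than expanded.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample inputs: a client debug line in the shape quoted in the
# report (list shortened) and the single-algorithm server setting it describes.
CLIENT_DEBUG = (
    "debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,"
    "rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256>\n"
)
SERVER_CONFIG = "# constructed fragment\nPubkeyAcceptedAlgorithms rsa-sha2-256\n"


def advertised_algs(debug_text):
    """Return the algorithms listed in the server-sig-algs extension."""
    m = re.search(r"server-sig-algs=<([^>]*)>", debug_text)
    if m is None:
        raise ValueError("no server-sig-algs line in client debug output")
    return [a for a in m.group(1).split(",") if a]


def accepted_patterns(config_text):
    """Return the patterns from the first PubkeyAcceptedAlgorithms line."""
    for line in config_text.splitlines():
        # Drop comments, then split into keyword and value.
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pubkeyacceptedalgorithms":
            value = parts[1].strip()
            if value[0] in "+-^":
                # These prefixes modify the built-in default list, which
                # this example does not know; feed it the expanded list.
                raise ValueError("list modifies the defaults; expand it first")
            return [p.strip() for p in value.split(",") if p.strip()]
    raise ValueError("PubkeyAcceptedAlgorithms not set in config text")


def over_advertised(debug_text, config_text):
    """Algorithms the server advertises but its configuration does not accept."""
    patterns = accepted_patterns(config_text)
    return [a for a in advertised_algs(debug_text)
            if not any(fnmatchcase(a, p) for p in patterns)]


if __name__ == "__main__":
    extra = over_advertised(CLIENT_DEBUG, SERVER_CONFIG)
    print("advertised but not accepted:", ", ".join(extra) or "none")
```

An empty result means the advertisement matches the configuration; any name returned is one a client may pick and then have rejected.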
bugzilla-daemon at mindrot.org
2023-Aug-29 13:11 UTC
[Bug 3583] server-sig-algs reports incorrect list of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3583

daemonhorn at nullcore.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |daemonhorn at nullcore.com

--- Comment #1 from daemonhorn at nullcore.com ---
Might want to provide some more context as attachments including:
- 'sshd -d -E debug.log' output from server side during failure sessions
- 'sshd -G' output from server side (config)
- 'ssh -Q sig' output from client side of OpenSSH failcase
- entire client side verbose log from both putty and openssh client from failure sessions
- putty version number and os platform
bugzilla-daemon at mindrot.org
2023-Aug-30 01:17 UTC
[Bug 3583] server-sig-algs reports incorrect list of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3583

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3726
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3726&action=edit
Fix advertisement of signature algorithms