bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-23 10:43 UTC
[Bug 2959] New: Disabling just rsa-sha2-512 breaks public key authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2959

            Bug ID: 2959
           Summary: Disabling just rsa-sha2-512 breaks public key authentication
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ossman at cendio.se

Put this in sshd_config:

> PubkeyAcceptedKeyTypes -rsa-sha2-512

And any client supporting it will fail to authenticate rather than using rsa-sha2-256 or ssh-rsa.

You also get this somewhat misleading log entry:

> Jan 23 11:38:10 ossman.lkpg.cendio.se sshd[26633]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

The problem is that the client looks at the supported algorithms reported during the key exchange. That list is not filtered in any way. So the server reports it supports rsa-sha2-512. The client trusts the server and uses rsa-sha2-512. The server then promptly rejects it and the client doesn't try any other algo.

My use case was just testing, but there might be more realistic scenarios where it can cause problems.

--
You are receiving this mail because:
You are watching the assignee of the bug.
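Added example (not part of the bug report and not OpenSSH code): a simplified Python model of the mismatch described in the report above, where the server advertises an unfiltered algorithm list but enforces the configured one. The shortened algorithm lists, the function names, and the hypothetical "filtered advertisement" variant are assumptions made for illustration; only exact names are handled, not wildcard patterns.

```python
# Simplified model (an assumption, not OpenSSH source) of the failure in this report.

# Constructed, shortened algorithm lists; the real defaults are longer.
SERVER_DEFAULT = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
CLIENT_PREFS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
# Signature algorithms that can all be used with the same RSA key.
RSA_SIG_ALGS = {"rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"}


def apply_config(default, value):
    """Apply a PubkeyAcceptedKeyTypes value; a leading '-' removes names
    from the default set, a leading '+' appends to it."""
    names = value.lstrip("-+").split(",")
    if value.startswith("-"):
        return [a for a in default if a not in names]
    if value.startswith("+"):
        return default + [a for a in names if a not in default]
    return names


def client_pick(advertised):
    """Client holding an RSA key: choose the first preferred RSA signature
    algorithm that the server advertised."""
    for alg in CLIENT_PREFS:
        if alg in RSA_SIG_ALGS and alg in advertised:
            return alg
    return None


def authenticate(config_value, filter_advertisement):
    """Return (algorithm the client tried, whether the server accepted it)."""
    accepted = apply_config(SERVER_DEFAULT, config_value)
    # As reported: the advertised list is not filtered by the configuration.
    # filter_advertisement=True is a hypothetical what-if for comparison.
    advertised = accepted if filter_advertisement else SERVER_DEFAULT
    alg = client_pick(advertised)
    # As reported: the client does not try another algorithm after a rejection.
    return alg, alg in accepted


if __name__ == "__main__":
    print(authenticate("-rsa-sha2-512", filter_advertisement=False))
    print(authenticate("-rsa-sha2-512", filter_advertisement=True))
```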
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-18 02:40 UTC
[Bug 2959] Disabling just rsa-sha2-512 breaks public key authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2959

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
AFAIK there's no way in the protocol to handle this. The server can signal what public key algorithms it supports to the client, but that list is shared between both publickey and hostbased authentication methods.

A potential workaround might be to take the union of the enabled signature algorithms for both and send that, but unfortunately we don't know which methods are enabled until too late because of the Match directive in sshd_config - they are evaluated after the supported-sig-algs message is sent...

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-06 16:30 UTC
[Bug 2959] Disabling just rsa-sha2-512 breaks public key authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2959

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
We implemented a protocol extension to fix this in OpenSSH 9.5:

 * ssh(1), sshd(8): introduce a protocol extension to allow
   renegotiation of acceptable signature algorithms for public key
   authentication after the server has learned the username being
   used for authentication. This allows varying sshd_config(5)
   PubkeyAcceptedAlgorithms in a "Match user" block.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.