bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-23 10:43 UTC
[Bug 2959] New: Disabling just rsa-sha2-512 breaks public key authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2959
Bug ID: 2959
Summary: Disabling just rsa-sha2-512 breaks public key authentication
Product: Portable OpenSSH
Version: 7.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: ossman at cendio.se
Put this in sshd_config:
> PubkeyAcceptedKeyTypes -rsa-sha2-512
And any client supporting it will fail to authenticate rather than
using rsa-sha2-256 or ssh-rsa.
You also get this somewhat misleading log entry:
> Jan 23 11:38:10 ossman.lkpg.cendio.se sshd[26633]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
The problem is that the client looks at the supported algorithms
reported during the key exchange. That list is not filtered in any way.
So the server reports it supports rsa-sha2-512. The client trusts the
server and uses rsa-sha2-512. The server then promptly rejects it and
the client doesn't try any other algo.
My use case was just testing, but there might be more realistic
scenarios where it can cause problems.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-18 02:40 UTC
[Bug 2959] Disabling just rsa-sha2-512 breaks public key authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2959
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
AFAIK there's no way in the protocol to handle this. The server can
signal what public key algorithms it supports to the client, but that
list is shared between both publickey and hostbased authentication
methods.
A potential workaround might be to take the union of the enabled
signature algorithms for both and send that, but unfortunately we don't
know which methods are enabled until too late because of the Match
directive in sshd_config - they are evaluated after the
supported-sig-algs message is sent...
bugzilla-daemon at mindrot.org
2024-Dec-06 16:30 UTC
[Bug 2959] Disabling just rsa-sha2-512 breaks public key authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=2959
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
We implemented a protocol extension to fix this in OpenSSH 9.5:
 * ssh(1), sshd(8): introduce a protocol extension to allow
   renegotiation of acceptable signature algorithms for public key
   authentication after the server has learned the username being
   used for authentication. This allows varying sshd_config(5)
   PubkeyAcceptedAlgorithms in a "Match user" block.
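A simplified model of the mismatch discussed in this thread, added here as an illustration (not OpenSSH code and not part of the bug report). The algorithm lists are constructed and abbreviated, and the function names and the `readvertised` flag are assumptions; the flag stands for the server sending a list that matches what it accepts, as the OpenSSH 9.5 extension allows.

```python
from fnmatch import fnmatchcase

# Constructed, abbreviated lists (assumption: not OpenSSH's full defaults).
DEFAULT_ACCEPTED = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
# Order in which this model's client prefers to sign with an RSA key.
CLIENT_RSA_PREFERENCE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def effective_accepted(value, default=DEFAULT_ACCEPTED):
    """Resolve a PubkeyAcceptedKeyTypes value against the default set.

    A leading '-' removes matching patterns (wildcards allowed) from the
    default; a plain list replaces it. Other prefixes are not modelled.
    """
    if value.startswith("-"):
        patterns = value[1:].split(",")
        return [a for a in default
                if not any(fnmatchcase(a, p) for p in patterns)]
    if value[:1] in "+^":
        raise ValueError("prefix not modelled in this example")
    return value.split(",")


def client_choice(advertised):
    """Pick the client's first preferred RSA algorithm that was advertised."""
    return next((a for a in CLIENT_RSA_PREFERENCE if a in advertised), None)


def rsa_pubkey_auth(value, readvertised):
    """Return (algorithm the client signs with, whether the server accepts it).

    readvertised=False: the client sees the unfiltered list, as in the report.
    readvertised=True:  the client sees the list the server really accepts.
    """
    accepted = effective_accepted(value)
    advertised = accepted if readvertised else DEFAULT_ACCEPTED
    alg = client_choice(advertised)
    return alg, alg in accepted


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, rsa_pubkey_auth("-rsa-sha2-512", flag))
```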