bugzilla-daemon at mindrot.org
2021-Sep-20 14:51 UTC
[Bug 3348] New: Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348

            Bug ID: 3348
           Summary: Not possible to disable rsa-sha2-512 in sshd
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ossman at cendio.se

We have an issue [1] with some old smart cards that don't like the large
signature generated by sha-512. We were hoping to get around this by
disabling rsa-sha2-512 and relying on rsa-sha2-256 instead.

Unfortunately that doesn't work, and if you try you just get this in the
log:

> Sep 20 14:35:07 ubuntu2004 sshd[3475]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

After some digging around we find this FIXME in kex_send_ext_info():

> /* XXX filter algs list by allowed pubkey/hostbased types */

So apparently this was not entirely unexpected. :)

See this as a gentle prod that this functionality would be nice to have
in a future update. :)

[1] https://www.cendio.com/bugzilla/show_bug.cgi?id=7599

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Sep-21 01:21 UTC
[Bug 3348] Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It's tricky, because PubkeyAcceptedAlgorithms can be overridden by a
sshd_config Match block that is evaluated during user authentication,
i.e. well after key exchange completes.

Can you avoid this on the client side by setting
PubkeyAcceptedAlgorithms there?
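The mechanism behind both the failure in the report and the client-side workaround suggested in comment #1, as an added example that is not part of the bug thread and is not OpenSSH code. It encodes and parses an SSH_MSG_EXT_INFO message carrying the server-sig-algs extension (RFC 8308 section 2.3 / RFC 8332 section 3.3 wire format), and then models two simplified policies as assumptions: the client walks its own PubkeyAcceptedAlgorithms list in order and picks the first RSA variant the server advertised, and the server accepts a signature only if that algorithm is in its effective (post-Match) list. The algorithm lists are constructed for the scenario, not OpenSSH's defaults.

```python
from __future__ import annotations

import struct

SSH_MSG_EXT_INFO = 7  # RFC 8308 section 2.3

# RSA signature algorithm names that can sign with an ssh-rsa key (RFC 8332).
RSA_VARIANTS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}


def _ssh_string(b: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_ext_info(extensions: dict[str, str]) -> bytes:
    """Encode SSH_MSG_EXT_INFO: byte 7, uint32 nr-extensions,
    then (string extension-name, string extension-value) repeated."""
    out = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        out += _ssh_string(name.encode()) + _ssh_string(value.encode())
    return out


def parse_ext_info(msg: bytes) -> dict[str, str]:
    """Decode SSH_MSG_EXT_INFO into {extension-name: extension-value},
    rejecting truncated or oversized messages."""
    if not msg or msg[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    off = 1
    (count,) = struct.unpack_from(">I", msg, off)
    off += 4
    exts: dict[str, str] = {}
    for _ in range(count):
        fields = []
        for _ in range(2):  # name, then value
            if off + 4 > len(msg):
                raise ValueError("truncated extension")
            (ln,) = struct.unpack_from(">I", msg, off)
            off += 4
            if off + ln > len(msg):
                raise ValueError("truncated extension")
            fields.append(msg[off:off + ln].decode("ascii"))
            off += ln
        exts[fields[0]] = fields[1]
    if off != len(msg):
        raise ValueError("trailing bytes after extensions")
    return exts


def client_pick_sig_alg(client_accepted: str, server_sig_algs: str) -> str | None:
    """Assumed client policy: first entry of the client's
    PubkeyAcceptedAlgorithms (in its order) that is an RSA variant
    and is present in the advertised server-sig-algs name-list."""
    advertised = set(server_sig_algs.split(","))
    for alg in client_accepted.split(","):
        if alg in RSA_VARIANTS and alg in advertised:
            return alg
    return None


def server_accepts(server_effective: str, sig_alg: str) -> bool:
    """Assumed server policy at userauth time: the signature algorithm
    must be in the effective PubkeyAcceptedAlgorithms list, which a
    Match block may have narrowed after the advertisement went out."""
    return sig_alg in server_effective.split(",")


def negotiate(client_accepted: str, advertised: str, server_effective: str) -> tuple[str | None, bool]:
    """Run one exchange: server advertises, client chooses, server checks.
    Returns (chosen algorithm, whether the server would accept it)."""
    wire = build_ext_info({"server-sig-algs": advertised})  # constructed message
    exts = parse_ext_info(wire)
    chosen = client_pick_sig_alg(client_accepted, exts["server-sig-algs"])
    return chosen, chosen is not None and server_accepts(server_effective, chosen)


# Constructed scenario: the server advertises the unfiltered list, but its
# effective list for this user only allows rsa-sha2-256.
ADVERTISED = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
SERVER_EFFECTIVE = "ssh-ed25519,rsa-sha2-256"

if __name__ == "__main__":
    # Client preferring rsa-sha2-512 picks it and is rejected: the report's failure.
    print(negotiate("rsa-sha2-512,rsa-sha2-256", ADVERTISED, SERVER_EFFECTIVE))
    # Client restricted to rsa-sha2-256 (comment #1's suggestion) succeeds.
    print(negotiate("rsa-sha2-256", ADVERTISED, SERVER_EFFECTIVE))
```

The second call is the client-side equivalent of `PubkeyAcceptedAlgorithms rsa-sha2-256` in ssh_config: because the client's own list drives the choice, pruning it there works even though the server advertisement was never filtered.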
bugzilla-daemon at mindrot.org
2021-Sep-21 06:47 UTC
[Bug 3348] Not possible to disable rsa-sha2-512 in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=3348

--- Comment #2 from Pierre Ossman <ossman at cendio.se> ---
Possibly. Hopefully we can get rid of the old cards and side-step the
whole thing. We're just exploring options, and a server-side config
would have been the most robust approach. :)