bugzilla-daemon at mindrot.org
2023-Jun-22 13:03 UTC
[Bug 3583] New: server-sig-algs reports incorrect list of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3583
Bug ID: 3583
Summary: server-sig-algs reports incorrect list of algorithms
Product: Portable OpenSSH
Version: 8.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: aivars at gmail.com
OpenSSH server (OpenSSH_8.7p1, OpenSSL 3.0.8 7 Feb 2023) in Amazon
Linux (6.1.29-50.88.amzn2023.aarch64) reports more PK algorithms than
are actually allowed.
Modified server configuration (just one PK algorithm allowed):
PubkeyAcceptedAlgorithms rsa-sha2-256
Obtaining debug info:
ssh -vvv -i mykey.pem -o PubkeyAcceptedKeyTypes=rsa-sha2-512 ec2-user@<...IP...>
Debug output:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
Additional notes:
Note that PuTTY is unable to connect with the default connection
options if the server is configured like this, because it will always
attempt to use rsa-sha2-512, I'm guessing due to it being sent in
the server-sig-algs list.
--
You are receiving this mail because:
You are watching the assignee of the bug.
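
Added example, not part of the bug report or of OpenSSH's code: a Python check that compares the server-sig-algs list a client sees with the server's PubkeyAcceptedAlgorithms setting and reports algorithms that are advertised but would be refused. The function names and the sample config excerpt are assumptions; only explicit lists (with * and ? wildcards) are handled, not +/-/^ modifiers.

```python
import re
from fnmatch import fnmatchcase

# Sample input modelled on the report's `ssh -vvv` output (line re-joined).
CLIENT_DEBUG = (
    "debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,"
    "sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "sk-ecdsa-sha2-nistp256@openssh.com,"
    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com>\n"
)
# Constructed sshd_config excerpt matching the setting quoted in the report.
SERVER_CONFIG = "# constructed excerpt\nPubkeyAcceptedAlgorithms rsa-sha2-256\n"


def advertised_algs(client_debug):
    """Return the server-sig-algs names from client debug output, or None."""
    m = re.search(r"server-sig-algs=<([^>]*)>", client_debug)
    if m is None:
        return None
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def accepted_patterns(server_config):
    """Return the PubkeyAcceptedAlgorithms pattern list, or None if unset."""
    for line in server_config.splitlines():
        parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
        if len(parts) < 2 or parts[0].lower() != "pubkeyacceptedalgorithms":
            continue
        value = parts[1].strip()
        if not value or value[0] in "+-^":
            # Relative to built-in defaults; feed the expanded list instead.
            raise ValueError("need an explicit algorithm list: %r" % value)
        return [p.strip() for p in value.split(",") if p.strip()]
    return None


def audit(client_debug, server_config):
    """Split advertised algorithms into usable and advertised-but-rejected."""
    advertised = advertised_algs(client_debug)
    patterns = accepted_patterns(server_config)
    if advertised is None or patterns is None:
        raise ValueError("missing server-sig-algs or PubkeyAcceptedAlgorithms")
    usable = [a for a in advertised if any(fnmatchcase(a, p) for p in patterns)]
    rejected = [a for a in advertised if a not in usable]
    return {"usable": usable, "advertised_but_rejected": rejected}


if __name__ == "__main__":
    print(audit(CLIENT_DEBUG, SERVER_CONFIG))
```

A non-empty advertised_but_rejected list is the mismatch this bug describes: a client that picks one of those names from server-sig-algs will have its signature refused.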
bugzilla-daemon at mindrot.org
2023-Aug-29 13:11 UTC
[Bug 3583] server-sig-algs reports incorrect list of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3583
daemonhorn at nullcore.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |daemonhorn at nullcore.com
--- Comment #1 from daemonhorn at nullcore.com ---
Might want to provide some more context as attachments including:
- 'sshd -d -E debug.log' output from server side during failure sessions
- 'sshd -G' output from server side (config)
- 'ssh -Q sig' output from client side of OpenSSH failcase
- entire client side verbose log from both PuTTY and OpenSSH client from failure sessions
- PuTTY version number and OS platform
bugzilla-daemon at mindrot.org
2023-Aug-30 01:17 UTC
[Bug 3583] server-sig-algs reports incorrect list of algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=3583
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3726
--> https://bugzilla.mindrot.org/attachment.cgi?id=3726&action=edit
Fix advertisement of signature algorithms