Damien Miller
2018-Oct-11 01:13 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, 11 Oct 2018, Damien Miller wrote:> On Thu, 11 Oct 2018, Adam Eijdenberg wrote: > > > Thanks for looking into. I wasn't able to get the patch to apply > > cleanly to the portable source for whatever reason, so I manually made > > the changes and got a little further. I now get past the "no mutual > > signature algorithm" client message, and get an error on the server > > side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017): > > > > userauth_pubkey: unsupported public key algorithm: > > rsa-sha2-512-cert-v01 at openssh.com [preauth] > > Could you sent me a debug trace from the client for this? We shouldn't > send this algorithm name unless the server supports it.Could you try this? diff --git a/sshconnect2.c b/sshconnect2.c index f104408..1d2906f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) * newer (SHA2) algorithms. */ if (ssh == NULL || ssh->kex->server_sig_algs == NULL || - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { /* Filter base key signature alg against our configuration */ return match_list(sshkey_ssh_name(key), options.pubkey_key_types, NULL);
Adam Eijdenberg
2018-Oct-11 01:18 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote:> Could you try this? > > diff --git a/sshconnect2.c b/sshconnect2.c > index f104408..1d2906f 100644 > --- a/sshconnect2.c > +++ b/sshconnect2.c > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) > * newer (SHA2) algorithms. > */ > if (ssh == NULL || ssh->kex->server_sig_algs == NULL || > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { > /* Filter base key signature alg against our configuration */ > return match_list(sshkey_ssh_name(key), > options.pubkey_key_types, NULL);That fixes it for me, thank you. Would you still like a copy of the previous failing client trace?
Damien Miller
2018-Oct-11 01:19 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, 11 Oct 2018, Adam Eijdenberg wrote:> On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote: > > Could you try this? > > > > diff --git a/sshconnect2.c b/sshconnect2.c > > index f104408..1d2906f 100644 > > --- a/sshconnect2.c > > +++ b/sshconnect2.c > > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) > > * newer (SHA2) algorithms. > > */ > > if (ssh == NULL || ssh->kex->server_sig_algs == NULL || > > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { > > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || > > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { > > /* Filter base key signature alg against our configuration */ > > return match_list(sshkey_ssh_name(key), > > options.pubkey_key_types, NULL); > > That fixes it for me, thank you. Would you still like a copy of the > previous failing client trace?No, I think I figured it out :)
Damien Miller
2018-Oct-11 04:06 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, 11 Oct 2018, Adam Eijdenberg wrote:> On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote: > > Could you try this? > > > > diff --git a/sshconnect2.c b/sshconnect2.c > > index f104408..1d2906f 100644 > > --- a/sshconnect2.c > > +++ b/sshconnect2.c > > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) > > * newer (SHA2) algorithms. > > */ > > if (ssh == NULL || ssh->kex->server_sig_algs == NULL || > > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { > > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || > > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { > > /* Filter base key signature alg against our configuration */ > > return match_list(sshkey_ssh_name(key), > > options.pubkey_key_types, NULL); > > That fixes it for me, thank you. Would you still like a copy of the > previous failing client trace?That fix is committed and will be in the OpenSSH 7.9 release. Thanks for catching those two bugs in time! -d
Possibly Parallel Threads
- no mutual signature algorithm with RSA user certs client 7.8, server 7.4
- no mutual signature algorithm with RSA user certs client 7.8, server 7.4
- no mutual signature algorithm with RSA user certs client 7.8, server 7.4
- Call for testing: OpenSSH 6.9
- certificates keys on pkcs11 devices