Damien Miller
2018-Oct-11 01:19 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, 11 Oct 2018, Adam Eijdenberg wrote:
> On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote:
> > Could you try this?
> >
> > diff --git a/sshconnect2.c b/sshconnect2.c > > index f104408..1d2906f 100644 > > --- a/sshconnect2.c > > +++ b/sshconnect2.c > > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) > > * newer (SHA2) algorithms. > > */ > > if (ssh == NULL || ssh->kex->server_sig_algs == NULL || > > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { > > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || > > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { > > /* Filter base key signature alg against our configuration */ > > return match_list(sshkey_ssh_name(key), > > options.pubkey_key_types, NULL);
>
> That fixes it for me, thank you. Would you still like a copy of the
> previous failing client trace?

No, I think I figured it out :)
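Review bot: the added third clause of the if condition in key_sig_algorithm(), (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE)), makes the fallback depend on a compat flag that the comment ending "newer (SHA2) algorithms." does not mention. Please extend that comment to say that RSA certificates are matched by their base name against options.pubkey_key_types when SSH_BUG_SIGTYPE is set, and why, so the special case is not later removed as redundant. It is also worth stating whether plain KEY_RSA keys are meant to keep taking the server_sig_algs path when the flag is set, since the new clause covers only KEY_RSA_CERT.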
Adam Eijdenberg
2018-Oct-11 01:45 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, Oct 11, 2018 at 12:19 PM Damien Miller <djm at mindrot.org> wrote:
> No, I think I figured it out :)

Thanks again for your help. I think there are still 2 more sets of duplicated lines that can go. ie I think we can delete:

diff --git a/sshkey.c b/sshkey.c index 21e61a2c..6555c5ef 100644 --- a/sshkey.c +++ b/sshkey.c @@ -124,10 +124,6 @@ static const struct keytype keytypes[] = { "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", NULL, KEY_DSA_CERT, 0, 1, 0 }, - { "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT", NULL, - KEY_RSA_CERT, 0, 1, 0 }, - { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", NULL, - KEY_DSA_CERT, 0, 1, 0 }, # ifdef OPENSSL_HAS_ECC { "ecdsa-sha2-nistp256-cert-v01 at openssh.com", "ECDSA-CERT", NULL, KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
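Review bot: the context of this keytypes[] hunk shows the retained copy of the DSA-CERT row directly above the removed lines, but not a retained copy of the RSA-CERT row with the trailing fields 0, 1, 0; the only KEY_RSA_CERT entry visible is the "rsa-sha2-512" one ending in 0, 1, 1. Please confirm that the RSA-CERT row still exists earlier in the table before this lands, and say in the commit message that the removed rows were exact duplicates, so the deletion is not read as dropping those certificate types.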
Damien Miller
2018-Oct-11 02:02 UTC
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
applied - thanks

On Thu, 11 Oct 2018, Adam Eijdenberg wrote:
> On Thu, Oct 11, 2018 at 12:19 PM Damien Miller <djm at mindrot.org> wrote:
> > No, I think I figured it out :)
>
> Thanks again for your help. I think there are still 2 more sets of
> duplicated lines that can go. ie I think we can delete:
>
> diff --git a/sshkey.c b/sshkey.c > index 21e61a2c..6555c5ef 100644 > --- a/sshkey.c > +++ b/sshkey.c > @@ -124,10 +124,6 @@ static const struct keytype keytypes[] = { > "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, > { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", NULL, > KEY_DSA_CERT, 0, 1, 0 }, > - { "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT", NULL, > - KEY_RSA_CERT, 0, 1, 0 }, > - { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", NULL, > - KEY_DSA_CERT, 0, 1, 0 }, > # ifdef OPENSSL_HAS_ECC > { "ecdsa-sha2-nistp256-cert-v01 at openssh.com", "ECDSA-CERT", NULL, > KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
>