Aham Brahmasmi
2019-Apr-26 20:09 UTC
sshd_config: PubkeyAcceptedKeyTypes option does not seem to have any effect
Namaste,

Setting PubkeyAcceptedKeyTypes in the sshd_config does not seem to have any effect on the selection of server signature algorithms (server-sig-algs). Further, the certificate variants of the algorithms are not selected at all.

Steps:

ON SERVER

    $ cat /etc/ssh/sshd_config
    ...
    PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
    ...
    $ doas sshd -t
    $ doas sshd -T
    ...
    pubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
    ...
    $ doas rcctl reload sshd

ON CLIENT

    $ ssh -v user@server
    ...
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    ...

Layman analysis:

In function kex_send_ext_info in src/usr.bin/ssh/kex.c [1], there is a comment which points to the need to filter the list of algorithms based on the PubkeyAcceptedKeyTypes. Further, the sshkey_alg_list function has the following signature [2]:

    char *
    sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)

In function kex_send_ext_info, a 0 is passed for the "certs_only" parameter in the call to sshkey_alg_list, which seems to imply that the certificate algorithms are not to be returned by the sshkey_alg_list function call.

/src/usr.bin/ssh/kex.c

    ...
    static int
    kex_send_ext_info(struct ssh *ssh)
    {
    	int r;
    	char *algs;

    	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
    		return SSH_ERR_ALLOC_FAIL;
    	/* XXX filter algs list by allowed pubkey/hostbased types */
    	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
    	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
    	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
    	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
    	    (r = sshpkt_send(ssh)) != 0)
    		goto out;
    	/* success */
    	r = 0;
     out:
    	free(algs);
    	return r;
    }
    ...

Dhanyavaad.

Regards,
ab

[1] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.150&content-type=text/x-cvsweb-markup
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey.c?rev=1.73&content-type=text/x-cvsweb-markup
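The filtering step that the "XXX" comment in kex_send_ext_info leaves undone, as an added stand-alone example that is not OpenSSH's code: filter_algs is a hypothetical helper that keeps only the names from the sshkey_alg_list output that also appear in the configured PubkeyAcceptedKeyTypes list, so the advertised server-sig-algs would match the configuration shown in the post.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if `name` is a complete comma-separated element of `allowed`. */
static int
alg_allowed(const char *name, const char *allowed)
{
	size_t n = strlen(name);
	const char *p = allowed;

	while (*p != '\0') {
		const char *end = strchr(p, ',');
		size_t l = end != NULL ? (size_t)(end - p) : strlen(p);

		if (l == n && strncmp(p, name, n) == 0)
			return 1;
		if (end == NULL)
			break;
		p = end + 1;
	}
	return 0;
}

/* Hypothetical helper: return a newly allocated comma-separated list of the
 * names in `algs` that are also listed in `allowed`, in the order of `algs`.
 * The caller frees the result; NULL means allocation failure. */
char *
filter_algs(const char *algs, const char *allowed)
{
	size_t len = strlen(algs) + 1;	/* result is a subset, so this fits */
	char *out, *copy, *tok, *save;

	if ((out = calloc(1, len)) == NULL || (copy = strdup(algs)) == NULL) {
		free(out);
		return NULL;
	}
	for (tok = strtok_r(copy, ",", &save); tok != NULL;
	    tok = strtok_r(NULL, ",", &save)) {
		if (!alg_allowed(tok, allowed))
			continue;
		if (out[0] != '\0')
			strcat(out, ",");
		strcat(out, tok);
	}
	free(copy);
	return out;
}
```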