$ ssh -Q HostKeyAlgorithms
Unsupported query "HostKeyAlgorithms"
$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019

On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:

> Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> > following output:
> >
> > ssh-ed25519
> > ssh-ed25519-cert-v01@openssh.com
> > ssh-rsa
> > ssh-dss
> > ecdsa-sha2-nistp256
> > ecdsa-sha2-nistp384
> > ecdsa-sha2-nistp521
> > ssh-rsa-cert-v01@openssh.com
> > ssh-dss-cert-v01@openssh.com
> > ecdsa-sha2-nistp256-cert-v01@openssh.com
> > ecdsa-sha2-nistp384-cert-v01@openssh.com
> > ecdsa-sha2-nistp521-cert-v01@openssh.com
> >
> > The thing is, one can invoke both client and server with -o
> > HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
> > everything's OK.
> >
> > Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> > no option to -Q elicits them, and they are not mentioned in the OpenSSH
> > client and server man pages.
> >
> > Is this intentional?
>
> You should query for HostKeyAlgorithms
>
> ssh -Q HostKeyAlgorithms
>
> That list should contain rsa-sha2-256 and rsa-sha2-512.
> --
> main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:29:
> $ ssh -Q HostKeyAlgorithms
> Unsupported query "HostKeyAlgorithms"
> $ ssh -V
> OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019

Oh, later versions do support querying any keyword from ssh_config(5) or
sshd_config(5) that takes an algorithm list.

From an old man page I can not find a query that corresponds to host key
algorithms.
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Is this then an oversight in 7.4p1?

On Mon, Mar 2, 2020 at 2:40 PM Christian Hesse <list at eworm.de> wrote:

> Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:29:
> > $ ssh -Q HostKeyAlgorithms
> > Unsupported query "HostKeyAlgorithms"
> > $ ssh -V
> > OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019
>
> Oh, later versions do support querying any keyword from ssh_config(5) or
> sshd_config(5) that takes an algorithm list.
>
> From an old man page I can not find a query that corresponds to host key
> algorithms.
> --
> main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Luveh Keraph <1.41421 at gmail.com> writes:

> $ ssh -Q HostKeyAlgorithms
> Unsupported query "HostKeyAlgorithms"
> $ ssh -V
> OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019

The option was only added to OpenSSH 8.2 and OpenSSH 8.2p1.

Where these changes went into ssh.c:

+ else if (strcmp(optarg, "key-sig") == 0 ||
+ strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
+ strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
+ strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
+ strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
+ cp = sshkey_alg_list(0, 0, 1, '\n');

That said, after support for RFC 8308 and RFC 8332 has been added to
any SSH, it will be able to handle rsa-sha2-256 (recommended) and maybe
rsa-sha2-512 (optional).

For OpenSSH, I think that goes back to OpenSSH 7.2p1 as it was NOT
present in OpenSSH 7.1p2.

	-- Mark

>
> On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:
>
> > Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> > > following output:
> > >
> > > ssh-ed25519
> > > ssh-ed25519-cert-v01@openssh.com
> > > ssh-rsa
> > > ssh-dss
> > > ecdsa-sha2-nistp256
> > > ecdsa-sha2-nistp384
> > > ecdsa-sha2-nistp521
> > > ssh-rsa-cert-v01@openssh.com
> > > ssh-dss-cert-v01@openssh.com
> > > ecdsa-sha2-nistp256-cert-v01@openssh.com
> > > ecdsa-sha2-nistp384-cert-v01@openssh.com
> > > ecdsa-sha2-nistp521-cert-v01@openssh.com
> > >
> > > The thing is, one can invoke both client and server with -o
> > > HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
> > > everything's OK.
> > >
> > > Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> > > no option to -Q elicits them, and they are not mentioned in the OpenSSH
> > > client and server man pages.
> > >
> > > Is this intentional?
> >
> > You should query for HostKeyAlgorithms
> >
> > ssh -Q HostKeyAlgorithms
> >
> > That list should contain rsa-sha2-256 and rsa-sha2-512.
> > --
> > main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> > "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> > putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
> >
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
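Review bot: in the quoted ssh.c hunk, "key-sig" is compared with strcmp() while the four config-keyword aliases on the following lines use strcasecmp(), so `ssh -Q hostkeyalgorithms` is accepted but `ssh -Q KEY-SIG` is not. If that asymmetry is deliberate (existing -Q query names are case-sensitive, ssh_config keywords are not), the ssh(1) text for -Q, which is not part of what is quoted here, should say so and list key-sig alongside the older queries; otherwise use one comparison for all five strings. The same documentation should make clear that all five spellings return the single list produced by `sshkey_alg_list(0, 0, 1, '\n')`, so `-Q HostKeyAlgorithms` and `-Q PubkeyAcceptedKeyTypes` print identical output rather than anything specific to host keys or to the configured value of that keyword.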
My point is that OpenSSH 7.4p1 already supported rsa-sha2-256 and
rsa-sha2-512, but that information does not seem to be anywhere in the
documentation and help utilities shipped with that version, as far as I
can tell.

On Mon, Mar 2, 2020 at 2:51 PM Mark D. Baushke <mdb at juniper.net> wrote:

> Luveh Keraph <1.41421 at gmail.com> writes:
>
> > $ ssh -Q HostKeyAlgorithms
> > Unsupported query "HostKeyAlgorithms"
> > $ ssh -V
> > OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019
>
> The option was only added to OpenSSH 8.2 and OpenSSH 8.2p1.
>
> Where these changes went into ssh.c:
>
> + else if (strcmp(optarg, "key-sig") == 0 ||
> + strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
> + strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
> + strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
> + strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
> + cp = sshkey_alg_list(0, 0, 1, '\n');
>
> That said, after support for RFC 8308 and RFC 8332 has been added to
> any SSH, it will be able to handle rsa-sha2-256 (recommended) and maybe
> rsa-sha2-512 (optional).
>
> For OpenSSH, I think that goes back to OpenSSH 7.2p1 as it was NOT
> present in OpenSSH 7.1p2.
>
> 	-- Mark
>
> >
> > On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:
> >
> > > Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > > > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> > > > following output:
> > > >
> > > > ssh-ed25519
> > > > ssh-ed25519-cert-v01@openssh.com
> > > > ssh-rsa
> > > > ssh-dss
> > > > ecdsa-sha2-nistp256
> > > > ecdsa-sha2-nistp384
> > > > ecdsa-sha2-nistp521
> > > > ssh-rsa-cert-v01@openssh.com
> > > > ssh-dss-cert-v01@openssh.com
> > > > ecdsa-sha2-nistp256-cert-v01@openssh.com
> > > > ecdsa-sha2-nistp384-cert-v01@openssh.com
> > > > ecdsa-sha2-nistp521-cert-v01@openssh.com
> > > >
> > > > The thing is, one can invoke both client and server with -o
> > > > HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
> > > > everything's OK.
> > > >
> > > > Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> > > > no option to -Q elicits them, and they are not mentioned in the OpenSSH
> > > > client and server man pages.
> > > >
> > > > Is this intentional?
> > >
> > > You should query for HostKeyAlgorithms
> > >
> > > ssh -Q HostKeyAlgorithms
> > >
> > > That list should contain rsa-sha2-256 and rsa-sha2-512.
> > > --
> > > main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> > > "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> > > putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
> > >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
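The practical gap the thread ends on is that a 7.4p1 client cannot be asked what signature algorithms it speaks: `ssh -Q key` lists key types only and `ssh -Q key-sig` does not exist before 8.2. What a pre-8.2 client does reliably expose is its KEXINIT proposal at `ssh -vv`, which is where rsa-sha2-* shows up in the "host key algorithms" line, and the "kex: host key algorithm" line that records what was negotiated. The script below is an added example, not code from OpenSSH or from anyone in the thread. It assumes two output formats: the `ssh -V` banner (`OpenSSH_7.4p1, OpenSSL ...`) and the `debug2: local client KEXINIT proposal` / `debug2: peer server KEXINIT proposal` / `debug2: host key algorithms: ...` / `debug1: kex: host key algorithm: ...` lines that `ssh -vv` prints; the sample trace embedded in it is constructed, not a real capture, and the version thresholds come from Mark's message (key-sig in 8.2, rsa-sha2-* from 7.2).

```python
"""Find out whether an OpenSSH client offers rsa-sha2-* when "ssh -Q" can't say.

Added example for the thread above, not OpenSSH code.  Assumed input formats:
  * "ssh -V" banner, e.g. "OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019";
  * "ssh -vv" lines "debug2: <local|peer> <client|server> KEXINIT proposal",
    followed by "debug2: host key algorithms: a,b,c", and the negotiated
    choice in "debug1: kex: host key algorithm: X".
SAMPLE_DEBUG below is constructed, not a captured session.
"""
import re

KEY_SIG_QUERY_SINCE = (8, 2)   # "ssh -Q key-sig" added (per the thread)
RSA_SHA2_SINCE = (7, 2)        # rsa-sha2-* expected from here (per the thread)

_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
_PROPOSAL_RE = re.compile(r"^debug2: (local|peer) (client|server) KEXINIT proposal$")
_HOSTKEY_RE = re.compile(r"^debug2: host key algorithms: (\S+)$")
_CHOSEN_RE = re.compile(r"^debug1: kex: host key algorithm: (\S+)$")


def parse_openssh_version(banner):
    """Return (major, minor) from an 'ssh -V' banner, or None if not OpenSSH."""
    m = _BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def signature_query_keyword(banner):
    """'ssh -Q' keyword that lists signature algorithms, or None when this
    client predates it and the answer must come from a -vv trace instead."""
    ver = parse_openssh_version(banner)
    if ver is None or ver < KEY_SIG_QUERY_SINCE:
        return None
    return "key-sig"


def host_key_proposals(debug_output):
    """Map each KEXINIT proposal ('local client', 'peer server', ...) to the
    ordered host key algorithm list that side offered."""
    proposals, current = {}, None
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = _PROPOSAL_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            continue
        m = _HOSTKEY_RE.match(line)
        if m and current is not None:
            proposals[current] = m.group(1).split(",")
    return proposals


def negotiated_host_key_algorithm(debug_output):
    """Host key algorithm ssh reports having chosen, or None if not logged."""
    for raw in debug_output.splitlines():
        m = _CHOSEN_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def rsa_sha2_report(banner, debug_output):
    """Everything learnable offline: whether -Q could answer, whether the
    version should support rsa-sha2-*, what each side offered, what won."""
    ver = parse_openssh_version(banner)
    sides = host_key_proposals(debug_output)
    return {
        "version": ver,
        "expected_by_version": ver is not None and ver >= RSA_SHA2_SINCE,
        "query_keyword": signature_query_keyword(banner),
        "offered": {side: [a for a in algs if a.startswith("rsa-sha2-")]
                    for side, algs in sides.items()},
        "negotiated": negotiated_host_key_algorithm(debug_output),
    }


# Constructed sample: a 7.4p1-style client talking to an rsa-sha2-capable
# server, abridged to the -vv lines this script reads.
SAMPLE_BANNER = "OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019"
SAMPLE_DEBUG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519
debug2: ciphers ctos: aes128-ctr
debug1: kex: host key algorithm: rsa-sha2-512
"""

if __name__ == "__main__":
    report = rsa_sha2_report(SAMPLE_BANNER, SAMPLE_DEBUG)
    if report["query_keyword"] is None:
        print("ssh -Q cannot list signature algorithms on this client; "
              "reading the -vv trace instead:")
    for side, algs in report["offered"].items():
        print(f"  {side}: {', '.join(algs) or 'none'}")
    print(f"  negotiated: {report['negotiated']}")
```

On a real host, feed it `ssh -V 2>&1` and the stderr of `ssh -vv -o BatchMode=yes <host> true`; on 8.2 and later `signature_query_keyword` returns "key-sig" and `ssh -Q key-sig` is the simpler check. Note that an algorithm appearing in a proposal only proves it is offered; the "kex: host key algorithm" line is what proves it was actually used for that connection.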