search for: sha2

...ersion "OpenSSH_7.8p1, LibreSSL 2.7.3" is unable to use our user SSH RSA certificates to authenticate to our servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017"). We see this error on the client side: debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> ... debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key debug1: send_pubkey_test: no mutual signature algorithm (So far as I can tell, neither the server nor client are overriding default algorithms in their respective configurations) I added some printf debugging t...

...S 8 server: # Accept also DSA keys PubkeyAcceptedKeyTypes=+ssh-dss and systemctl restart sshd I kept getting in journal the message: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] I saw that the sshd process had started with the option ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256, ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-cert-v01 at openssh.co...

...raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0xb6b84600 in __GI_abort () at abort.c:79 #2 0x7f715c00 in __subvsi3 (a=<optimized out>, b=<optimized out>) at ../../../gcc-7-20180201/libgcc/libgcc2.c:119 #3 0x7f713494 in strlcpy ( dst=0x7fff2428 "ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v...

...22 14:34:03 myhostname sshd[3905]: debug3: privsep user:group > > 106:65534 [preauth] > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: permanently_set_uid: > > 106/65534 [preauth] > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: list_hostkey_types: > > ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256 [preauth] > > Nov 22 14:34:03 myhostname sshd[3905]: debug3: send packet: type 20 [preauth] > > Nov 22 14:34:03 myhostname sshd[3905]: debug1: SSH2_MSG_KEXINIT sent [preauth] > > > > Can you help? > > That ~13-year-old version of db...

...g1: match: OpenSSH_8.4p1 Debian-2~bpo10+1 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to domain.com:22 as 'user' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c debug2:...

...x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to {REDACTED}:22 as 'ryantm' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-ni...

...Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: adrian.jarc at aviatnet.com If I disable certain mac algorithms on sshd and then try to connect (on same device) to ssh with thiose disabled algorithms, SSH allows me to do this. Scenario: I have disabled hmac-sha2-256 in sshd config on device. Then I try establishing connection via ssh client on same device with '-m hmac-sha2-256' flag. Instead of connection being rejected because mac algorithm is not supported on server, Client just ignores this flag and connects. Logs of what happens: " ssh -...

When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the following output: ssh-ed25519 ssh-ed25519-cert-v01 at openssh.com ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa-cert-v01 at openssh.com ssh-dss-cert-v01 at openssh.com ecdsa-sha2-nistp256-cert-v01 at openssh.com ecdsa-sha2-nistp384-cert-v01 at openssh.com ecdsa-sha2-nistp521-cert-v01 at openssh.com The thing is, one can invoke both client and server...

...the following change was made to the `sshd_config` file: `MACs -*md5*,*sha1,*sha1-*,*-96`. When testing from client with `-m hmac-sha1` results are as expected: `Unable to negotiate with x.x.x.x port 22: no matching MAC found. Their offer: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512`. However, doing the same exact thing on the system with this configuration, localhost connection succeeds. It seems on the surface that this inconsistency may be a bu...

...Ssl Oct06 0:03 /usr/sbin/NetworkManager --no-daemon root 42 0.0 0.0 78536 4124 ? Ss Oct06 0:00 /usr/sbin/sshd -D -oCiphers=aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256 -ctr,aes256-cbc,aes128-gcm at openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac- sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms= curve25519-sha256,curve25519-sha256 at libssh.org,ec...

...eptedKeyTypes=+ssh-dss > > and > systemctl restart sshd > > I kept getting in journal the message: > userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] > > I saw that the sshd process had started with the option > ... -oPubkeyAcceptedKeyTypes=rsa-sha2-256,ecdsa-sha2-nistp256, > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384, > ecdsa-sha2-nistp384-cert-v01 at openssh.com,rsa-sha2-512,ecdsa-sha2-nistp521, > ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519, > ssh-ed25519-cert-v01 at openssh.com,ssh-rsa,ssh-rsa-ce...

...te_host as 'user1' debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3 debug3: load_hostkeys: loaded 1 keys from remote_host debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh...

...3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2 -nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange -sha1,diffie-hellman-group14-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-s...

Hi, Following the fix [1] being released on 7.5, now SHA2 RSA signature methods work properly. On the other hand it is still not possible to disable SHA1 RSA alone (as an example, as SHA2-256 or SHA2-512 could also potentially be not desirable), where it is considered insecure or undesirable. I am proposing to add a mechanism, and happy to submit a patc...

...eraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07: > > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the > > following output: > > > > ssh-ed25519 > > ssh-ed25519-cert-v01 at openssh.com > > ssh-rsa > > ssh-dss > > ecdsa-sha2-nistp256 > > ecdsa-sha2-nistp384 > > ecdsa-sha2-nistp521 > > ssh-rsa-cert-v01 at openssh.com > > ssh-dss-cert-v01 at openssh.com > > ecdsa-sha2-nistp256-cert-v01 at openssh.com > > ecdsa-sha2-nistp384-cert-v01 at openssh.com > > ecdsa-sha2-nistp521-cert-v01...

Hi, I'm having a problem when I add "HostKeyAlgorithms +ssh-dss" to the ssh_config file the host key will always negotiate to a wrong one. In my case it will negotiate to "ecdsa-sha2-nistp256". The client was already configured with the servers rsa public key, before the change I added to the ssh_config file I could see from the debug that server and client will negotiate to use ssh-rsa as expected. After change unfortunately the client and server will negotiate to use ecd...

..._hostkeys: fopen /home/jfp/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /usr/local/etc/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /usr/local/etc/ssh_known_hosts2: No such file or directory debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local...

...; debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /Users/user1/.ssh/known_hosts:3 > debug3: load_hostkeys: loaded 1 keys from remote_host > debug3: order_hostkeyalgs: prefer hostkeyalgs: > ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2- > nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com > ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit:...

Hello. I am running OpenSSH 7.9p1 on my client and server. ssh-keyscan shows the server has ssh-rsa, ssh-ed25519, and ecdsa-sha2-nistp256 host keys. My /etc/ssh/ssh_known_hosts file contains the server's ssh-ed25519 host key. When I try to SSH to the server I get this error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@...

...bug3: record_hostkey: found key type ED25519 in file /home/aixtools/openbsd/openssh-7.7p1/known_hosts:2 debug3: load_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp38...