search for: ssh_bug_sigtype

Displaying 4 results from an estimated 4 matches for "ssh_bug_sigtype".

2018 Oct 11
3
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
...) algorithms. */ if (ssh == NULL || ssh->kex->server_sig_algs == NULL || - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { /* Filter base key signature alg against our configuration */ return match_list(sshkey_ssh_name(key), options.pubkey_key_types, NULL);
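Review bot: the new clause `(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))` has no explanation in the visible lines of why RSA certificates are sent down the base-key `match_list` path when the peer is flagged with SSH_BUG_SIGTYPE. The comment that follows it, "Filter base key signature alg against our configuration", still reads as if only the original cases reach that return. A one-line comment beside the added condition, stating that RSA certs fall back to the plain key-type name for peers with this compat flag, would keep the next reader from treating the clause as redundant with the `key->type != KEY_RSA_CERT` test directly above it. The combined condition also now mixes `ssh == NULL`, key type and a compat flag in a single `||` chain, so splitting the compat case into its own `if` would make the intent easier to audit.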
2020 Sep 26
18
[Bug 3213] New: openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes
...correct key type name when connected to openssh server < 7.8 I could be wrong about all of the following, so let me just prefix everything with, "To the best of my understanding:" In OpenSSH 7.8, the semantics of PubkeyAcceptedKeyTypes was changed, and older servers were marked with SSH_BUG_SIGTYPE. For older servers, ssh->kex->server_sig_algs appears to store a list of key types the server supports, while on newer servers it stores a list of RSA signature types that are supported. sshconnect2.c:key_sig_algorithm will return a copy of the name of an SSH key's type. For everything...
2018 Oct 11
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
...;kex->server_sig_algs == NULL || > > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { > > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || > > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { > > /* Filter base key signature alg against our configuration */ > > return match_list(sshkey_ssh_name(key), > > options.pubkey_key_types, NULL); > > That fixes it for me, thank you. Would you still like a copy of th...
2018 Oct 11
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
On Thu, Oct 11, 2018 at 10:41 AM Damien Miller <djm at mindrot.org> wrote: > On Wed, 10 Oct 2018, Adam Eijdenberg wrote: > > We see this error on the client side: > > > > debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> > > ... > > debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key > > debug1: send_pubkey_test: no