[Bug 3213] openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes
https://bugzilla.mindrot.org/show_bug.cgi?id=3213

--- Comment #1 from Gordon Messmer <gordon.messmer@gmail.com> ---
For example, I have an rsa-sha2-256 private key. If I connect to a
server running openssh 7.4, and PubkeyAcceptedKeyTypes=ssh-rsa, then
the key is correctly handled by the openssh 8.3 client. However, if
PubkeyAcceptedKeyTypes=rsa-sha2-256, then the key cannot be used.

The openssh 8.3 client accepts the same key and configuration when used
to connect to openssh >= 7.8 servers.
$ ssh-keygen -l -f ~/.ssh/id_rsa_2015-11-02
4096 SHA256:.... gordon (RSA)

$ ssh -oPubkeyAcceptedKeyTypes=ssh-rsa -i ~/.ssh/id_rsa_2015-11-02 openssh74
Enter passphrase for key '/home/gordon/.ssh/id_rsa_2015-11-02':
gordon@openssh74:~$ logout
Connection to 192.168.122.11 closed.

$ ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-256 -i ~/.ssh/id_rsa_2015-11-02 openssh74
gordon@openssh74's password:
gordon@openssh74:~$ logout
Connection to 192.168.122.11 closed.

$ ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-256 -i ~/.ssh/id_rsa_2015-11-02 openssh78
Enter passphrase for key '/home/gordon/.ssh/id_rsa_2015-11-02':
gordon@openssh78$

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Jakub Jelen <jjelen@redhat.com> changed:

What                 Removed        Added
----------------------------------------------------------------------------
CC                                  jjelen@redhat.com

--- Comment #2 from Jakub Jelen <jjelen@redhat.com> ---
Please have a look at the description in the following comment:

https://bugzilla.redhat.com/show_bug.cgi?id=1881301#c27

I believe this is a bug only in OpenSSH 7.4p1, which is in Debian 9 and
which is the only version that reports wrong server-sig-algs in the
extension. This means either a long shot to fix this in Debian 9 (by
mostly reverting [1], as we did in RHEL7), or another long shot: to
implement a compat fix for this particular openssh version in upstream
(not sure if it is worth it for that old release, but Debian 9 is still
quite common).

[1] https://github.com/openssh/openssh-portable/commit/130f5d

Gordon Messmer <gordon.messmer@gmail.com> changed:

What                           Removed        Added
----------------------------------------------------------------------------
Attachment #3446 is obsolete   0              1

--- Comment #3 from Gordon Messmer <gordon.messmer@gmail.com> ---
Created attachment 3448
--> https://bugzilla.mindrot.org/attachment.cgi?id=3448&action=edit
Use RSA keys for OpenSSH 7.4 servers, if local policy permits

Jakub Jelen helped me understand the code a little better, and to
understand that the premise of the previous patch was flawed. This
version more specifically targets the lack of SHA2 hashes in
server-sig-algs when connecting to OpenSSH 7.4.

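The three sessions in comment #1, the server-sig-algs explanation in comment #2 and the "lack of SHA2 hashes in server-sig-algs" target of the patch in comment #3 all come down to one negotiation step: the client takes the name-list a server sends in the server-sig-algs extension of SSH_MSG_EXT_INFO (RFC 8308), intersects it with PubkeyAcceptedKeyTypes, and uses the RSA key only if something survives. The Python below is an added model of that step written for this thread; it is not OpenSSH code and not the attached patch. It assumes a simplified PubkeyAcceptedKeyTypes syntax (a plain comma-separated list, no +/-/^ prefixes or wildcards), and the two EXT_INFO name-lists it builds are constructed to match the behaviour the thread attributes to a 7.4p1 and a >= 7.8 server, not captured from real hosts. The compat_74 flag shows the shape of the workaround comment #3 describes (treat a server that advertises ssh-rsa but no rsa-sha2-* as supporting SHA-2 anyway); without the flag, a policy of rsa-sha2-256 only leaves no usable algorithm against the legacy list, which is why the second session fell through to password authentication.

```python
"""Model of the RSA signature-algorithm negotiation discussed in bug 3213.

Added example for this thread; not OpenSSH's code and not the attached patch.
"""
import struct

SSH_MSG_EXT_INFO = 7  # RFC 8308 section 2.3

# Constructed sample name-lists (not captured from real servers). The legacy
# list omits rsa-sha2-256/512, which is the 7.4p1 behaviour the thread
# describes; the modern list is what a >= 7.8 server is expected to advertise.
LEGACY_74_SIG_ALGS = "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519"
MODERN_SIG_ALGS = "ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa"

# Signature algorithms an RSA key can produce, strongest first (RFC 8332).
RSA_SIG_ALGS = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")
SHA2_RSA_ALGS = {"rsa-sha2-512", "rsa-sha2-256"}


def build_ext_info(extensions):
    """Encode [(name, value), ...] as an SSH_MSG_EXT_INFO payload."""
    out = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions:
        for s in (name.encode(), value.encode()):
            out += struct.pack(">I", len(s)) + s  # SSH "string": uint32 len + bytes
    return out


def _read_string(buf, off):
    """Read one SSH string at offset; reject truncated input instead of guessing."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_ext_info(payload):
    """Decode an SSH_MSG_EXT_INFO payload into {extension-name: value}."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    off = 1
    (count,) = struct.unpack_from(">I", payload, off)
    off += 4
    exts = {}
    for _ in range(count):
        name, off = _read_string(payload, off)
        value, off = _read_string(payload, off)
        exts[name.decode()] = value.decode()
    if off != len(payload):
        raise ValueError("trailing bytes after last extension")
    return exts


def server_sig_algs(exts):
    """Return the server-sig-algs name-list, or None if the server sent none."""
    value = exts.get("server-sig-algs")
    return value.split(",") if value else None


def has_74_quirk(server_algs):
    """True if the server advertises ssh-rsa but no rsa-sha2-* algorithm,
    the server-sig-algs pattern the thread attributes to OpenSSH 7.4p1."""
    advertised = set(server_algs or ())
    return "ssh-rsa" in advertised and not (advertised & SHA2_RSA_ALGS)


def choose_rsa_sig_alg(server_algs, pubkey_accepted_key_types, compat_74=False):
    """Pick the signature algorithm a client would use for an RSA key.

    server_algs: list from server-sig-algs, or None when no EXT_INFO arrived.
    pubkey_accepted_key_types: simplified PubkeyAcceptedKeyTypes value
    (comma-separated list only; +/-/^ prefixes and wildcards are not modelled).
    Returns the chosen algorithm name, or None if the key cannot be offered.
    """
    accepted = set(pubkey_accepted_key_types.split(","))
    if server_algs is None:
        # RFC 8332: with no server-sig-algs, the client falls back to ssh-rsa.
        return "ssh-rsa" if "ssh-rsa" in accepted else None
    advertised = set(server_algs)
    if compat_74 and has_74_quirk(server_algs):
        # Workaround shape from comment #3: assume SHA-2 support is present
        # even though the server failed to advertise it.
        advertised |= SHA2_RSA_ALGS
    for alg in RSA_SIG_ALGS:
        if alg in accepted and alg in advertised:
            return alg
    return None


def replay_thread_sessions():
    """Re-run the three sessions from comment #1 against the model."""
    legacy = server_sig_algs(parse_ext_info(
        build_ext_info([("server-sig-algs", LEGACY_74_SIG_ALGS)])))
    modern = server_sig_algs(parse_ext_info(
        build_ext_info([("server-sig-algs", MODERN_SIG_ALGS)])))
    return {
        "openssh74 + ssh-rsa": choose_rsa_sig_alg(legacy, "ssh-rsa"),
        "openssh74 + rsa-sha2-256": choose_rsa_sig_alg(legacy, "rsa-sha2-256"),
        "openssh78 + rsa-sha2-256": choose_rsa_sig_alg(modern, "rsa-sha2-256"),
        "openssh74 + rsa-sha2-256 (compat)": choose_rsa_sig_alg(
            legacy, "rsa-sha2-256", compat_74=True),
    }


if __name__ == "__main__":
    for case, result in replay_thread_sessions().items():
        print(f"{case}: {result or 'key not offered, falls back to password'}")
```

The parser deliberately rejects a truncated or over-long EXT_INFO payload rather than silently accepting a partial name-list, since a wrongly parsed server-sig-algs would produce exactly the "key silently not offered" symptom this bug reports; when debugging a similar case, `ssh -vvv` shows the received extension list before any key is tried.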