
"ssh -Q key" does not list rsa-sha2 algorithms
With the upcoming deprecation of ssh-rsa I was trying to see what keys my
version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
actually list the suggested algorithms to transition to ( rsa-sha2-256 and
rsa-sha2-512 ) even though they are supported. Looking through the code, it
looks like an issue with the arguments passed to sshkey_alg_list in ssh.c
where it should be as below:

case 'Q':
cp = NULL;
if (strcmp(optarg, "cipher") == 0)
cp = cipher_alg_list('\n', 0);
else if (strcmp(optarg, "cipher-auth") == 0)
cp = cipher_alg_list('\n', 1);
else if (strcmp(optarg, "mac") == 0)
cp = mac_alg_list('\n');
else if (strcmp(optarg, "kex") == 0)
cp = kex_alg_list('\n');
else if (strcmp(optarg, "key") == 0)
- cp = sshkey_alg_list(0, 0, 0, '\n');
+ cp = sshkey_alg_list(0, 0, 1, '\n');
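Review bot: setting the third argument of sshkey_alg_list() to 1 in the "key" branch changes the meaning of `-Q key` rather than fixing a defect: by your own description that flag is the inclusive one, so the key-format list would start carrying signature-algorithm names (rsa-sha2-256, rsa-sha2-512) that are not key formats, and, as the replies below note, those names already have their own query, `-Q sig`. Suggest leaving `cp = sshkey_alg_list(0, 0, 0, '\n');` as it is and, if the goal is discoverability on 7.8, adding a separate "sig" branch with the inclusive flag set so the two lists stay distinct. Minor: the hunk has no file header, `@@` line or indentation, so it cannot be applied with patch(1); a `diff -u` against ssh.c would be easier to review.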

is that right? I validated that the same code exists in HEAD as of this
morning. If so it should be a pretty simple bugfix I would be happy to make
or to let someone else from the dev team make if they have a spare moment.

It's totally a minor quality-of-life issue for understanding algorithms
supported compared to the other threads I saw about corner cases where the
rsa-sha2 family of algos is not used during negotiation, but I can
understand how this happens. The sshkey_alg_list call's first two flags
are exclusion booleans ( set to true to limit things ), whereas the third
is an inclusion boolean ( set to true to include things ).

To close, love openssh, love the work the team does, just doing some minor
nitpicking :-)

Cheers,

Ethan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: "ssh -Q key" does not list rsa-sha2 algorithms
On 2020-06-01, Ethan Rahn <ethan.rahn@gmail.com> wrote:

> With the upcoming deprecation of ssh-rsa I was trying to see what keys my
> version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
> actually list the suggested algorithms to transition to ( rsa-sha2-256 and
> rsa-sha2-512 ) even though they are supported.

"-Q key" are the supported key formats. For the signature algorithms,
you want "-Q sig". This is documented in the man page.

--
Christian "naddy" Weisgerber naddy@mips.inka.de

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber <naddy@mips.inka.de> wrote
> On 2020-06-01, Ethan Rahn <ethan.rahn@gmail.com> wrote:
>
> > With the upcoming deprecation of ssh-rsa I was trying to see what keys my
> > version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
> > actually list the suggested algorithms to transition to ( rsa-sha2-256 and
> > rsa-sha2-512 ) even though they are supported.
>
> "-Q key" are the supported key formats. For the signature algorithms,
> you want "-Q sig". This is documented in the man page.

In addition, from version 8.2 ssh -Q will also accept ssh_config
keywords and emit the formats or algorithms accepted by that keyword,
eg.

$ ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1g FIPS 21 Apr 2020

$ ssh -Q PubkeyAcceptedKeyTypes
[...]
ssh-rsa
rsa-sha2-256
rsa-sha2-512
[...]

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: "ssh -Q key" does not list rsa-sha2 algorithms
Thank you both for the clarifications. I notice that openssh 7.8 does not
support "ssh -Q sig" either.

I think it's great that later versions of openssh will support easier ways
of querying possible options to understand what is supported on the
compiled code.

Cheers,

Ethan

On Mon, Jun 1, 2020 at 3:49 PM Darren Tucker <dtucker@dtucker.net> wrote:

> On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber <naddy@mips.inka.de>
> wrote
> > On 2020-06-01, Ethan Rahn <ethan.rahn@gmail.com> wrote:
> >
> > > With the upcoming deprecation of ssh-rsa I was trying to see what keys my
> > > version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
> > > actually list the suggested algorithms to transition to ( rsa-sha2-256 and
> > > rsa-sha2-512 ) even though they are supported.
> >
> > "-Q key" are the supported key formats. For the signature algorithms,
> > you want "-Q sig". This is documented in the man page.
>
> In addition, from version 8.2 ssh -Q will also accept ssh_config
> keywords and emit the formats or algorithms accepted by that keyword,
> eg.
>
> $ ssh -V
> OpenSSH_8.2p1, OpenSSL 1.1.1g FIPS 21 Apr 2020
>
> $ ssh -Q PubkeyAcceptedKeyTypes
> [...]
> ssh-rsa
> rsa-sha2-256
> rsa-sha2-512
> [...]
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 June 2020 at 00:57, Darren Tucker <dtucker@dtucker.net> wrote:
> In addition, from version 8.2 ssh -Q will also accept ssh_config
> keywords and emit the formats or algorithms accepted by that keyword,
> eg.

Nice. Shouldn't they also be listed in the output of -Q help?

Best
Martin

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On 1 June 2020 22:04:43 CEST, Christian Weisgerber <naddy@mips.inka.de> wrote:
>"-Q key" are the supported key formats. For the signature algorithms,
>you want "-Q sig". This is documented in the man page.

Listed starting from which version?

Latest man referred online
https://man.openbsd.org/sshd_config
Doesn't show it, right?

Btw, you are referring to:
https://man.openbsd.org/sshd_config#CASignatureAlgorithms
Right?

Thanks,
Daniele

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 Jun 2020 at 18:14, Daniele Palumbo <daniele@retaggio.net> wrote:
> On 1 June 2020 22:04:43 CEST, Christian Weisgerber <naddy@mips.inka.de> wrote:
> >"-Q key" are the supported key formats. For the signature algorithms,
> >you want "-Q sig". This is documented in the man page.
>
> Listed starting from which version?

7.9.

> Latest man referred online
> https://man.openbsd.org/sshd_config
> Doesn't show it, right?

-Q is an option to ssh(1) so you want https://man.openbsd.org/ssh.1
(it's in 6.4 and newer).

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 Jun 2020 at 17:55, Martin Schröder <martin@oneiros.de> wrote:
> Am Di., 2. Juni 2020 um 00:57 Uhr schrieb Darren Tucker <dtucker@dtucker.net>:
> > In addition, from version 8.2 ssh -Q will also accept ssh_config
> > keywords and emit the formats or algorithms accepted by that keyword,
> > eg.
>
> Nice. Shouldn't they also be listed in the output of -Q help?

I hadn't really thought of that, I just considered it a convenience
alias. It is documented in the man page (eg
https://man.openbsd.org/ssh.1):

"""
-Q query_option [...]. Alternatively, any keyword from ssh_config(5)
or sshd_config(5) that takes an algorithm list may be used as an alias
for the corresponding query_option.
"""

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On 01/06/2020 23:48, Darren Tucker wrote:
> On Tue, 2 Jun 2020 at 06:12, Christian Weisgerber<naddy@mips.inka.de> wrote
>> On 2020-06-01, Ethan Rahn<ethan.rahn@gmail.com> wrote:
>>
>>> With the upcoming deprecation of ssh-rsa I was trying to see what keys my
>>> version of OpenSSH ( 7.8p1 ) supports. I noticed that "ssh -Q key" does not
>>> actually list the suggested algorithms to transition to ( rsa-sha2-256 and
>>> rsa-sha2-512 ) even though they are supported.
>> "-Q key" are the supported key formats. For the signature algorithms,
>> you want "-Q sig". This is documented in the man page.
> In addition, from version 8.2 ssh -Q will also accept ssh_config
> keywords and emit the formats or algorithms accepted by that keyword,

There is also "-Q key-sig" in recent versions (not sure exactly how
recent, but 7.6 doesn't have it).


Re: "ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 Jun 2020 at 18:48, Brian Candler <b.candler@pobox.com> wrote:
[about ssh -Q ssh_config_keyword]
> There is also "-Q key-sig" in recent versions (not sure exactly how recent, but 7.6 doesn't have it)

Added in the same commit (Feb this year), first released in 8.3:
https://github.com/openssh/openssh-portable/commit/d4d9e1d40514e2746f9e05335d646512ea1020c6

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: "ssh -Q key" does not list rsa-sha2 algorithms
On 02/06/2020 09:58, Darren Tucker wrote:
> On Tue, 2 Jun 2020 at 18:48, Brian Candler<b.candler@pobox.com> wrote:
> [about ssh -Q ssh_config_keyword]
>> There is also "-Q key-sig" in recent versions (not sure exactly how recent, but 7.6 doesn't have it)
> Added in the same commit (Feb this year), first released in 8.3:
> https://github.com/openssh/openssh-portable/commit/d4d9e1d40514e2746f9e05335d646512ea1020c6

WFM in 8.2p1:

$ ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1g  21 Apr 2020
$ ssh -Q key-sig
ssh-ed25519
...

(macOS, homebrew)


Re: "ssh -Q key" does not list rsa-sha2 algorithms
On Tue, 2 Jun 2020 at 19:05, Brian Candler <b.candler@pobox.com> wrote:
> On 02/06/2020 09:58, Darren Tucker wrote:
[...]
> Added in the same commit (Feb this year), first released in 8.3:
> https://github.com/openssh/openssh-portable/commit/d4d9e1d40514e2746f9e05335d646512ea1020c6
>
> WFM in 8.2p1:

Yeah, sorry I got that wrong. The commit was 2020-02-07 and the 8.2
release was 2020-02-14 so it just made the cut.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
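The thread settles on three facts: "-Q key" lists key formats only, "-Q sig" (7.9 and later) lists signature algorithms, and "-Q key-sig" plus the ssh_config keyword aliases arrived in 8.2. The script below is an added example, not code from the thread or from the OpenSSH project, that turns those facts into a readiness check for the ssh-rsa deprecation: it asks the installed ssh for its signature algorithms using the newest query it understands and reports whether rsa-sha2-256 and rsa-sha2-512 are both advertised. It assumes that ssh exits non-zero on an unsupported -Q query (so the fallback loop works) and that the function and option names (`has_rsa_sha2`, `query_sig_algs`, `--run`) are its own; the algorithm lists used for testing are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: does the local OpenSSH advertise the rsa-sha2-* signature
# algorithms that replace ssh-rsa? Runs offline for the parsing part;
# the live part needs an ssh binary.

# Return 0 if the algorithm list on stdin (one name per line, as "ssh -Q"
# prints it) contains BOTH rsa-sha2-256 and rsa-sha2-512 as plain entries.
# Certificate variants (rsa-sha2-256-cert-v01@openssh.com) do not count,
# because a host can advertise the cert form without the plain one.
has_rsa_sha2() {
    list=$(cat)
    have256=0
    have512=0
    for alg in $list; do
        case "$alg" in
            rsa-sha2-256) have256=1 ;;
            rsa-sha2-512) have512=1 ;;
        esac
    done
    if [ "$have256" -eq 1 ] && [ "$have512" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Print the signature-algorithm list using the first query this ssh accepts.
# "sig" exists from 7.9, "key-sig" from 8.2 (per the thread). "key" is
# deliberately NOT a fallback: on every version it lists key formats only,
# so it never shows rsa-sha2-* and would give a false negative.
# Assumption: an unsupported query makes ssh exit non-zero.
query_sig_algs() {
    for q in sig key-sig; do
        if out=$(ssh -Q "$q" 2>/dev/null); then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# Live check against the installed client; exit 0 = ready, 1 = not ready,
# 2 = could not determine (no ssh, or ssh older than 7.9).
main() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not found in PATH" >&2
        return 2
    fi
    ssh -V 2>&1
    if ! algs=$(query_sig_algs); then
        echo "this ssh accepts neither -Q sig (7.9+) nor -Q key-sig (8.2+);" \
             "upgrade or check the server's debug output instead" >&2
        return 2
    fi
    if printf '%s\n' "$algs" | has_rsa_sha2; then
        echo "OK: rsa-sha2-256 and rsa-sha2-512 are advertised"
        return 0
    fi
    echo "NOT READY: rsa-sha2 signature algorithms are not advertised" >&2
    return 1
}

# Only run the live check when invoked with --run, so the functions can be
# sourced and exercised against constructed input.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Invoke it as `sh check.sh --run` on the host being assessed; on a 7.8 client like the one in the thread it exits 2 rather than guessing, which is the honest answer since that release has no query that exposes signature algorithms.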