[Bug 2680] Regression in server-sig-algs offer in 7.4p1 (Deprecation of SHA1 is not being enforced)
bugzilla-daemon at bugzilla.mindrot.org
Fri Jul 21 14:47:46 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2680
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
(In reply to Jakub Jelen from comment #6)
> Although the patch looks reasonable and I considered it as a
> resolved issue, it is not as the current master (openssh 7.5) still
> reports:
>
> debug1: kex_input_ext_info:
> server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-
> dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>
That's AFAIK what it's supposed to be, excepting the "null" at the end
of the list - where does that come from?
> The correct list:
>
> debug1: kex_input_ext_info:
> server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
Doesn't list non-RSA signature algorithms. Per
https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10 :
> This extension is sent by the server, and contains a list of public
> key algorithms that the server is able to process as part of a
> "publickey" authentication request.
That doesn't limit the contents to just new signature algorithms.
We don't currently provide a knob to disable SHA1 signatures, but feel
free to file another bug to request it and I'll try to get it done
before 7.6.
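
Added example, not part of the original message and not OpenSSH code: a small Python check that parses a `server-sig-algs` debug line, separates the SHA-1 based names from the rest, and shows which non-SHA-1 algorithms would stop being advertised if the offer were cut down to the two-entry list quoted above. The sample line is constructed from the list in the report; the function names are hypothetical.

```python
import re

# Hash behind each signature algorithm name seen in the message above.
SIG_HASH = {
    "ssh-rsa": "sha1", "ssh-dss": "sha1",
    "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512",
    "ecdsa-sha2-nistp256": "sha256", "ecdsa-sha2-nistp384": "sha384",
    "ecdsa-sha2-nistp521": "sha512",
    "ssh-ed25519": "sha512",  # Ed25519 hashes with SHA-512 internally
}
EXT_RE = re.compile(r"server-sig-algs=<([^>]*)>")

# Constructed sample: the list from the report, joined onto one line.
SAMPLE = ("debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,"
          "rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,"
          "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>")

def parse_server_sig_algs(debug_output):
    """Return the names offered in server-sig-algs, or None if not present."""
    m = EXT_RE.search(debug_output)
    if m is None:
        return None
    return [n.strip() for n in m.group(1).split(",") if n.strip()]

def audit(algs):
    """Bucket names into SHA-1 based, SHA-2 based, and unrecognised."""
    report = {"sha1": [], "sha2": [], "unknown": []}
    for name in algs:
        digest = SIG_HASH.get(name)
        if digest is None:
            report["unknown"].append(name)
        else:
            report["sha1" if digest == "sha1" else "sha2"].append(name)
    return report

def lost_if_replaced(offered, proposed):
    """Non-SHA-1 algorithms in `offered` that `proposed` would stop advertising."""
    return [n for n in offered
            if SIG_HASH.get(n) not in (None, "sha1") and n not in proposed]

if __name__ == "__main__":
    offered = parse_server_sig_algs(SAMPLE)
    print(audit(offered))
    print(lost_if_replaced(offered, ["rsa-sha2-256", "rsa-sha2-512"]))
```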