[Bug 2799] RSA Signatures using SHA2 provided by different ssh-agent are not properly verified
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed Jul 4 23:57:28 AEST 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2799
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
This was fixed by the following commits and will be in OpenSSH 7.8:
commit 314908f451e6b2d4ccf6212ad246fa4619c721d3
Author: djm at openbsd.org <djm at openbsd.org>
Date: Wed Jul 4 13:51:45 2018 +0000
upstream: deal with API rename: match_filter_list() =>
match_filter_blacklist()
OpenBSD-Regress-ID: 2da342be913efeb51806351af906fab01ba4367f
commit 89f54cdf6b9cf1cf5528fd33897f1443913ddfb4
Author: djm at openbsd.org <djm at openbsd.org>
Date: Wed Jul 4 13:51:12 2018 +0000
upstream: exercise new expansion behaviour of
PubkeyAcceptedKeyTypes and, by proxy, test kex_assemble_names()
ok markus@
OpenBSD-Regress-ID: 292978902e14d5729aa87e492dd166c842f72736
commit 312d2f2861a2598ed08587cb6c45c0e98a85408f
Author: djm at openbsd.org <djm at openbsd.org>
Date: Wed Jul 4 13:49:31 2018 +0000
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms
by
wildcard.
Algorithm lists are now fully expanded when the server/client
configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
commit 303af5803bd74bf05d375c04e1a83b40c30b2be5
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 11:43:49 2018 +0000
upstream: some magic for RSA-SHA2 checks
OpenBSD-Regress-ID: e5a9b11368ff6d86e7b25ad10ebe43359b471cd4
commit 7d68e262944c1fff1574600fe0e5e92ec8b398f5
Author: Damien Miller <djm at mindrot.org>
Date: Tue Jul 3 23:27:11 2018 +1000
depend
commit b4d4eda633af433d20232cbf7e855ceac8b83fe5
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 13:20:25 2018 +0000
upstream: some finesse to fix RSA-SHA2 certificate authentication
for certs hosted in ssh-agent
OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
commit d78b75df4a57e0f92295f24298e5f2930e71c172
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 13:07:58 2018 +0000
upstream: check correct variable; unbreak agent keys
OpenBSD-Commit-ID: c36981fdf1f3ce04966d3310826a3e1e6233d93e
commit 2f30300c5e15929d0e34013f38d73e857f445e12
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 11:42:12 2018 +0000
upstream: crank version number to 7.8; needed for new compat flag
for prior version; part of RSA-SHA2 strictification, ok markus@
OpenBSD-Commit-ID: 84a11fc0efd2674c050712336b5093f5d408e32b
commit 4ba0d54794814ec0de1ec87987d0c3b89379b436
Author: djm at openbsd.org <djm at openbsd.org>
Date: Tue Jul 3 11:39:54 2018 +0000
upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature
to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.
In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.
Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature
algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.
Add new signature algorithms "rsa-sha2-256-cert-v01 at openssh.com"
and
"rsa-sha2-512-cert-v01 at openssh.com" to force use of RSA-SHA2
signatures
with certificate keys.
feedback and ok markus@
OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list