[Bug 2746] RFE: Allow to disable SHA1 signatures for RSA

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 13 00:54:50 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2746

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #3 from Jakub Jelen <jjelen at redhat.com> ---
I do not think this has been completely resolved with OpenSSH 7.8 nor
7.9. Currently, specifying
PubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512 in sshd_config fails
the RSA authentication (actually already the key check without
signature) without any helpful error message:

debug1: userauth-request for user root service ssh-connection method
publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA
SHA256:33ZvPdZiDGSXPKTytIAkeLQqsfe9pWbcKjo+73WIQMY [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x560e771b2c00
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is
not allowed
Failed publickey for root from ::1 port 52866 ssh2: RSA
SHA256:33ZvPdZiDGSXPKTytIAkeLQqsfe9pWbcKjo+73WIQMY
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256 [preauth]

This is because the mm_answer_keyallowed() still checks against the raw
list provided in the options.pubkey_key_types:

                         if (match_pattern_list(sshkey_ssh_name(key),
                             options.pubkey_key_types, 0) != 1)

rather than using something similar that is correctly used in the
client (sshconnnec2.c) in 4ba0d5479 (key_type_allowed_by_config),
taking the SHA2 extension into the account.

I am sorry that I did not manage to test that earlier.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list