[Bug 2994] New: SSH certificate signing does not work with SHA256 hashing algorithm
bugzilla-daemon at bugzilla.mindrot.org
Tue Apr 16 06:00:43 AEST 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=2994
Bug ID: 2994
Summary: SSH certificate signing does not work with SHA256 hashing algorithm
Product: Portable OpenSSH
Version: 7.9p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: denisenkom at gmail.com
Repro instructions:
ssh-keygen -f server_ca
ssh-keygen -f userkey
ssh-keygen -s server_ca -I ident -t rsa-sha2-256 -n user userkey.pub && ssh-keygen -L -f userkey-cert.pub
Signed user key userkey-cert.pub: id "ident" serial 0 for user valid forever
userkey-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:vGA3iSIWLZNdTjBoKzzAGH8daBV9Kvf9yZ3AhTyZ6IM
        Signing CA: RSA SHA256:TgQchZRAwiD8VRLdOmIDqoIyc6btwxIbPFMYI/JAUag
        Key ID: "ident"
        Serial: 0
        Valid: forever
        Principals:
                user
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
As you can see, the certificate type is ssh-rsa-cert-v01; it should be rsa-sha2-256-cert-v01 instead.
The problem seems to be with the sshkey_ssh_name function, which takes the first matching key type (which is SHA1). If that is the right place, then this function should be changed to also take the hash algorithm into account.
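The report above compares the certificate type string printed by ssh-keygen -L with the hash algorithm requested via -t. In the OpenSSH certificate format (documented in the project's PROTOCOL.certkeys file) those are two different fields: the blob opens with the certificate type string, and it ends with a signature field that is itself an SSH signature blob whose first string names the signature algorithm (ssh-rsa for SHA-1, rsa-sha2-256, rsa-sha2-512). The following Python script is an added example, not code from the bug report or from OpenSSH: it builds a synthetic certificate line in that layout and parses it back, so the type string and the signature algorithm can be read side by side. The RSA key material, nonce and signature bytes are constructed placeholders (no real key or signature is produced); only the framing follows the documented format. The same parse_cert_line function can be pointed at a real userkey-cert.pub line to see which algorithm a CA actually used.

```python
"""Read the signature algorithm recorded inside an OpenSSH certificate blob.

Added example (not OpenSSH code).  Layout follows OpenSSH's PROTOCOL.certkeys;
key material and signature bytes are constructed placeholders.
"""
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
# Algorithm names that may appear in the signature field of an RSA-signed cert.
RSA_SIG_HASH = {"ssh-rsa": "SHA-1", "rsa-sha2-256": "SHA-256", "rsa-sha2-512": "SHA-512"}
EXTENSIONS = [b"permit-X11-forwarding", b"permit-agent-forwarding",
              b"permit-port-forwarding", b"permit-pty", b"permit-user-rc"]


# --- SSH wire-format encoders (RFC 4251 string / uint32 / uint64 / mpint) ---
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    # Positive mpint: big-endian bytes, leading 0x00 if the top bit is set.
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_synthetic_cert_line(sig_alg: str) -> str:
    """Return a *-cert.pub style line whose trailing signature names sig_alg."""
    body = b"".join([
        ssh_string(CERT_TYPE.encode()),
        ssh_string(b"\x11" * 32),                 # nonce (constructed)
        ssh_mpint(65537),                         # subject RSA e (placeholder)
        ssh_mpint(0xC0FFEE1234567890),            # subject RSA n (placeholder, not a key)
        struct.pack(">Q", 0),                     # serial
        struct.pack(">I", 1),                     # type 1 = user certificate
        ssh_string(b"ident"),                     # key id
        ssh_string(ssh_string(b"user")),          # principals: list of strings
        struct.pack(">Q", 0),                     # valid after
        struct.pack(">Q", 0xFFFFFFFFFFFFFFFF),    # valid before ("forever")
        ssh_string(b""),                          # critical options (none)
        ssh_string(b"".join(ssh_string(e) + ssh_string(b"") for e in EXTENSIONS)),
        ssh_string(b""),                          # reserved
        ssh_string(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xCAFE)),  # CA key (placeholder)
    ])
    # The signature field is an SSH signature blob: algorithm name, then raw bytes.
    sig_blob = ssh_string(sig_alg.encode()) + ssh_string(b"\x00" * 256)
    blob = body + ssh_string(sig_blob)
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} constructed-example"


class Reader:
    """Sequential decoder for SSH wire-format fields with bounds checking."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        if self.pos + n > len(self.data):
            raise ValueError("truncated string field")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def uint32(self) -> int:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return n

    def uint64(self) -> int:
        (n,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return n

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big")

    def done(self) -> bool:
        return self.pos >= len(self.data)


def parse_cert_line(line: str) -> dict:
    """Parse one 'ssh-rsa-cert-v01@openssh.com <base64> comment' line."""
    keytype, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    cert_type = r.string().decode()
    if cert_type != keytype or cert_type != CERT_TYPE:
        raise ValueError(f"unexpected certificate type {cert_type!r}")
    r.string()                                    # nonce
    e, n = r.mpint(), r.mpint()                   # subject key
    serial, cert_kind = r.uint64(), r.uint32()
    key_id = r.string().decode()
    pr = Reader(r.string())
    principals = []
    while not pr.done():
        principals.append(pr.string().decode())
    valid_after, valid_before = r.uint64(), r.uint64()
    r.string()                                    # critical options (not decoded here)
    er = Reader(r.string())
    extensions = []
    while not er.done():
        extensions.append(er.string().decode())
        er.string()                               # extension data (empty for these)
    r.string()                                    # reserved
    r.string()                                    # CA public key
    sig = Reader(r.string())
    sig_alg = sig.string().decode()               # this names the hash actually used
    return {"cert_type": cert_type, "serial": serial, "cert_kind": cert_kind,
            "key_id": key_id, "principals": principals, "extensions": extensions,
            "valid_after": valid_after, "valid_before": valid_before,
            "signature_algorithm": sig_alg,
            "signature_hash": RSA_SIG_HASH.get(sig_alg, "unknown")}


if __name__ == "__main__":
    for alg in ("ssh-rsa", "rsa-sha2-256"):
        info = parse_cert_line(build_synthetic_cert_line(alg))
        print(f"type={info['cert_type']}  signature={info['signature_algorithm']} ({info['signature_hash']})")
```

Run as-is the script prints the same certificate type for both synthetic certs and a different signature algorithm for each, which is the distinction a practitioner needs when auditing whether a CA is still issuing SHA-1 signatures: check the signature field, not the type string.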