[Bug 2994] New: SSH certificate signing does not work with SHA256 hashing algorithm

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Apr 16 06:00:43 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2994

            Bug ID: 2994
           Summary: SSH certificate signing does not work with SHA256
                    hashing algorithm
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: denisenkom at gmail.com

Repro instructions:
ssh-keygen -f server_ca
ssh-keygen -f userkey
ssh-keygen -s server_ca -I ident -t rsa-sha2-256 -n user userkey.pub && ssh-keygen -L -f userkey-cert.pub
Signed user key userkey-cert.pub: id "ident" serial 0 for user valid forever
userkey-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:vGA3iSIWLZNdTjBoKzzAGH8daBV9Kvf9yZ3AhTyZ6IM
        Signing CA: RSA SHA256:TgQchZRAwiD8VRLdOmIDqoIyc6btwxIbPFMYI/JAUag
        Key ID: "ident"
        Serial: 0
        Valid: forever
        Principals: 
                user
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

As you can see, the certificate type is ssh-rsa-cert-v01; it should be
rsa-sha2-256-cert-v01 instead.

The problem seems to be with the sshkey_ssh_name function, which takes the
first matching key type (which is SHA1). If that is the right place, then
this function should be changed to also take the hash algorithm into
account.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list
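An added example, not code from the bug report or from OpenSSH, that decodes an ssh-rsa-cert-v01@openssh.com blob following the field layout in OpenSSH's PROTOCOL.certkeys and reports the outer certificate type next to the algorithm name carried inside the trailing signature field. That inner name ("ssh-rsa", "rsa-sha2-256" or "rsa-sha2-512") is where the choice made with -t when running ssh-keygen -s is recorded, and it is what a verifier consults to pick the hash. The certificate decoded here is constructed inline with dummy key and signature bytes (nothing is cryptographically verified) so the script runs offline; the function names are this example's own.

```python
# Added example (not from the bug report or OpenSSH): decode an
# ssh-rsa-cert-v01@openssh.com blob per OpenSSH's PROTOCOL.certkeys and
# report the outer certificate type next to the algorithm name recorded
# inside the trailing signature field. Key and signature bytes below are
# dummy placeholders constructed for the demo; no signature is verified.
import base64
import struct

RSA_CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: minimal big-endian bytes, 0x00 pad if high bit set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


class Reader:
    """Sequential reader for the RFC 4251 wire encoding, with bounds checks."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated certificate")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def uint64(self) -> int:
        return struct.unpack(">Q", self.take(8))[0]

    def string(self) -> bytes:
        return self.take(self.uint32())


def build_dummy_rsa_cert(sig_alg: str) -> bytes:
    """Constructed user certificate with the PROTOCOL.certkeys RSA field layout."""
    body = ssh_string(RSA_CERT_TYPE.encode())
    body += ssh_string(b"\x00" * 32)                  # nonce
    body += ssh_mpint(65537)                          # e
    body += ssh_mpint((1 << 2047) | 0x1234567)        # n (dummy modulus)
    body += struct.pack(">Q", 0)                      # serial
    body += struct.pack(">I", 1)                      # type: 1 = user certificate
    body += ssh_string(b"ident")                      # key id
    body += ssh_string(ssh_string(b"user"))           # valid principals (packed list)
    body += struct.pack(">Q", 0)                      # valid after
    body += struct.pack(">Q", 0xFFFFFFFFFFFFFFFF)     # valid before ("forever")
    body += ssh_string(b"")                           # critical options
    body += ssh_string(b"")                           # extensions
    body += ssh_string(b"")                           # reserved
    ca_key = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 0x89ABCDE)
    body += ssh_string(ca_key)                        # signature key: the CA's plain key blob
    # The signature field is itself an encoded signature: string alg, string bytes.
    body += ssh_string(ssh_string(sig_alg.encode()) + ssh_string(b"\x11" * 256))
    return body


def parse_rsa_cert(blob: bytes) -> dict:
    """Walk the certificate and pull out the fields that matter for this bug."""
    r = Reader(blob)
    cert_type = r.string().decode()
    if cert_type != RSA_CERT_TYPE:
        raise ValueError(f"not an RSA certificate: {cert_type}")
    r.string()                                        # nonce
    r.string(); r.string()                            # e, n
    serial = r.uint64()
    r.uint32()                                        # type
    key_id = r.string().decode()
    plist, principals = Reader(r.string()), []
    while plist.pos < len(plist.data):
        principals.append(plist.string().decode())
    r.uint64(); r.uint64()                            # validity window
    r.string(); r.string(); r.string()                # critical options, extensions, reserved
    ca_key_type = Reader(r.string()).string().decode()
    sig_alg = Reader(r.string()).string().decode()    # first string of the signature blob
    if r.pos != len(blob):
        raise ValueError("trailing bytes after signature")
    return {"cert_type": cert_type, "serial": serial, "key_id": key_id,
            "principals": principals, "ca_key_type": ca_key_type, "sig_alg": sig_alg}


def to_cert_line(blob: bytes, comment: str = "") -> str:
    """Render a blob as one userkey-cert.pub line: '<type> <base64> [comment]'."""
    return f"{RSA_CERT_TYPE} {base64.b64encode(blob).decode()} {comment}".rstrip()


def describe_cert_line(line: str) -> dict:
    """Decode one *-cert.pub line and check the type prefix matches the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed certificate line")
    info = parse_rsa_cert(base64.b64decode(parts[1]))
    if info["cert_type"] != parts[0]:
        raise ValueError("type prefix does not match encoded certificate")
    return info


if __name__ == "__main__":
    for alg in ("ssh-rsa", "rsa-sha2-256"):
        info = describe_cert_line(to_cert_line(build_dummy_rsa_cert(alg), "demo"))
        print(f"type={info['cert_type']}  CA={info['ca_key_type']}  signature={info['sig_alg']}")
```

To inspect a real certificate instead of the constructed one, pass the single line of userkey-cert.pub to describe_cert_line; the parser rejects non-RSA certificate types, truncated blobs and trailing bytes rather than guessing.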