[Bug 3213] New: openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes
bugzilla-daemon at mindrot.org
Sun Sep 27 01:14:12 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3213
Bug ID: 3213
Summary: openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: gordon.messmer at gmail.com
Created attachment 3446
--> https://bugzilla.mindrot.org/attachment.cgi?id=3446&action=edit
return correct key type name when connected to openssh server < 7.8
I could be wrong about all of the following, so let me just prefix
everything with, "To the best of my understanding:"
In OpenSSH 7.8, the semantics of PubkeyAcceptedKeyTypes was changed,
and older servers were marked with SSH_BUG_SIGTYPE. For older servers,
ssh->kex->server_sig_algs appears to store a list of key types the
server supports, while on newer servers it stores a list of RSA
signature types that are supported.
sshconnect2.c:key_sig_algorithm will return a copy of the name of an
SSH key's type. For everything except RSA keys, it will filter the
key's type against options.pubkey_key_types, but that doesn't make much
sense, because the key has already been verified to be a permitted type
by sshconnect2.c:pubkey_prepare. (I haven't gone into the history, but
I'm guessing that this code used to filter against
ssh->kex->server_sig_algs instead.)
In other words, the private key type has already been checked against
the local security policy before key_sig_algorithm is called, so
key_sig_algorithm shouldn't be acting as a filter. It should be
finding the correct name to refer to the client's key type.
I'd suggest dropping the call to match_list, and instead simply return
sshkey_ssh_name(key) for all non-RSA key types, and for RSA key types
when connecting to a legacy server with SSH_BUG_SIGTYPE set.
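As an added illustration (not code from the report or from OpenSSH), a small C model of the decision described above: `sig_alg_current` follows the 8.3p1 behaviour the reporter describes and `sig_alg_proposed` the change suggested in the last paragraph. `BUG_SIGTYPE`, the function names and the sample algorithm lists are constructed stand-ins for `SSH_BUG_SIGTYPE`, `key_sig_algorithm`, `server_sig_algs` and `options.pubkey_key_types`.

```c
#include <stdio.h>
#include <string.h>
#define BUG_SIGTYPE 1u  /* stand-in for the SSH_BUG_SIGTYPE compat flag (server < 7.8) */

/* Does a comma-separated list contain name as a whole element? */
static int list_has(const char *list, const char *name) {
	size_t n = strlen(name);
	for (const char *e;; list = e + 1) {
		e = strchr(list, ',');
		size_t len = e ? (size_t)(e - list) : strlen(list);
		if (len == n && strncmp(list, name, n) == 0) return 1;
		if (e == NULL) return 0;
	}
}

/* An RSA key is named "ssh-rsa" but may be offered as ssh-rsa or rsa-sha2-*. */
static int is_rsa_alg(const char *n) {
	return strcmp(n, "ssh-rsa") == 0 || strncmp(n, "rsa-sha2-", 9) == 0;
}

/* First RSA entry of the local policy, in policy order, that the server also lists. */
static const char *pick_rsa_alg(const char *policy, const char *server_sig_algs) {
	static char out[64];
	char buf[256];
	snprintf(buf, sizeof buf, "%s", policy);
	for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
		if (is_rsa_alg(tok) && list_has(server_sig_algs, tok)) {
			snprintf(out, sizeof out, "%s", tok);
			return out;
		}
	return NULL;  /* no usable RSA algorithm: the key is skipped */
}

/* 8.3p1 as the report describes it: non-RSA keys are re-filtered against the local
 * policy; RSA keys need a policy/server intersection even on a legacy server. */
static const char *sig_alg_current(const char *key_name, const char *server_sig_algs,
    const char *policy) {
	if (strcmp(key_name, "ssh-rsa") != 0)
		return list_has(policy, key_name) ? key_name : NULL;
	return pick_rsa_alg(policy, server_sig_algs);
}

/* The report's proposal: the key already passed pubkey_prepare, so return its
 * own name for non-RSA keys and for RSA keys against a SSH_BUG_SIGTYPE server. */
static const char *sig_alg_proposed(const char *key_name, unsigned compat,
    const char *server_sig_algs, const char *policy) {
	if (strcmp(key_name, "ssh-rsa") != 0 || (compat & BUG_SIGTYPE))
		return key_name;
	return pick_rsa_alg(policy, server_sig_algs);
}
```

With a constructed policy of `rsa-sha2-512,rsa-sha2-256,ssh-ed25519` and a legacy server whose list holds the key-type names `ssh-rsa,ssh-ed25519`, `sig_alg_current` returns NULL for an RSA key (key skipped) while `sig_alg_proposed` returns `ssh-rsa`; against a modern server advertising `rsa-sha2-*` both pick the same SHA-2 algorithm.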