[Bug 3351] New: RSA SHA256 certificates no longer work
bugzilla-daemon at mindrot.org
Thu Oct 7 06:29:19 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3351
Bug ID: 3351
Summary: RSA SHA256 certificates no longer work
Product: Portable OpenSSH
Version: 8.8p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: denisenkom at gmail.com
RSA SHA256 certificate authentication stopped working in 8.8.
It looks like RSA SHA256 certificates are identified as
ssh-rsa-cert-v01@openssh.com instead of as
rsa-sha2-256-cert-v01@openssh.com, and the current allow list does not have
ssh-rsa-cert-v01@openssh.com on it, resulting in rejection of such
certificates by the client. The root cause seems to be the
misidentification of SHA256 certificates as ssh-rsa-cert-v01@openssh.com
certificates.
The workaround is to add "PubkeyAcceptedKeyTypes
+ssh-rsa-cert-v01@openssh.com" to the client ssh config, but this doesn't
seem right, since the certificate is actually a SHA256 certificate and should
be allowed by default.
Reproduction steps:
Create the CA key:
ssh-keygen -t rsa-sha2-256 -f ca_key
Create the user key:
ssh-keygen -t rsa-sha2-256 -f user_key
Sign the certificate using a SHA256 signature:
ssh-keygen -s ca_key -I "test" -z "123" -V -1w:+54w5d -t rsa-sha2-256 -n user user_key.pub
Copy ca_key.pub to the server as /etc/ssh/ca_key.pub.
Add the following line to /etc/sshd_config:
TrustedUserCAKeys /etc/ssh/ca_key.pub
Restart sshd: sudo service sshd restart
Add a test user: sudo useradd user
Back on the client, run:
ssh -i user_key user@<server-host>
This fails with: user@<server-host>: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
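As an added illustration (not part of the bug report or of OpenSSH), the following Python builds and parses a `*-cert.pub` line laid out per OpenSSH's PROTOCOL.certkeys, returning both the certificate type string and the algorithm named inside the CA signature; the key material and signature bytes are constructed dummies, so only the structure is exercised, not signature validity.

```python
import base64
import struct

# Helpers for the SSH "string" wire type (uint32 big-endian length + bytes).
def _put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_synthetic_cert_line(sig_alg: str) -> str:
    """Constructed sample: an ssh-rsa-cert-v01@openssh.com user certificate
    with dummy key material and a dummy CA signature labelled sig_alg."""
    dummy_n = b"\x00\xc0" + b"\x11" * 31                 # fake mpint modulus
    blob = _put_string(b"ssh-rsa-cert-v01@openssh.com")  # type is always this for RSA certs
    blob += _put_string(b"\x00" * 32)                    # nonce
    blob += _put_string(b"\x01\x00\x01") + _put_string(dummy_n)  # e, n
    blob += struct.pack(">QI", 123, 1)                   # serial 123, type 1 = user cert
    blob += _put_string(b"test")                         # key id
    blob += _put_string(_put_string(b"user"))            # valid principals (list of strings)
    blob += struct.pack(">QQ", 0, 2**64 - 1)             # valid after / valid before
    blob += _put_string(b"") * 3                         # critical options, extensions, reserved
    ca_key = _put_string(b"ssh-rsa") + _put_string(b"\x01\x00\x01") + _put_string(dummy_n)
    blob += _put_string(ca_key)                          # signature key (CA public key)
    sig = _put_string(sig_alg.encode()) + _put_string(b"\x00" * 32)
    blob += _put_string(sig)                             # signature: algorithm name + dummy bytes
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(blob).decode() + " user_key.pub"

def inspect_cert_line(line: str):
    """Return (certificate type string, CA signature algorithm) for an RSA *-cert.pub line."""
    blob = base64.b64decode(line.split()[1])
    cert_type, off = _get_string(blob, 0)
    if cert_type != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an RSA certificate: %r" % cert_type)
    for _ in range(3):                                   # nonce, e, n
        _, off = _get_string(blob, off)
    off += 8 + 4                                         # serial (uint64), type (uint32)
    for _ in range(2):                                   # key id, valid principals
        _, off = _get_string(blob, off)
    off += 8 + 8                                         # valid after, valid before
    for _ in range(4):                                   # critical options, extensions, reserved, signature key
        _, off = _get_string(blob, off)
    sig, off = _get_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    sig_alg, _ = _get_string(sig, 0)                     # hash choice lives here, e.g. rsa-sha2-256
    return cert_type.decode(), sig_alg.decode()

if __name__ == "__main__":
    for alg in ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"):
        print(inspect_cert_line(build_synthetic_cert_line(alg)))
```

On a certificate produced by the steps above, `ssh-keygen -L -f user_key-cert.pub` shows the same split: the type line is an ssh-rsa-cert-v01@openssh.com certificate regardless of the hash passed to `-t`, while the signing algorithm is reported with the Signing CA.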