[Bug 3577] New: CASignatureAlgorithms supports -cert algorithms

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jun 6 02:36:11 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3577

            Bug ID: 3577
           Summary: CASignatureAlgorithms supports -cert algorithms
           Product: Portable OpenSSH
           Version: 9.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: xspielinbox+mindrot at protonmail.com

Hello,

The CASignatureAlgorithms directive in ssh and sshd supports the
following algorithms:
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

Why are the *-cert-v01@openssh.com algorithms allowed here? This seems
wrong to me, as per the documentation intermediate certificates aren't
supported, and I don't see how this would work then.
They also aren't enabled by default.

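A small configuration lint for the situation the report describes, added here as an example (it is neither OpenSSH code nor the reporter's): it expands a CASignatureAlgorithms value the way OpenSSH's `+`, `-` and `^` prefixes work and flags any `*-cert-v01@openssh.com` entry, since a CA key is always a plain key and such an entry can never match it. The default algorithm list and the sample config fragment are assumptions of this example, not taken from the report.

```python
import fnmatch
import re

CERT_SUFFIX = "-cert-v01@openssh.com"

# Assumed OpenSSH 9.3 default; check ssh_config(5)/sshd_config(5) for your version.
DEFAULT_CA_SIG_ALGS = [
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
    "rsa-sha2-512", "rsa-sha2-256",
]


def effective_ca_sig_algs(value, default=DEFAULT_CA_SIG_ALGS):
    """Expand a CASignatureAlgorithms value as OpenSSH does: a leading '+' appends
    to the default list, '-' removes matching entries (wildcards allowed),
    '^' prepends, and anything else replaces the default list outright."""
    value = value.strip()
    if value.startswith("+"):
        return default + [a for a in value[1:].split(",") if a]
    if value.startswith("-"):
        pats = value[1:].split(",")
        return [a for a in default if not any(fnmatch.fnmatchcase(a, p) for p in pats)]
    if value.startswith("^"):
        return [a for a in value[1:].split(",") if a] + default
    return [a for a in value.split(",") if a]


def cert_algs(algs):
    """Return the entries that name certificate types rather than plain CA key types."""
    return [a for a in algs if a.endswith(CERT_SUFFIX)]


def lint_config(text):
    """Return (line_no, message) for each CASignatureAlgorithms line whose effective
    list contains a certificate type; such entries can never match a CA key."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*CASignatureAlgorithms[\s=]+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue
        bad = cert_algs(effective_ca_sig_algs(m.group(1)))
        if bad:
            findings.append((no, "certificate types in CASignatureAlgorithms: " + ", ".join(bad)))
    return findings


# Constructed sshd_config fragment for demonstration; line 3 carries the mistake.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
CASignatureAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
TrustedUserCAKeys /etc/ssh/user_ca.pub
"""

if __name__ == "__main__":
    for line_no, msg in lint_config(SAMPLE_SSHD_CONFIG):
        print(f"line {line_no}: {msg}")
```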