[Bug 3577] New: CASignatureAlgorithms supports -cert algorithms
bugzilla-daemon at mindrot.org
Tue Jun 6 02:36:11 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3577
Bug ID: 3577
Summary: CASignatureAlgorithms supports -cert algorithms
Product: Portable OpenSSH
Version: 9.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: xspielinbox+mindrot at protonmail.com
Hello,
The CASignatureAlgorithms directive in ssh and sshd supports the
following algorithms:
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
Why are the *-cert-v01@openssh.com algorithms allowed here? This seems
wrong to me as per documentation intermediate certificates aren't
supported and I don't see how this would work then.
They also aren't enabled by default.