[Bug 3583] New: server-sig-algs reports incorrect list of algorithms
bugzilla-daemon at mindrot.org
Thu Jun 22 23:03:15 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3583
Bug ID: 3583
Summary: server-sig-algs reports incorrect list of algorithms
Product: Portable OpenSSH
Version: 8.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: aivars at gmail.com
OpenSSH server (OpenSSH_8.7p1, OpenSSL 3.0.8 7 Feb 2023) in Amazon
Linux (6.1.29-50.88.amzn2023.aarch64) reports more PK algorithms than
are actually allowed.
Modified server configuration (just one PK algorithm allowed):
PubkeyAcceptedAlgorithms rsa-sha2-256
Obtaining debug info:
ssh -vvv -i mykey.pem -o PubkeyAcceptedKeyTypes=rsa-sha2-512 ec2-user@<...IP...>
Debug output:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
Additional notes:
Note that PuTTY is unable to connect with the default connection
options if the server is configured like this, because it will always
attempt to use rsa-sha2-512, I'm guessing due to it being sent in
the server-sig-algs list.
--
You are receiving this mail because:
You are watching the assignee of the bug.
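Added example, not part of the original report or of OpenSSH: a small Python check that compares the server-sig-algs list seen in `ssh -vvv` output against the configured public-key algorithm list and returns what is advertised but not allowed. The sample inputs are constructed from the report; the function names are hypothetical, and the check assumes a global (non-Match) option holding an explicit list.

```python
import re
from fnmatch import fnmatchcase

# Constructed inputs, modelled on the report: one "ssh -vvv" debug line and
# a one-line sshd_config fragment.
SAMPLE_DEBUG = (
    "debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,"
    "sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "sk-ecdsa-sha2-nistp256@openssh.com,"
    "webauthn-sk-ecdsa-sha2-nistp256@openssh.com>\n"
)
SAMPLE_CONFIG = "PubkeyAcceptedAlgorithms rsa-sha2-256\n"

EXT_INFO = re.compile(r"kex_input_ext_info:\s*server-sig-algs=<([^>]*)>")
# PubkeyAcceptedKeyTypes is the older name of the same option.
OPTION_NAMES = ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")

def advertised_algs(debug_text):
    """Algorithms the server listed in its server-sig-algs extension."""
    m = EXT_INFO.search(debug_text)
    if not m:
        return []
    # Mail archives rewrite "@" as " at "; undo that before splitting.
    names = m.group(1).replace(" at ", "@").split(",")
    return [n.strip() for n in names if n.strip()]

def configured_patterns(config_text):
    """Patterns from the first matching option line, or None if the option is
    absent or starts with +, - or ^ (relative to defaults, not handled here)."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].replace("=", " ", 1).split()
        if len(fields) >= 2 and fields[0].lower() in OPTION_NAMES:
            value = fields[1]
            return None if value[0] in "+-^" else value.split(",")
    return None

def over_advertised(debug_text, config_text):
    """Advertised algorithms that no configured pattern permits."""
    allowed = configured_patterns(config_text)
    if allowed is None:
        return None
    return [a for a in advertised_algs(debug_text)
            if not any(fnmatchcase(a, p) for p in allowed)]

if __name__ == "__main__":
    print(over_advertised(SAMPLE_DEBUG, SAMPLE_CONFIG))
```

A non-empty result for a server configured with an explicit list is the mismatch this report describes; `None` means the option could not be evaluated as a plain list.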
More information about the openssh-bugs mailing list