no mutual signature algorithm with RSA user certs client 7.8, server 7.4

Damien Miller djm at mindrot.org
Thu Oct 11 15:06:53 AEDT 2018


On Thu, 11 Oct 2018, Adam Eijdenberg wrote:

> On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote:
> > Could you try this?
> >
> > diff --git a/sshconnect2.c b/sshconnect2.c
> > index f104408..1d2906f 100644
> > --- a/sshconnect2.c
> > +++ b/sshconnect2.c
> > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
> >          * newer (SHA2) algorithms.
> >          */
> >         if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
> > -           (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
> > +           (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
> > +           (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
> >                 /* Filter base key signature alg against our configuration */
> >                 return match_list(sshkey_ssh_name(key),
> >                     options.pubkey_key_types, NULL);
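
Review bot: The clause added to the `if` in key_sig_algorithm(), `(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))`, is not explained by the comment above it, which in the visible context only mentions the newer (SHA2) algorithms. Please extend that comment to say that RSA certificate keys fall back to the base key signature algorithm when the peer has SSH_BUG_SIGTYPE set, and why that peer behaviour requires it. The clause also tests `datafellows`, which is not reached through the `ssh` argument that the rest of the condition uses. If that is deliberate, a short remark would help the next reader. The condition now has three OR-ed parts with nested parentheses, so consider giving each part its own line with a brief comment.
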
> 
> That fixes it for me, thank you. Would you still like a copy of the
> previous failing client trace?

That fix is committed and will be in the OpenSSH 7.9 release.

Thanks for catching those two bugs in time!

-d

