sshd_config: PubkeyAcceptedKeyTypes option does not seem to have any effect
Aham Brahmasmi
aham.brahmasmi at gmx.com
Sat Apr 27 06:09:49 AEST 2019
Namaste,
Setting PubkeyAcceptedKeyTypes in the sshd_config does not seem to have
any effect on the selection of server signature algorithms
(server-sig-algs). Further, the certificate variants of the algorithms
are not selected at all.
Steps:
ON SERVER
$ cat /etc/ssh/sshd_config
...
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
...
$ doas sshd -t
$ doas sshd -T
...
pubkeyacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
...
$ doas rcctl reload sshd
ON CLIENT
$ ssh -v user@server
...
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
...
Layman analysis:
In function kex_send_ext_info in src/usr.bin/ssh/kex.c [1], there is a
comment which points to the need to filter the list of algorithms based
on the PubkeyAcceptedKeyTypes.
Further, the sshkey_alg_list function has the following signature [2]:
char *
sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
In function kex_send_ext_info, a 0 is passed for the "certs_only"
parameter in the call to sshkey_alg_list, which seems to imply that the
certificate algorithms are not to be returned by the sshkey_alg_list
function call.
/src/usr.bin/ssh/kex.c
...
static int
kex_send_ext_info(struct ssh *ssh)
{
	int r;
	char *algs;

	if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	/* XXX filter algs list by allowed pubkey/hostbased types */
	if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
	    (r = sshpkt_put_u32(ssh, 1)) != 0 ||
	    (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
	    (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
	    (r = sshpkt_send(ssh)) != 0)
		goto out;
	/* success */
	r = 0;
 out:
	free(algs);
	return r;
}
...
Dhanyavaad.
Regards,
ab
[1] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.150&content-type=text/x-cvsweb-markup
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey.c?rev=1.73&content-type=text/x-cvsweb-markup
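The following is an added example, not part of the mail above and not OpenSSH code. It models the filtering that the "XXX filter algs list by allowed pubkey/hostbased types" comment asks for, and turns it into a check a server operator can run: parse the server-sig-algs list out of `ssh -v` output and compare it with what the configured PubkeyAcceptedKeyTypes would allow. Assumptions: only the plain comma-separated form of PubkeyAcceptedKeyTypes shown in the mail is handled, with the `*` and `?` wildcards that OpenSSH's match_pattern() understands (no `+`, `-` or `^` prefixes and no `!` negation); the `ssh -v` text is a constructed sample built from the exact list the server in the mail advertised.

```python
"""Model of the server-sig-algs filtering that the XXX comment in
kex_send_ext_info() describes, plus a check that parses `ssh -v` output.
Added example; not OpenSSH code.  Only the plain comma-separated form of
PubkeyAcceptedKeyTypes with '*' and '?' wildcards is modelled (assumption:
no '+', '-' or '^' prefixes and no '!' negation)."""
import re

# Exactly the list the server in the mail advertised (from the ssh -v line).
FULL_SERVER_SIG_ALGS = (
    "ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
)

# Constructed sample of `ssh -v` output, trimmed to the lines that matter.
SAMPLE_SSH_V = (
    "debug1: SSH2_MSG_NEWKEYS received\n"
    "debug1: kex_input_ext_info: server-sig-algs=<" + FULL_SERVER_SIG_ALGS + ">\n"
    "debug1: SSH2_MSG_SERVICE_ACCEPT received\n"
)


def match_pattern(s, pat):
    """Glob match supporting only '*' and '?', the subset that OpenSSH's
    match_pattern() implements (no character classes)."""
    if not pat:
        return s == ""
    if pat[0] == "*":
        rest = pat.lstrip("*")          # consecutive stars collapse to one
        if not rest:
            return True
        return any(match_pattern(s[i:], rest) for i in range(len(s) + 1))
    if not s:
        return False
    if pat[0] in ("?", s[0]):
        return match_pattern(s[1:], pat[1:])
    return False


def filter_sig_algs(advertised, accepted_key_types):
    """Keep the advertised signature algorithms that match at least one
    pattern of a PubkeyAcceptedKeyTypes-style comma-separated list.
    The advertised order is preserved, as a filter in kex.c would keep it.
    A pattern naming a certificate type matches nothing here, because
    server-sig-algs carries only plain signature algorithm names
    (sshkey_alg_list() is called with plain_only=1 in the code quoted above)."""
    patterns = [p for p in accepted_key_types.split(",") if p]
    return [a for a in advertised.split(",")
            if a and any(match_pattern(a, p) for p in patterns)]


def parse_server_sig_algs(ssh_v_output):
    """Pull the server-sig-algs list out of `ssh -v` output.  Tolerates the
    list being wrapped across lines, as it was in the mail."""
    m = re.search(r"server-sig-algs=<([^>]*)>", ssh_v_output)
    if m is None:
        return None
    return [a for a in re.split(r"[,\s]+", m.group(1)) if a]


def audit_server_sig_algs(ssh_v_output, accepted_key_types):
    """Compare what a server advertised with what its PubkeyAcceptedKeyTypes
    would allow.  'unexpected' is what a filtered EXT_INFO would have dropped."""
    advertised = parse_server_sig_algs(ssh_v_output)
    if advertised is None:
        return None
    expected = filter_sig_algs(",".join(advertised), accepted_key_types)
    return {
        "advertised": advertised,
        "expected": expected,
        "unexpected": [a for a in advertised if a not in expected],
    }


if __name__ == "__main__":
    # The configuration from the mail: the cert pattern matches nothing and
    # only ssh-ed25519 survives the filter; everything else is "unexpected".
    cfg = "ssh-ed25519-cert-v01@openssh.com,ssh-ed25519"
    result = audit_server_sig_algs(SAMPLE_SSH_V, cfg)
    print("advertised:", ",".join(result["advertised"]))
    print("expected:  ", ",".join(result["expected"]))
    print("unexpected:", ",".join(result["unexpected"]))
```

To run it against a real host, replace SAMPLE_SSH_V with the captured output of `ssh -v user@server` and the cfg string with the `pubkeyacceptedkeytypes` line from `sshd -T`; a non-empty "unexpected" list is exactly the mismatch the mail describes, and because the check works on the client side it needs no access to the server.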