"ssh -Q key" does not list rsa-sha2 algorithms

Ethan Rahn ethan.rahn at gmail.com
Tue Jun 2 04:11:43 AEST 2020


With the upcoming deprecation of ssh-rsa I was trying to see what keys my
version of OpenSSH (7.8p1) supports. I noticed that "ssh -Q key" does not
actually list the suggested algorithms to transition to (rsa-sha2-256 and
rsa-sha2-512) even though they are supported. Looking through the code, it
looks like an issue with the arguments passed to sshkey_alg_list in ssh.c,
where it should be as below:

        case 'Q':
            cp = NULL;
            if (strcmp(optarg, "cipher") == 0)
                cp = cipher_alg_list('\n', 0);
            else if (strcmp(optarg, "cipher-auth") == 0)
                cp = cipher_alg_list('\n', 1);
            else if (strcmp(optarg, "mac") == 0)
                cp = mac_alg_list('\n');
            else if (strcmp(optarg, "kex") == 0)
                cp = kex_alg_list('\n');
            else if (strcmp(optarg, "key") == 0)
-                cp = sshkey_alg_list(0, 0, 0, '\n');
+               cp = sshkey_alg_list(0, 0, 1, '\n');
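Review bot: flipping only the third argument of sshkey_alg_list from 0 to 1 in the "key" case makes "ssh -Q key" print signature-only algorithm names (rsa-sha2-256, rsa-sha2-512) in the same list as the actual key types, so anything that scripts over that output to pick a key type (for example to feed ssh-keygen -t) will now see names that are not key types. Consider leaving the "key" query as is and adding a separate query keyword for the combined key-type-plus-signature-algorithm list, or at minimum updating the -Q description in ssh.1, which this change does not touch, so the difference between a key type and a signature algorithm stays visible to users. Also note the added line is indented differently from the removed one (the "-" line carries extra leading spaces); that is probably mail mangling, but worth checking against the file before committing.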

Is that right? I validated that the same code exists in HEAD as of this
morning. If so it should be a pretty simple bugfix I would be happy to make,
or to let someone else from the dev team make if they have a spare moment.

It's totally a minor quality-of-life issue for understanding the supported
algorithms compared to the other threads I saw about corner cases where the
rsa-sha2 family of algos is not used during negotiation, but I can
understand how this happens. The sshkey_alg_list call has the first two flags
as excluding bools (set to true to limit things), whereas the third one
is an inclusive bool (set to true to include things).

To close, love openssh, love the work the team does, just doing some minor
nitpicking :-)

Cheers,

Ethan
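The exclude-versus-include flag semantics described in the message above, as an added stand-alone model (not OpenSSH's own code, and not part of the original post). The table below is a constructed subset that carries only the fields the filtering looks at, a cert flag and a sigonly flag per name; the real keytypes[] table in sshkey.c has more columns and more entries. model_alg_list() mirrors the filtering order as I understand it: sigonly entries are skipped unless include_sigonly is set, then certs_only and plain_only each drop the entries they do not match. The four argument combinations in main() show why (0, 0, 0) omits rsa-sha2-256 and rsa-sha2-512 while (0, 0, 1) lists them.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed subset of OpenSSH's keytypes[] table (assumption: only the
 * fields the -Q filter needs are modelled). The names are real algorithm
 * identifiers; the table itself is illustrative, not the project's.
 */
struct keytype {
	const char *name;
	int cert;     /* 1 = certificate type (...-cert-v01@openssh.com) */
	int sigonly;  /* 1 = signature algorithm name, not a distinct key type */
};

static const struct keytype keytypes[] = {
	{ "ssh-ed25519",                              0, 0 },
	{ "ssh-ed25519-cert-v01@openssh.com",         1, 0 },
	{ "ecdsa-sha2-nistp256",                      0, 0 },
	{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", 1, 0 },
	{ "ssh-rsa",                                  0, 0 },
	{ "rsa-sha2-256",                             0, 1 },
	{ "rsa-sha2-512",                             0, 1 },
	{ "ssh-rsa-cert-v01@openssh.com",             1, 0 },
	{ "rsa-sha2-256-cert-v01@openssh.com",        1, 1 },
	{ "rsa-sha2-512-cert-v01@openssh.com",        1, 1 },
	{ NULL, 0, 0 }
};

/*
 * Model of sshkey_alg_list(certs_only, plain_only, include_sigonly, sep).
 * certs_only / plain_only are EXCLUDING flags: setting one drops every entry
 * that does not match. include_sigonly is an INCLUDING flag: entries marked
 * sigonly are skipped unless it is set. Writes a sep-separated list into buf
 * and returns the number of names emitted, or -1 if buf was too small.
 */
int model_alg_list(int certs_only, int plain_only, int include_sigonly,
    char sep, char *buf, size_t buflen)
{
	const struct keytype *kt;
	char sepstr[2] = { sep, '\0' };
	size_t used = 0;
	int n = 0;

	if (buflen == 0)
		return -1;
	buf[0] = '\0';
	for (kt = keytypes; kt->name != NULL; kt++) {
		if (!include_sigonly && kt->sigonly)
			continue;
		if ((certs_only && !kt->cert) || (plain_only && kt->cert))
			continue;
		if (used >= buflen)
			return -1;
		used += (size_t)snprintf(buf + used, buflen - used, "%s%s",
		    n > 0 ? sepstr : "", kt->name);
		n++;
	}
	return used >= buflen ? -1 : n;
}

/* Number of names a given flag combination yields (convenience wrapper). */
int model_alg_count(int certs_only, int plain_only, int include_sigonly)
{
	char buf[1024];

	return model_alg_list(certs_only, plain_only, include_sigonly, '\n',
	    buf, sizeof buf);
}

/* 1 if alg appears in the list produced by the given flags, else 0. */
int model_list_has(int certs_only, int plain_only, int include_sigonly,
    const char *alg)
{
	char buf[1024];
	char *p;

	if (model_alg_list(certs_only, plain_only, include_sigonly, '\n',
	    buf, sizeof buf) < 0)
		return 0;
	for (p = strtok(buf, "\n"); p != NULL; p = strtok(NULL, "\n"))
		if (strcmp(p, alg) == 0)
			return 1;
	return 0;
}

int main(void)
{
	/* The flag combinations worth comparing; labels are descriptive only. */
	static const struct { const char *label; int c, p, s; } q[] = {
		{ "(0,0,0) as shipped for -Q key",     0, 0, 0 },
		{ "(0,0,1) proposed for -Q key",       0, 0, 1 },
		{ "(1,0,0) certificate types only",    1, 0, 0 },
		{ "(0,1,1) plain types + sig-only",    0, 1, 1 },
	};
	char buf[1024];
	size_t i;

	for (i = 0; i < sizeof q / sizeof q[0]; i++) {
		int n = model_alg_list(q[i].c, q[i].p, q[i].s, ',', buf, sizeof buf);
		printf("%s: %d names: %s\n", q[i].label, n, buf);
	}
	return 0;
}
```

Running it prints one line per combination; the first line lacks rsa-sha2-256 and rsa-sha2-512 and the second includes them, which is the behaviour the message reports for "ssh -Q key" before and after the proposed change.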


More information about the openssh-unix-dev mailing list