Question about host key algorithms

Luveh Keraph 1.41421 at gmail.com
Tue Mar 3 09:13:41 AEDT 2020


My point is that OpenSSH 7.4p1 already supported rsa-sha2-256 and
rsa-sha2-512, but that information does not seem to be anywhere in the
documentation and help utilities shipped with that version, as far as I can
tell.


On Mon, Mar 2, 2020 at 2:51 PM Mark D. Baushke <mdb at juniper.net> wrote:

> Luveh Keraph <1.41421 at gmail.com> writes:
>
> > $ ssh -Q HostKeyAlgorithms
> > Unsupported query "HostKeyAlgorithms"
> > $ ssh -V
> > OpenSSH_7.4p1, OpenSSL 1.0.2u  20 Dec 2019
>
> The option was only added to OpenSSH 8.2 and OpenSSH 8.2p1.
>
> Where these changes went into ssh.c:
>
> +                       else if (strcmp(optarg, "key-sig") == 0 ||
> +                           strcasecmp(optarg, "PubkeyAcceptedKeyTypes")
> == 0 ||
> +                           strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
> +                           strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
> +                           strcasecmp(optarg,
> "HostbasedAcceptedKeyTypes") == 0)
> +                               cp = sshkey_alg_list(0, 0, 1, '\n');
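
Review bot: the call `sshkey_alg_list(0, 0, 1, '\n')` on the last added line passes three bare integer flags, so nothing in this branch says which list is being selected; a one-line comment naming the flag that is switched on would make it readable. The first test uses strcmp for "key-sig" while the four option names use strcasecmp; if that difference in case handling is intended, the same comment can say so.
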
>
> That said, after support for RFC 8308 and RFC 8332 has been added to
> any SSH, it will be able to handle rsa-sha2-256 (recommended) and maybe
> rsa-sha2-512 (optional).
>
> For OpenSSH, I think that goes back to OpenSSH 7.2p1 as it was NOT
> present in OpenSSH 7.1p2.
>
>         -- Mark
>
> >
> > On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list at eworm.de> wrote:
> >
> > > Luveh Keraph <1.41421 at gmail.com> on Mon, 2020/03/02 14:07:
> > > > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> > > > following output:
> > > >
> > > > ssh-ed25519
> > > > ssh-ed25519-cert-v01@openssh.com
> > > > ssh-rsa
> > > > ssh-dss
> > > > ecdsa-sha2-nistp256
> > > > ecdsa-sha2-nistp384
> > > > ecdsa-sha2-nistp521
> > > > ssh-rsa-cert-v01@openssh.com
> > > > ssh-dss-cert-v01@openssh.com
> > > > ecdsa-sha2-nistp256-cert-v01@openssh.com
> > > > ecdsa-sha2-nistp384-cert-v01@openssh.com
> > > > ecdsa-sha2-nistp521-cert-v01@openssh.com
> > > >
> > > > The thing is, one can invoke both client and server with
> > > > -o HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512,
> > > > and everything's OK.
> > > >
> > > > Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> > > > no option to -Q elicits them, and they are not mentioned in the OpenSSH
> > > > client and server man pages.
> > > >
> > > > Is this intentional?
> > >
> > > You should query for HostKeyAlgorithms
> > >
> > > ssh -Q HostKeyAlgorithms
> > >
> > > That list should contain rsa-sha2-256 and rsa-sha2-512.
> > > --
> > > main(a){char*c=/*    Schoene Gruesse
>  */"B?IJj;MEH"
> > > "CX:;",b;for(a/*    Best regards             my address:
> */=0;b=c[a++];)
> > > putchar(b-1/(/*    Chris            cc -ox -xc - && ./x
> > > */b/42*2-3)*42);}
> > >
>
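
Added example, not part of the thread or of OpenSSH: a POSIX shell check for whether a client accepts a given HostKeyAlgorithms name when `-Q` cannot say, as with the 7.4p1 client discussed above. `SSH_BIN` and both function names are hypothetical, and the fallback assumes `ssh -G` fails on an unknown name in `-o HostKeyAlgorithms=`.

```shell
#!/bin/sh
# Added example, not OpenSSH code. SSH_BIN and the function names are
# hypothetical; point SSH_BIN at the client you want to inspect.
SSH_BIN=${SSH_BIN:-ssh}

# Print the key algorithm names the client will list, trying the -Q
# queries named in the thread from most to least specific. Older
# clients answer 'Unsupported query "..."' and exit non-zero.
list_hostkey_algs() {
    for q in HostKeyAlgorithms key-sig key; do
        if out=$("$SSH_BIN" -Q "$q" 2>/dev/null) && [ -n "$out" ]; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# Return 0 if the client accepts algorithm $1 as a HostKeyAlgorithms
# value, non-zero otherwise.
accepts_hostkey_alg() {
    alg=$1
    # A name that -Q lists is accepted.
    if list_hostkey_algs | grep -qxF -- "$alg"; then
        return 0
    fi
    # -Q can be silent about names the client still accepts (rsa-sha2-*
    # on 7.4p1), so ask the option parser. Assumption: -G prints the
    # resolved configuration without connecting and fails on a name the
    # client does not know. -F /dev/null keeps user config out of it;
    # probe.invalid is a constructed host name that is never contacted.
    "$SSH_BIN" -G -F /dev/null -o "HostKeyAlgorithms=$alg" \
        probe.invalid >/dev/null 2>&1
}

# Usage: accepts_hostkey_alg rsa-sha2-256 && echo accepted
```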

