[PATCH 0/2] Specify signature algorithm during server hostkeys prove

Damien Miller djm at mindrot.org
Wed Nov 27 09:03:24 AEDT 2024


Thanks, these have all been committed and will be in openssh-10.0.

Thanks especially for writing the regression test.

-d

On Tue, 12 Nov 2024, maximejeanrey at gmail.com wrote:

> From: Maxime Rey <maximejeanrey at gmail.com>
> 
> Hello,
> 
> I've discovered an issue with sshd when it's configured to use the SSH agent
> alongside multiple host keys. Specifically, this problem happens during the
> hostkeys-prove-00@openssh.com request, when the server attempts to
> demonstrate ownership of the host keys by calling the agent.
> 
> The issue occurs because, while processing the hostkeys-prove-00@openssh.com
> request, sshd does not specify the signature algorithm in its call to
> the agent. As a result, when sshd attempts to verify the response, it
> encounters an error due to the missing algorithm specification.
> 
> To address this, I have made two contributions:
> 
>     1 - A modified hostkey-agent.sh regression test that reproduces the issue
>     under these conditions.
>     2 - A patch in serverloop.c to correct the error
>     by ensuring the algorithm is explicitly specified during the
>     hostkeys-prove-00@openssh.com response.
> 
> Thank you for your time and feedback.
> 
> Best regards,
> Maxime
> 
> Maxime Rey (2):
>   Add test to cover multiple server hostkeys with agent
>   Specify signature algorithm during server hostkeys prove
> 
>  regress/hostkey-agent.sh | 31 +++++++++++++++++++++++++++++++
>  serverloop.c             |  3 +++
>  2 files changed, 34 insertions(+)
> 
> -- 
> 2.47.0
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
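Added example, not code from the patch series or from OpenSSH itself: a Python sketch of the agent round trip the cover letter describes, showing why the algorithm has to reach the agent. It assumes the ssh-agent protocol framing (SSH_AGENTC_SIGN_REQUEST / SSH_AGENT_SIGN_RESPONSE and the RSA SHA-2 flag bits) and the signed-data layout for hostkeys-prove-00@openssh.com from OpenSSH's PROTOCOL file. The agent is simulated: it picks the signature type the way ssh-agent does for an RSA key (flags select rsa-sha2-*, no flags means legacy ssh-rsa) but returns a placeholder digest instead of a real RSA signature, and the session id and host key blob are constructed sample values.

```python
"""Sketch of the hostkeys-prove-00@openssh.com sign request through an agent.

Constructed example: the agent is simulated and does not do real RSA signing;
only the message framing and the signature-type check are modelled.
"""
import hashlib
import struct
from typing import Optional

# ssh-agent protocol constants (draft-miller-ssh-agent / OpenSSH authfd.h)
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Parse one SSH 'string' at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def hostkeys_prove_data(session_id: bytes, hostkey_blob: bytes) -> bytes:
    """Data the server signs for one host key (PROTOCOL, hostkeys-prove-00)."""
    return (put_string(b"hostkeys-prove-00@openssh.com")
            + put_string(session_id)
            + put_string(hostkey_blob))


def agent_flags_for_alg(alg: Optional[str]) -> int:
    """Map the signature algorithm sshd wants to agent sign-request flags.
    Only the RSA/SHA-2 names need a flag; anything else (or None) is 0."""
    return {"rsa-sha2-256": SSH_AGENT_RSA_SHA2_256,
            "rsa-sha2-512": SSH_AGENT_RSA_SHA2_512}.get(alg or "", 0)


def build_sign_request(key_blob: bytes, data: bytes, alg: Optional[str]) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST: byte type, string key, string data, uint32 flags."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
            + put_string(data) + struct.pack(">I", agent_flags_for_alg(alg)))
    return put_string(body)  # agent messages are themselves length-prefixed


def simulated_agent(request: bytes) -> bytes:
    """Stand-in for ssh-agent (assumption: RSA key). The signature type follows
    the flags exactly as ssh-agent chooses it; the signature bytes are a
    placeholder digest, not a real RSA signature."""
    body, _ = get_string(request, 0)
    assert body[0] == SSH_AGENTC_SIGN_REQUEST
    key_blob, off = get_string(body, 1)
    data, off = get_string(body, off)
    (flags,) = struct.unpack_from(">I", body, off)
    if flags & SSH_AGENT_RSA_SHA2_512:
        sigtype = b"rsa-sha2-512"
    elif flags & SSH_AGENT_RSA_SHA2_256:
        sigtype = b"rsa-sha2-256"
    else:
        sigtype = b"ssh-rsa"  # no flags: legacy SHA-1 signature type
    placeholder_sig = hashlib.sha256(key_blob + data).digest()
    sig_blob = put_string(sigtype) + put_string(placeholder_sig)
    return put_string(bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(sig_blob))


def signature_type(response: bytes) -> str:
    """Extract the algorithm name carried inside the returned signature blob."""
    body, _ = get_string(response, 0)
    assert body[0] == SSH_AGENT_SIGN_RESPONSE
    sig_blob, _ = get_string(body, 1)
    sigtype, _ = get_string(sig_blob, 0)
    return sigtype.decode()


def server_check(expected_alg: str, response: bytes) -> bool:
    """Mirror of the server side: the signature must be of the algorithm sshd
    is about to verify it as, otherwise verification of the proof fails."""
    return signature_type(response) == expected_alg


def prove(alg: str, specify_alg: bool) -> bool:
    """Run one proof for a constructed RSA host key; returns whether it verifies."""
    session_id = hashlib.sha256(b"constructed session id").digest()
    # constructed ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n
    rsa_hostkey_blob = (put_string(b"ssh-rsa") + put_string(b"\x01\x00\x01")
                        + put_string(b"\x00" + b"\x42" * 32))
    data = hostkeys_prove_data(session_id, rsa_hostkey_blob)
    req = build_sign_request(rsa_hostkey_blob, data, alg if specify_alg else None)
    return server_check(alg, simulated_agent(req))


if __name__ == "__main__":
    print("algorithm omitted: ", prove("rsa-sha2-512", specify_alg=False))
    print("algorithm specified:", prove("rsa-sha2-512", specify_alg=True))
```

With the algorithm omitted the flags field is zero, the agent answers with an ssh-rsa signature, and the server-side comparison against the algorithm it meant to use fails; passing the algorithm through sets the matching flag and the proof verifies. Non-RSA key types carry no flag either way, which is why the problem only surfaces for RSA host keys served from an agent.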

