no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Damien Miller
djm at mindrot.org
Thu Oct 11 10:41:16 AEDT 2018
On Wed, 10 Oct 2018, Adam Eijdenberg wrote:
> Hi,
>
> One of our users who is running an OS (I think it's the latest beta
> macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is
> unable to use our user SSH RSA certificates to authenticate to our
> servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan
> 2017").
>
> We see this error on the client side:
>
> debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> ...
> debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
> debug1: send_pubkey_test: no mutual signature algorithm
That looks like a bug:
diff --git a/sshkey.c b/sshkey.c
index f7c09fb..e602987 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -109,9 +109,9 @@ static const struct keytype keytypes[] = {
{ "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT", NULL,
KEY_RSA_CERT, 0, 1, 0 },
{ "rsa-sha2-256-cert-v01 at openssh.com", "RSA-CERT",
- "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
+ "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
{ "rsa-sha2-512-cert-v01 at openssh.com", "RSA-CERT",
- "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
+ "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
{ "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", NULL,
KEY_DSA_CERT, 0, 1, 0 },
{ "ecdsa-sha2-nistp256-cert-v01 at openssh.com", "ECDSA-CERT", NULL,
More information about the openssh-unix-dev
mailing list