no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Adam Eijdenberg
adam at continusec.com
Thu Oct 11 11:44:22 AEDT 2018
On Thu, Oct 11, 2018 at 10:41 AM Damien Miller <djm at mindrot.org> wrote:
> On Wed, 10 Oct 2018, Adam Eijdenberg wrote:
> > We see this error on the client side:
> >
> > debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> > ...
> > debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
> > debug1: send_pubkey_test: no mutual signature algorithm
>
> That looks like a bug:
>
> diff --git a/sshkey.c b/sshkey.c
> index f7c09fb..e602987 100644
> --- a/sshkey.c
> +++ b/sshkey.c
> @@ -109,9 +109,9 @@ static const struct keytype keytypes[] = {
> { "ssh-rsa-cert-v01 at openssh.com", "RSA-CERT", NULL,
> KEY_RSA_CERT, 0, 1, 0 },
> { "rsa-sha2-256-cert-v01 at openssh.com", "RSA-CERT",
> - "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
> + "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
> { "rsa-sha2-512-cert-v01 at openssh.com", "RSA-CERT",
> - "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
> + "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
> { "ssh-dss-cert-v01 at openssh.com", "DSA-CERT", NULL,
> KEY_DSA_CERT, 0, 1, 0 },
> { "ecdsa-sha2-nistp256-cert-v01 at openssh.com", "ECDSA-CERT", NULL,
Thanks for looking into. I wasn't able to get the patch to apply
cleanly to the portable source for whatever reason, so I manually made
the changes and got a little further. I now get past the "no mutual
signature algorithm" client message, and get an error on the server
side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017):
userauth_pubkey: unsupported public key algorithm:
rsa-sha2-512-cert-v01 at openssh.com [preauth]
Along the way I noticed that there seems to be duplicated entries in
the keytypes[] array - is this intentional? ie the following 2
contiguous sections appear to be identical. I ended up changing both
on my client to remove the "ssh-" prefix:
https://github.com/openssh/openssh-portable/blob/V_7_8_P1/sshkey.c#L116-L123
https://github.com/openssh/openssh-portable/blob/V_7_8_P1/sshkey.c#L124-L131
More information about the openssh-unix-dev
mailing list