no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Damien Miller
djm at mindrot.org
Thu Oct 11 15:06:53 AEDT 2018
On Thu, 11 Oct 2018, Adam Eijdenberg wrote:
> On Thu, Oct 11, 2018 at 12:13 PM Damien Miller <djm at mindrot.org> wrote:
> > Could you try this?
> >
> > diff --git a/sshconnect2.c b/sshconnect2.c
> > index f104408..1d2906f 100644
> > --- a/sshconnect2.c
> > +++ b/sshconnect2.c
> > @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
> > * newer (SHA2) algorithms.
> > */
> > if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
> > - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
> > + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
> > + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
> > /* Filter base key signature alg against our configuration */
> > return match_list(sshkey_ssh_name(key),
> > options.pubkey_key_types, NULL);
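Review bot: The new third clause of the condition, `(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))`, is not covered by the comment directly above it, which only speaks of the newer (SHA2) algorithms. Extend that comment to say that RSA certificate keys take the base-algorithm path when the peer is flagged with SSH_BUG_SIGTYPE. Otherwise a later reader cannot tell why an RSA cert is sent to the `match_list(sshkey_ssh_name(key), ...)` fallback even though `server_sig_algs` is non-NULL. The plain KEY_RSA case is not gated on the flag here, so it is also worth stating in the comment whether that asymmetry is intended.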
>
> That fixes it for me, thank you. Would you still like a copy of the
> previous failing client trace?
That fix is committed and will be in the OpenSSH 7.9 release.
Thanks for catching those two bugs in time!
-d