OpenSSH forcing the signature to SHA1.

Renjith D renjithd at gmail.com
Mon Jun 10 04:24:05 AEST 2019


Hello folks,

I am new here, so please be gentle :), and any help will be appreciated.

Essentially, what I am trying to do is use JSch (the Java
implementation of an SSH client). It has support for public key based
authentication.
Since there is a requirement for FIPS enablement, we are trying to use the
algorithm SHA256withRSA instead of SHA1withRSA.
When the code tries to verify the signature of the public key of the server
using this algorithm, it is throwing an exception
ObjectIdentifier mismatch: 1.3.14.3.2.26. (which is the OID of SHA1). So my
understanding is the server is forcing the signature to be SHA1.
I did try to use the parameter
PubkeyAcceptedKeyTypes ssh-ed25519*,ecdsa-sha2*,rsa-sha2-*,ssh-rsa
But that does not help.

Also, with the same SHA256withRSA algorithm, when the code signs the data and
sends it to the server, it results in a signature unverified error.
debug3: mm_answer_keyverify: publickey 0x56471045da10 signature unverified

Things work fine for ECDSA keypair with sha256. I am able to successfully
connect using this keypair.

My understanding was that, as of 7.2, support for SHA256 with RSA was there
(https://www.openssh.com/txt/release-7.2).

Are there any options which I am not aware of?
At the moment I am using openssh-7.9p1-233.1.x86_64 on SLES12.

Thanks a lot for the help.

Regards
Renjith
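
Added example, not part of the original post and not JSch or OpenSSH code: an SSH RSA signature blob carries its own algorithm name (ssh-rsa, rsa-sha2-256 or rsa-sha2-512, per RFC 8332) while the key type stays ssh-rsa, so a verifier has to take the hash from the blob. The sketch below builds an ssh-rsa (SHA-1) blob with a constructed test key and verifies it first with the hash the blob names, then with SHA256withRSA forced. The class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

// Added example; class, method and variable names are hypothetical.
public class SshRsaSigAlgDemo {
    // RFC 8332 signature algorithm name -> JCA signature algorithm
    static final Map<String, String> JCA = Map.of(
        "ssh-rsa", "SHA1withRSA", "rsa-sha2-256", "SHA256withRSA", "rsa-sha2-512", "SHA512withRSA");

    // Read one SSH "string": uint32 big-endian length, then that many bytes
    static byte[] readString(ByteBuffer buf) throws SignatureException {
        int n = buf.remaining() < 4 ? -1 : buf.getInt();
        if (n < 0 || n > buf.remaining()) throw new SignatureException("bad length field");
        byte[] out = new byte[n];
        buf.get(out);
        return out;
    }

    // Verify with the hash named inside the blob; a non-null forcedAlg overrides it
    static boolean verify(PublicKey key, byte[] data, byte[] blob, String forcedAlg)
            throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        String name = new String(readString(buf), StandardCharsets.US_ASCII);
        byte[] raw = readString(buf);
        String jca = forcedAlg != null ? forcedAlg : JCA.get(name);
        if (jca == null) throw new SignatureException("unsupported signature algorithm: " + name);
        Signature sig = Signature.getInstance(jca);
        sig.initVerify(key);
        sig.update(data);
        try { return sig.verify(raw); }
        catch (SignatureException e) { return false; } // some JDKs throw on a DigestInfo OID mismatch
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // constructed test key
        byte[] data = "constructed exchange hash".getBytes(StandardCharsets.US_ASCII);
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        byte[] name = "ssh-rsa".getBytes(StandardCharsets.US_ASCII), raw = s.sign();
        byte[] blob = ByteBuffer.allocate(8 + name.length + raw.length)
            .putInt(name.length).put(name).putInt(raw.length).put(raw).array();
        System.out.println("hash taken from blob: " + verify(kp.getPublic(), data, blob, null));
        System.out.println("forced SHA256withRSA: " + verify(kp.getPublic(), data, blob, "SHA256withRSA"));
    }
}
```

Printing the algorithm name from a captured signature blob before verifying it shows which hash the peer actually used.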