[PATCH] Specify signature algorithm during server hostkeys prove
Damien Miller
djm at mindrot.org
Tue Oct 29 10:58:53 AEDT 2024
On Mon, 28 Oct 2024, Maxime Rey wrote:
>
> Hello,
>
> I've found that when using the ssh agent and sshd together, there is an issue
> when using multiple host keys. Specifically, after the key exchange phase,
> when a client requests proof of ownership for the host keys via the
> "hostkeys-prove-00 at openssh.com" request, the server prepares the response
> without specifying the signature algorithm in case of non-RSA keys.
>
> This leads to "SSH_ERR_INVALID_ARGUMENT" when verifying the signature in:
>
> openssh-portable/authfd.c line
> if ((r = sshkey_check_sigtype(sig, len, alg)) != 0)
>
> To resolve this, I explicitly set the signature
> algorithm, ensuring proper verification for all key types.
>
> I would appreciate any feedback or suggestions regarding this issue.
Hi,
I'm having trouble replicating this failure by making changes to the
existing hostkey-agent.sh regress test.
Can you share a bit more about how it happens? Debug traces from the
client and server would be very helpful.
Thanks,
Damien Miller