Is it possible to disable (SHA2 signature) extension?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hello all,
the extension negotiation draft (not only) for SHA2 signature
algorithms is certainly a good thing, but the result of this
negotiation affects also the behavior of the ssh-agent protocol, where
is no negotitation of the extension and when it is negotiated between
server and client, it is used unconditionally.

To get to the core, the problem is with third-party tools talking ssh-
agent protocol, which do not implement this extension and ignores
additional flags (which is certainly a bug in the agent, but the ssh-
agent draft does not say what to do with unknown flags -- shouldn't the
draft handle this case explicitly?). We already  discussed similar
issue with host keys, but a transparent fallback to non-sha2 algorithms
does not look like a good idea from security point of view.

The only sensible solution around this seems implementing some
configuration that would (dis)allow a selection of negotiated
extensions (in client or/and server) or just a switch to enable/disable
it altogether for a compatibility with older systems.

What do you think? Would it be useful?

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux