Hello, as a follow-up on my mail some time last month where we were facing weird issues when authenticating to new OpenSSH servers, I went down the road to investigate what is really going on there and I found out that even though all the logs in client and server happily say that the SHA2 extension is used, under the hood there is just SHA1. This is because the different agents are ignoring the flags passed with the signature request. This can be simply reproduced with the following patch, which dumps the actual hash algorithm used in the signature itself: https://gist.github.com/Jakuje/b1f7161d89472c4b6a3e2024675b0b46 The issue can be simply reproduced by running ssh-agent from gnome- keyring (pageant or others should do the same) and connect to the server with the above patch. In the server log, we can notice the following messages (where hash_alg=1 is SSH_DIGEST_SHA1): debug1: Verifying signature with ktype=ssh-rsa and hash_alg=1 debug2: userauth_pubkey: authenticated 1 pkalg rsa-sha2-512 So even though all the current messages say that sha2 is used, something else is going on here. Nor client nor server is verifying that the signature itself is done using the requested algorithm. So how to get around that? The most robust solution would be to use ssh-agent extension protocol to negotiate these extensions also with the agent. The downside of this is that current implementations do not know the extension messages and fail if I remember well the gnome-keyring behavior. This would allow us to know what signature will be used in advance. Other thing should be checking what signature we got from agent and if it is not the one we requested, downgrade the algorithm in the authentication packet to reflect the reality (or fail some way?). Similar thing should be done also on the server, where the verification also does not compare authentication header algorithm and the algorithm in the signature itself. Is it intentional or did I miss something in my write-up? This can be considered as a security issue, because all the logs say that stronger algorithm is used even if it is not true. Regards, -- Jakub Jelen Software Engineer Security Technologies Red Hat, Inc. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev