On Fri, 23 Mar 2018, Peter Moody wrote:

> > Live testing on suitable non-production systems is also appreciated.
> > Please send reports of success or failure to
> > openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> > directly to openssh@xxxxxxxxxxx.
>
> I've got one weird case.
>
> Doing pubkey auth with certificates, if I have both the key and cert
> loaded in my agent, I see:
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519)
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
>
> pmoody@host:~$
>
> but if I only have the certificate, I see:
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
> warning: agent returned different signature type ssh-ed25519 (expected
> ssh-ed25519-cert-v01@xxxxxxxxxxx)

Looks like a false positive from the warning code I added recently.
Please try this:

diff --git a/sshconnect2.c b/sshconnect2.c
index bf0b729..49eb205 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1006,6 +1006,8 @@ check_sigtype(const struct sshkey *key, const u_char *sig, size_t len)
 	char *sigtype = NULL;
 	const char *alg = key_sign_encode(key);
 
+	if (sshkey_is_cert(key))
+		return 0;
 	if ((r = sshkey_sigtype(sig, len, &sigtype)) != 0)
 		return r;
 	if (strcmp(sigtype, alg) != 0) {

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
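Review bot: the early return on `sshkey_is_cert(key)` switches the signature-type check off for every certificate key rather than correcting what the check expects; the report shows the agent signing a certificate with the base algorithm (`ssh-ed25519`) while `key_sign_encode(key)` yields the certificate name (`ssh-ed25519-cert-v01@...`), so comparing `sigtype` against the certificate's base key algorithm would clear the false positive while still warning when an agent returns an unrelated signature type for a certificate. A one-line comment on why certificates take this path would also help the next reader of `check_sigtype`.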
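To make the mismatch in the report concrete, the following is an added example and not code from OpenSSH or from the patch above. It models the client-side comparison in a form that keeps the check for certificate keys: the expected signature type is derived from the certificate's base algorithm (the text before the `-cert-` marker) rather than the certificate's own name, so a signature of type `ssh-ed25519` over an `ssh-ed25519-cert-...` key passes while an unrelated type still triggers the warning. The function names `base_sigtype` and `check_sigtype` and the `@example.invalid` domain are this example's own assumptions; the real certificate type names end in a vendor domain that is elided on the page, and real OpenSSH maps key types to signature names through its own tables, which this example does not reproduce.

```c
#include <stdio.h>
#include <string.h>

/* Certificate algorithm names look like "<base>-cert-v01@<domain>".
 * The base algorithm is everything before this marker. */
#define CERT_MARKER "-cert-"

/* Copy the base (non-certificate) algorithm of keyalg into buf.
 *   "ssh-ed25519-cert-v01@example.invalid" -> "ssh-ed25519"
 *   "ssh-ed25519"                          -> "ssh-ed25519" (unchanged)
 * Returns 0 on success, -1 if buf cannot hold the result. */
int
base_sigtype(const char *keyalg, char *buf, size_t buflen)
{
	const char *p = strstr(keyalg, CERT_MARKER);
	size_t n = (p != NULL) ? (size_t)(p - keyalg) : strlen(keyalg);

	if (n + 1 > buflen)
		return -1;
	memcpy(buf, keyalg, n);
	buf[n] = '\0';
	return 0;
}

/* Compare the signature type the agent returned against what the key
 * should produce. Certificate keys are checked against their base
 * algorithm instead of being exempted from the check altogether.
 * Returns 0 when the signature type is acceptable, -1 otherwise. */
int
check_sigtype(const char *keyalg, const char *sigtype)
{
	char expected[128];

	if (base_sigtype(keyalg, expected, sizeof(expected)) != 0)
		return -1;
	if (strcmp(sigtype, expected) != 0) {
		fprintf(stderr,
		    "warning: agent returned different signature type %s "
		    "(expected %s)\n", sigtype, expected);
		return -1;
	}
	return 0;
}

int
main(void)
{
	/* Constructed inputs mirroring the two situations in the report:
	 * a certificate signed with its base algorithm (should be accepted)
	 * and a plain key whose agent answers with an unrelated type
	 * (should still warn). */
	const char *cert = "ssh-ed25519-cert-v01@example.invalid";

	printf("cert key, ed25519 signature: %d\n",
	    check_sigtype(cert, "ssh-ed25519"));
	printf("plain key, rsa signature:    %d\n",
	    check_sigtype("ssh-ed25519", "ssh-rsa"));
	return 0;
}
```

The first call returns 0 (no warning) and the second returns -1 with the warning printed, which is the behaviour a client wants: the certificate case from the report no longer warns, but an agent that signs with the wrong algorithm for the key is still detected.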