On Wed, 10 Oct 2018, Adam Eijdenberg wrote:

> Hi,
>
> One of our users who is running an OS (I think it's the latest beta
> macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is
> unable to use our user SSH RSA certificates to authenticate to our
> servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan
> 2017").
>
> We see this error on the client side:
>
> debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> ...
> debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
> debug1: send_pubkey_test: no mutual signature algorithm

That looks like a bug:

diff --git a/sshkey.c b/sshkey.c index f7c09fb..e602987 100644 --- a/sshkey.c +++ b/sshkey.c @@ -109,9 +109,9 @@ static const struct keytype keytypes[] = { { "ssh-rsa-cert-v01@xxxxxxxxxxx", "RSA-CERT", NULL, KEY_RSA_CERT, 0, 1, 0 }, { "rsa-sha2-256-cert-v01@xxxxxxxxxxx", "RSA-CERT", - "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, + "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, { "rsa-sha2-512-cert-v01@xxxxxxxxxxx", "RSA-CERT", - "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, + "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, { "ssh-dss-cert-v01@xxxxxxxxxxx", "DSA-CERT", NULL, KEY_DSA_CERT, 0, 1, 0 }, { "ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx", "ECDSA-CERT", NULL,

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
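
Review bot: nothing in the sshkey.c hunk guards the third field of the rsa-sha2-256-cert-v01 and rsa-sha2-512-cert-v01 rows of keytypes[] against drifting from the names a server advertises (server-sig-algs=<rsa-sha2-256,rsa-sha2-512> in the quoted debug output), so the same kind of typo can return silently. Please add a regression test that authenticates with an RSA certificate against a server sending that server-sig-algs list, and a short comment on the field stating that it must hold the plain signature algorithm name exactly as it appears there. It would also help if the commit message quoted the symptom, "send_pubkey_test: no mutual signature algorithm", so the fix can be found from the client debug output.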