On Thu, 11 Oct 2018, Damien Miller wrote:

> On Thu, 11 Oct 2018, Adam Eijdenberg wrote:
>
> > Thanks for looking into. I wasn't able to get the patch to apply
> > cleanly to the portable source for whatever reason, so I manually made
> > the changes and got a little further. I now get past the "no mutual
> > signature algorithm" client message, and get an error on the server
> > side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017):
> >
> > userauth_pubkey: unsupported public key algorithm:
> > rsa-sha2-512-cert-v01@xxxxxxxxxxx [preauth]
>
> Could you send me a debug trace from the client for this? We shouldn't
> send this algorithm name unless the server supports it.

Could you try this?

diff --git a/sshconnect2.c b/sshconnect2.c index f104408..1d2906f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) * newer (SHA2) algorithms. */ if (ssh == NULL || ssh->kex->server_sig_algs == NULL || - (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) { + (key->type != KEY_RSA && key->type != KEY_RSA_CERT) || + (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) { /* Filter base key signature alg against our configuration */ return match_list(sshkey_ssh_name(key), options.pubkey_key_types, NULL);
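
Review bot: the added clause `(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))` carries no explanation, and the comment that ends just above the `if` is left unchanged. A short note there saying that peers flagged SSH_BUG_SIGTYPE fall through to the base key signature algorithm for certificate keys, and why the exclusion covers KEY_RSA_CERT but not plain KEY_RSA, would let a later reader check the intent against the condition. The clause also reads `datafellows` as a bare name while the function already takes `struct ssh *ssh` and tests `ssh == NULL` first; it is worth confirming that the flag value consulted here belongs to the same connection as `ssh->kex->server_sig_algs`.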