Re: no mutual signature algorithm with RSA user certs client 7.8, server 7.4

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, 11 Oct 2018, Damien Miller wrote:

> On Thu, 11 Oct 2018, Adam Eijdenberg wrote:
> 
> > Thanks for looking into. I wasn't able to get the patch to apply
> > cleanly to the portable source for whatever reason, so I manually made
> > the changes and got a little further. I now get past the "no mutual
> > signature algorithm" client message, and get an error on the server
> > side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017):
> > 
> > userauth_pubkey: unsupported public key algorithm:
> > rsa-sha2-512-cert-v01@xxxxxxxxxxx [preauth]
> 
> Could you sent me a debug trace from the client for this? We shouldn't
> send this algorithm name unless the server supports it.

Could you try this?

diff --git a/sshconnect2.c b/sshconnect2.c
index f104408..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
 	 * newer (SHA2) algorithms.
 	 */
 	if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
-	    (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+	    (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+	    (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
 		/* Filter base key signature alg against our configuration */
 		return match_list(sshkey_ssh_name(key),
 		    options.pubkey_key_types, NULL);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux