On Thu, 11 Oct 2018, Damien Miller wrote:
> On Thu, 11 Oct 2018, Adam Eijdenberg wrote:
>
> > Thanks for looking into. I wasn't able to get the patch to apply
> > cleanly to the portable source for whatever reason, so I manually made
> > the changes and got a little further. I now get past the "no mutual
> > signature algorithm" client message, and get an error on the server
> > side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017):
> >
> > userauth_pubkey: unsupported public key algorithm:
> > rsa-sha2-512-cert-v01@xxxxxxxxxxx [preauth]
>
> Could you sent me a debug trace from the client for this? We shouldn't
> send this algorithm name unless the server supports it.
Could you try this?
diff --git a/sshconnect2.c b/sshconnect2.c
index f104408..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
* newer (SHA2) algorithms.
*/
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
- (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+ (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+ (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_key_types, NULL);
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
