Yegor Ievlev <koops1997@xxxxxxxxx> writes:

> e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
> are fine, they use PSS.

I suggest you re-read RFC 8332 section 5.3 as they do NOT use PSS, they use RSASSA-PKCS1-v1_5 signature padding.

| 5.3.  PKCS #1 v1.5 Padding and Signature Verification
|
|    This document prescribes RSASSA-PKCS1-v1_5 signature padding because:
|
|    (1)  RSASSA-PSS is not universally available to all implementations;
|
|    (2)  PKCS #1 v1.5 is widely supported in existing SSH
|         implementations;
|
|    (3)  PKCS #1 v1.5 is not known to be insecure for use in this scheme.
|
|    Implementers are advised that a signature with RSASSA-PKCS1-v1_5
|    padding MUST NOT be verified by applying the RSA key to the
|    signature, and then parsing the output to extract the hash.  This may
|    give an attacker opportunities to exploit flaws in the parsing and
|    vary the encoding.  Verifiers MUST instead apply RSASSA-PKCS1-v1_5
|    padding to the expected hash, then compare the encoded bytes with the
|    output of the RSA operation.

-- 
Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
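A worked illustration of the two verification styles the quoted RFC text contrasts, added here by the editor; it is not part of the thread and is not OpenSSH's code. `verify_reencode` does what RFC 8332 section 5.3 requires (build the expected RSASSA-PKCS1-v1_5 encoding of the hash and compare it byte for byte with the RSA output), and `verify_parse` does what it forbids (strip the padding from the RSA output and look for the hash inside). To show why the forbidden form is dangerous, `forge_e3` carries out the classic public-exponent-3 cube-root forgery (Bleichenbacher, 2006) that a parser ignoring bytes after the DigestInfo will accept, using only the public key. Everything below is a constructed demonstration: the 1536-bit key is generated from a fixed seed purely so the run is reproducible, e = 3 is chosen to make the forgery cheap, the sloppiness of `verify_parse` (any number of 0xff bytes, trailing bytes unchecked) is deliberate, and all function names are the editor's.

```python
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; demo-grade, used only to build the example key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng, e):
    """Random prime p with the top bit set and gcd(e, p - 1) == 1."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (c - 1) % e != 0 and _is_probable_prime(c, rng):
            return c

def generate_key(bits=1536, e=3, seed=2024):
    """Return (n, e, d).  Seeded so the demo is reproducible: not a real key."""
    rng = random.Random(seed)
    p, q = _gen_prime(bits // 2, rng, e), _gen_prime(bits // 2, rng, e)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()

def emsa_pkcs1_v15_encode(msg, k):
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || T, RFC 8017 section 9.2."""
    t = _digest_info(msg)
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def verify_reencode(msg, sig, n, e):
    """What RFC 8332 5.3 requires: encode the expected hash, compare the whole EM."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(m, emsa_pkcs1_v15_encode(msg, k))

def verify_parse(msg, sig, n, e):
    """What RFC 8332 5.3 forbids: parse the RSA output and dig out the hash.
    Deliberately sloppy (a constructed flaw for the demo): any number of
    0xff bytes is accepted and nothing after T is checked."""
    k = (n.bit_length() + 7) // 8
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if m[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and m[i] == 0xFF:
        i += 1
    if i >= k or m[i] != 0x00:
        return False
    return m[i + 1:].startswith(_digest_info(msg))  # trailing bytes ignored

def _ceil_cbrt(x):
    """Smallest s with s**3 >= x (binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if mid ** 3 < x else (lo, mid)
    return lo

def forge_e3(msg, n):
    """Public-key-only forgery accepted by verify_parse when e == 3 (the
    Bleichenbacher 2006 cube-root trick).  Put T right after a minimal PS
    and leave the rest of the block zero; the cube of the block's integer
    cube root differs from it only in those low bytes, which the lax parser
    never looks at.  With SHA-256 the modulus must be about 1472+ bits for
    the error term (below 3*s**2 + 3*s + 1) to stay inside the zero tail."""
    k = (n.bit_length() + 7) // 8
    block = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _digest_info(msg)
    target = int.from_bytes(block + b"\x00" * (k - len(block)), "big")
    return _ceil_cbrt(target).to_bytes(k, "big")

def demo(msg=b"constructed sample message"):
    """Run both verifiers on a genuine and a forged signature (constructed input)."""
    n, e, d = generate_key()
    genuine, forged = sign(msg, n, d), forge_e3(msg, n)
    return {
        "genuine": (verify_reencode(msg, genuine, n, e), verify_parse(msg, genuine, n, e)),
        "forged": (verify_reencode(msg, forged, n, e), verify_parse(msg, forged, n, e)),
    }
```

`demo()` returns `{"genuine": (True, True), "forged": (False, True)}`: both verifiers accept the real signature, but only the parsing verifier accepts the forgery. The re-encoding verifier has no parsing surface at all; there is exactly one valid byte string for a given hash and modulus size, and the comparison is done with `hmac.compare_digest` over the full block so that no prefix of it leaks through timing. The forgery needs e = 3 and a padding check that is lax in two places (padding length and trailing bytes); a shorter modulus, SHA-256's longer DigestInfo, or a parser that insists T ends the block each close it, which is why the RFC text calls the problem "flaws in the parsing" rather than a weakness of PKCS #1 v1.5 itself.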