sshd_config: PubkeyAcceptedKeyTypes option does not seem to have any effect

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 

Namaste,

Setting PubkeyAcceptedKeyTypes in the sshd_config does not seem to have
any effect on the selection of server signature algorithms
(server-sig-algs). Further, the certificate variants of the algorithms
are not selected at all.

Steps:
ON SERVER
$ cat /etc/ssh/sshd_config
...
PubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519
...
$ doas sshd -t
$ doas sshd -T
...
pubkeyAcceptedKeyTypes ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-ed25519
...
$ doas rcctl reload sshd

ON CLIENT
$ ssh -v user@server
...
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,
rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
...

Layman analysis:
In function kex_send_ext_info in src/usr.bin/ssh/kex.c [1], there is a
comment which points to the need to filter the list of algorithms based
on the PubkeyAcceptedKeyTypes.

Further, the sshkey_alg_list function has the following signature [2]:
char *
sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)

In function kex_send_ext_info, a 0 is passed for the "certs_only"
parameter in the call to sshkey_alg_list, which seems to imply that the
certificate algorithms are not to be returned by the sshkey_alg_list
function call.

/src/usr.bin/ssh/kex.c
...
static int
kex_send_ext_info(struct ssh *ssh)
{
        int r;
        char *algs;

        if ((algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
                return SSH_ERR_ALLOC_FAIL;
        /* XXX filter algs list by allowed pubkey/hostbased types */
        if ((r = sshpkt_start(ssh, SSH2_MSG_EXT_INFO)) != 0 ||
            (r = sshpkt_put_u32(ssh, 1)) != 0 ||
            (r = sshpkt_put_cstring(ssh, "server-sig-algs")) != 0 ||
            (r = sshpkt_put_cstring(ssh, algs)) != 0 ||
            (r = sshpkt_send(ssh)) != 0)
                goto out;
        /* success */
        r = 0;
 out:
        free(algs);
        return r;
}
...

Dhanyavaad.

Regards,
ab
[1] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c?rev=1.150&content-type=text/x-cvsweb-markup
[2] - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshkey.c?rev=1.73&content-type=text/x-cvsweb-markup
---------|---------|---------|---------|---------|---------|---------|--
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux