Luveh Keraph <1.41421@xxxxxxxxx> writes:

> $ ssh -Q HostKeyAlgorithms
> Unsupported query "HostKeyAlgorithms"
> $ ssh -V
> OpenSSH_7.4p1, OpenSSL 1.0.2u 20 Dec 2019

The option was only added to OpenSSH 8.2 and OpenSSH 8.2p1.

Where these changes went into ssh.c:

+ else if (strcmp(optarg, "key-sig") == 0 ||
+ strcasecmp(optarg, "PubkeyAcceptedKeyTypes") == 0 ||
+ strcasecmp(optarg, "HostKeyAlgorithms") == 0 ||
+ strcasecmp(optarg, "HostbasedKeyTypes") == 0 ||
+ strcasecmp(optarg, "HostbasedAcceptedKeyTypes") == 0)
+ cp = sshkey_alg_list(0, 0, 1, '\n');

That said, after support for RFC 8308 and RFC 8332 has been added to
any SSH, it will be able to handle rsa-sha2-256 (recommended) and maybe
rsa-sha2-512 (optional). For OpenSSH, I think that goes back to
OpenSSH 7.2p1 as it was NOT present in OpenSSH 7.1p2.

--
Mark

>
> On Mon, Mar 2, 2020 at 2:24 PM Christian Hesse <list@xxxxxxxx> wrote:
>
> > Luveh Keraph <1.41421@xxxxxxxxx> on Mon, 2020/03/02 14:07:
> > > When I do ssh -Q key, where ssh is the OpenSSH 7.4p1 client, I get the
> > > following output:
> > >
> > > ssh-ed25519
> > > ssh-ed25519-cert-v01@xxxxxxxxxxx
> > > ssh-rsa
> > > ssh-dss
> > > ecdsa-sha2-nistp256
> > > ecdsa-sha2-nistp384
> > > ecdsa-sha2-nistp521
> > > ssh-rsa-cert-v01@xxxxxxxxxxx
> > > ssh-dss-cert-v01@xxxxxxxxxxx
> > > ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx
> > > ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx
> > > ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx
> > >
> > > The thing is, one can invoke both client and server with -o
> > > HostKeyAlgorithms=rsa-sha2-256, or -o HostKeyAlgorithms=rsa-sha2-512, and
> > > everything's OK.
> > >
> > > Why is it that rsa-sha2-* are not displayed in the output above? In fact,
> > > no option to -Q elicits them, and they are not mentioned in the OpenSSH
> > > client and server man pages.
> > >
> > > Is this intentional?
> >
> > You should query for HostKeyAlgorithms
> >
> > ssh -Q HostKeyAlgorithms
> >
> > That list should contain rsa-sha2-256 and rsa-sha2-512.
> >
> > --
> > main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
> > "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
> > putchar(b-1/(/* Chris cc -ox -xc - && ./x
> > */b/42*2-3)*42);}

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
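
Review bot: in the ssh.c hunk quoted above, "key-sig" is matched with strcmp while the four option names are matched with strcasecmp, and all five resolve to the same sshkey_alg_list(0, 0, 1, '\n') call. A one-line comment above the branch stating that the option-name spellings are case-insensitive aliases for the key-sig query would make that intent explicit. The lines shown include no ssh.1 change, so the new -Q arguments should be documented there if the rest of the commit does not already do so.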
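
A way to run the check discussed in this thread against clients on either side of the 8.2 change, as an added example that is not part of the original messages or of OpenSSH. The function names and the SSH_BIN variable are assumptions made here; on clients that answer "Unsupported query", the fallback lets the client's own option parser decide by using -G, which prints the resolved configuration without connecting.

```shell
# Added example (not from the thread): does this ssh client accept a given
# HostKeyAlgorithms value? SSH_BIN and both function names are assumptions.
SSH_BIN=${SSH_BIN:-ssh}

# Print the algorithm list from `ssh -Q HostKeyAlgorithms`.
# Fails on clients that reject the query with 'Unsupported query'.
query_hostkey_algs() {
    "$SSH_BIN" -Q HostKeyAlgorithms 2>/dev/null
}

# Return 0 if the client accepts ALG as a host key algorithm, non-zero if not.
accepts_hostkey_alg() {
    alg=$1
    if list=$(query_hostkey_algs) && [ -n "$list" ]; then
        # The query is supported: require an exact, whole-line match.
        printf '%s\n' "$list" | grep -qxF -- "$alg"
        return
    fi
    # Older client: `ssh -Q key` may omit rsa-sha2-*, so ask the option
    # parser instead. An unknown algorithm makes ssh exit with an error.
    "$SSH_BIN" -o "HostKeyAlgorithms=$alg" -G localhost >/dev/null 2>&1
}
```

For example, `accepts_hostkey_alg rsa-sha2-256 && echo supported` gives the same answer on a 7.4p1 client as on one that supports the newer query.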