With the upcoming deprecation of ssh-rsa I was trying to see what keys my version of OpenSSH (7.8p1) supports. I noticed that "ssh -Q key" does not actually list the suggested algorithms to transition to (rsa-sha2-256 and rsa-sha2-512) even though they are supported.

Looking through the code, it looks like an issue with the arguments passed to sshkey_alg_list in ssh.c where it should be as below:

        case 'Q':
            cp = NULL;
            if (strcmp(optarg, "cipher") == 0)
                cp = cipher_alg_list('\n', 0);
            else if (strcmp(optarg, "cipher-auth") == 0)
                cp = cipher_alg_list('\n', 1);
            else if (strcmp(optarg, "mac") == 0)
                cp = mac_alg_list('\n');
            else if (strcmp(optarg, "kex") == 0)
                cp = kex_alg_list('\n');
            else if (strcmp(optarg, "key") == 0)
-               cp = sshkey_alg_list(0, 0, 0, '\n');
+               cp = sshkey_alg_list(0, 0, 1, '\n');

Is that right? I validated that the same code exists in HEAD as of this morning. If so it should be a pretty simple bugfix I would be happy to make or to let someone else from the dev team make if they have a spare moment.

It's totally a minor quality-of-life issue for understanding algorithms supported compared to the other threads I saw about corner cases where the rsa-sha2 family of algos is not used during negotiation, but I can understand how this happens. The sshkey_alg_list call has the first 2 flags be excluding bools (set it to true to limit things) whereas the third one is an inclusive bool (set it to true to include things).

To close, love openssh, love the work the team does, just doing some minor nitpicking :-)

Cheers,
Ethan

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
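
Review bot: the changed sshkey_alg_list call on the "+" line passes three bare 0/1 literals, and per the message the first two restrict the list while the third extends it, so what (0, 0, 1, '\n') selects is not evident at the call site. A short comment on that line naming the third argument would keep the next reader from repeating the mistake. Because this widens what an existing query prints, it is also worth deciding whether anything that parses the output of "ssh -Q key" should see rsa-sha2-256 and rsa-sha2-512 mixed into the same list, and updating the description of -Q in the ssh man page to match whichever behaviour is chosen.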