Bug 2547

Summary: ssh-ext-info: missing server signature algorithms
Product: Portable OpenSSH Reporter: Mat <mb>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED MOVED    
Severity: normal CC: djm, mb, nunojpg
Priority: P5    
Version: 7.2p1   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 2594    

Description Mat 2016-03-03 09:54:57 AEDT 
In the "server-sig-algs" extension the server sends to the client, sshd only includes the rsa signature algorithms [1]:
    (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||

However, it should include all signature algorithms (including ecdsa-sha2-*, ssh-ed25519, etc) it supports.

This is what the RFC [2] says:
    string      "server-sig-algs"

  This extension is sent by the server only, and contains a list of
  signature algorithms that the server is able to process as part of a
  "publickey" request.

You may have incorrectly assumed that there is only 1 signature algorithm for the omitted public key algorithms. For example for ECDSA private keys there are at least two known signature algorithms:
ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp256 (from rfc6187)

References:
[1] https://github.com/openssh/openssh-portable/blob/master/kex.c#L344
[2] https://tools.ietf.org/html/draft-ssh-ext-info-05#section-3.1
Comment 1 Mat 2016-03-03 10:43:04 AEDT 
Correction:
The following example is incorrect:
"You may have incorrectly assumed that there is only 1 signature algorithm for the omitted public key algorithms. For example for ECDSA private keys there are at least two known signature algorithms:
ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp256 (from rfc6187)"

Both public key formats use the same signature algorithm.
Comment 2 Damien Miller 2016-09-13 09:31:55 AEST 
Thanks - I've committed a fix for this.
Comment 3 Nuno Goncalves 2017-02-07 00:41:30 AEDT 
I believe the commit to fix this have created a regression:

OpenSSH 7.3p1:
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

OpenSSH 7.4p1:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

This former two algs, which worked, are now no longer list as supported and the client ends up using ssh-rsa.

I've tried to hardcode at least rsa-sha2-256 back again and it works on the client.
Comment 4 Nuno Goncalves 2017-02-19 03:15:19 AEDT 
Filled as new bug under #2680.
Comment 5 Damien Miller 2018-04-06 12:26:32 AEST 
Close all resolved bugs after release of OpenSSH 7.7.