Bug 2650

Summary: UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256
Product: Portable OpenSSH        Reporter: Mira Ressel <aranea>
Component: ssh                   Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: trivial                CC: djm, dtucker
Priority: P5
Version: 7.4p1
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 2647
Attachments:
Description                                                          Flags
Accept RSA keys if HostkeyAlgorithms contains rsa-sha2 key types     dtucker: ok+

Description Mira Ressel 2016-12-24 08:58:39 AEDT
The UpdateHostKeys feature is designed to only add host key fingerprints to known_hosts if the corresponding signature algorithm is allowed by the HostKeyAlgorithms setting (see client_input_hostkeys() in clientloop.c).

However, for RSA keys it only checks HostKeyAlgorithms for the presence of ssh-rsa. If HostKeyAlgorithms includes rsa-sha2-{256,512}, but not ssh-rsa, RSA keys are ignored even though they could be used for authentication.
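The mismatch the report describes, written out as an added example (constructed here, not OpenSSH's code): UpdateHostKeys receives key type names from the server, while HostKeyAlgorithms lists signature algorithm names. For ed25519 and ECDSA the two coincide, so an exact-name test happens to work; an RSA key can sign as ssh-rsa, rsa-sha2-256 or rsa-sha2-512, so checking only for the literal "ssh-rsa" drops keys the client would happily authenticate with. hostkey_accepted_buggy does the pre-fix exact-name test, hostkey_accepted_fixed maps each key type to the signature algorithms it can use and accepts the key if any of them is allowed. The function names, list_contains and the sigalg_table are assumptions of this example, and HostKeyAlgorithms is simplified to a comma-separated list of exact tokens; the real option also accepts wildcard patterns and the prefix syntax for modifying the default list, so this models the logic rather than the parser.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not OpenSSH code. HostKeyAlgorithms is modelled as a
 * plain comma-separated list of exact names; the real option also accepts
 * wildcard patterns and list-modifying prefixes, which are left out here.
 */

/* Does the comma-separated list `algos` contain exactly the token `name`?
 * Token boundaries are respected, so "rsa-sha2-2" does not match "rsa-sha2-256". */
bool list_contains(const char *algos, const char *name)
{
    size_t n = strlen(name);
    const char *p = algos;

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);

        if (len == n && strncmp(p, name, n) == 0)
            return true;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return false;
}

/* Key type name -> signature algorithm names that key type can produce.
 * An RSA key signs as ssh-rsa (SHA-1), rsa-sha2-256 or rsa-sha2-512; the
 * other types listed use their key type name as their only signature name. */
struct sigalg_map {
    const char *keytype;
    const char *sigalgs[4];
};

static const struct sigalg_map sigalg_table[] = {
    { "ssh-rsa",             { "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512", NULL } },
    { "ssh-ed25519",         { "ssh-ed25519", NULL } },
    { "ecdsa-sha2-nistp256", { "ecdsa-sha2-nistp256", NULL } },
    { "ecdsa-sha2-nistp384", { "ecdsa-sha2-nistp384", NULL } },
    { "ecdsa-sha2-nistp521", { "ecdsa-sha2-nistp521", NULL } },
};

/* Pre-fix logic as the report describes it: the key type name itself must
 * appear in HostKeyAlgorithms. Fine where the key type name doubles as the
 * only signature algorithm name; wrong for RSA. */
bool hostkey_accepted_buggy(const char *keytype, const char *hostkeyalgorithms)
{
    return list_contains(hostkeyalgorithms, keytype);
}

/* Post-fix logic: accept the key if any signature algorithm it can produce
 * is allowed. Key types not in the table are rejected. */
bool hostkey_accepted_fixed(const char *keytype, const char *hostkeyalgorithms)
{
    size_t i, j;

    for (i = 0; i < sizeof(sigalg_table) / sizeof(sigalg_table[0]); i++) {
        if (strcmp(sigalg_table[i].keytype, keytype) != 0)
            continue;
        for (j = 0; sigalg_table[i].sigalgs[j] != NULL; j++)
            if (list_contains(hostkeyalgorithms, sigalg_table[i].sigalgs[j]))
                return true;
        return false;
    }
    return false;
}

int main(void)
{
    /* Constructed configuration matching the report: SHA-2 RSA signatures
     * allowed, legacy ssh-rsa not listed. */
    const char *algos = "rsa-sha2-512,rsa-sha2-256,ssh-ed25519";
    const char *types[] = { "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256" };
    size_t i;

    for (i = 0; i < sizeof(types) / sizeof(types[0]); i++)
        printf("%-20s buggy=%d fixed=%d\n", types[i],
               hostkey_accepted_buggy(types[i], algos),
               hostkey_accepted_fixed(types[i], algos));
    return 0;
}
```

With the constructed list above, only the ssh-rsa row differs between the two checks: the buggy test rejects the RSA host key although rsa-sha2-256 and rsa-sha2-512 are both permitted, the fixed test accepts it, and both agree on ed25519 (accepted) and nistp256 (rejected, since it is not listed).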
Comment 1 Damien Miller 2017-03-10 15:32:03 AEDT
Created attachment 2961 [details]
Accept RSA keys if HostkeyAlgorithms contains rsa-sha2 key types

This patch accepts RSA keys if the HostkeyAlgorithms contains rsa-sha2-* keytypes.
Comment 2 Damien Miller 2017-03-10 16:01:29 AEDT
Patch applied. This will be in OpenSSH 7.5.
Comment 3 Damien Miller 2018-04-06 12:26:49 AEST
Close all resolved bugs after release of OpenSSH 7.7.