Bugzilla – Attachment 3476 Details for Bug 3213
openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes
[patch] Use RSA keys for OpenSSH 7.4 servers, if local policy permits
openssh-bug-sigtype-rsa-74-20210303.patch (text/plain), 2.22 KB, created by Gordon Messmer on 2021-03-04 12:49:03 AEDT

Description: Use RSA keys for OpenSSH 7.4 servers, if local policy permits
Filename: openssh-bug-sigtype-rsa-74-20210303.patch
MIME Type: text/plain
Creator: Gordon Messmer
Created: 2021-03-04 12:49:03 AEDT
Size: 2.22 KB
Flags: patch, obsolete
>diff --git a/compat.c b/compat.c >index 69befa96..1c63361a 100644 >--- a/compat.c >+++ b/compat.c >@@ -63,11 +63,12 @@ compat_banner(struct ssh *ssh, const char *version) > { "OpenSSH_6.5*," > "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD| > SSH_BUG_SIGTYPE}, >+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE| >+ SSH_BUG_SIGTYPE74}, > { "OpenSSH_7.0*," > "OpenSSH_7.1*," > "OpenSSH_7.2*," > "OpenSSH_7.3*," >- "OpenSSH_7.4*," > "OpenSSH_7.5*," > "OpenSSH_7.6*," > "OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE}, >diff --git a/compat.h b/compat.h >index c197fafc..699ee3c6 100644 >--- a/compat.h >+++ b/compat.h >@@ -29,7 +29,7 @@ > > #define SSH_BUG_UTF8TTYMODE 0x00000001 > #define SSH_BUG_SIGTYPE 0x00000002 >-/* #define unused 0x00000004 */ >+#define SSH_BUG_SIGTYPE74 0x00000004 > /* #define unused 0x00000008 */ > #define SSH_OLD_SESSIONID 0x00000010 > /* #define unused 0x00000020 */ >diff --git a/sshconnect2.c b/sshconnect2.c >index 059c9480..13eb8de1 100644 >--- a/sshconnect2.c >+++ b/sshconnect2.c 
>@@ -1164,6 +1164,33 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, struct ssh *ssh) > return r; > } > >+/* >+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its >+ * support. For that release, check the local policy against the >+ * SHA2 signature types. >+ */ >+static char * >+key_sig_algorithm_compat(struct ssh *ssh, const struct sshkey *key) >+{ >+ char *allowed, *oallowed, *cp, *tmp, *alg = NULL; >+ if ((key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) { >+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos); >+ while ((cp = strsep(&allowed, ",")) != NULL) { >+ if (sshkey_type_from_name(cp) != key->type) >+ continue; >+ tmp = match_list(sshkey_sigalg_by_name(cp), >+ "rsa-sha2-256,rsa-sha2-512", NULL); >+ if (tmp != NULL) >+ alg = xstrdup(cp); >+ free(tmp); >+ if (alg != NULL) >+ break; >+ } >+ free(oallowed); >+ } >+ return alg; >+} >+ > /* > * Select an algorithm for publickey signatures. > * Returns algorithm (caller must free) or NULL if no mutual algorithm found. >@@ -1208,6 +1235,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key) > break; > } > free(oallowed); >+ if (alg == NULL) >+ alg = key_sig_algorithm_compat(ssh, key); > return alg; > } >
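Review bot: in the compat.c hunk, "OpenSSH_7.4*" is pulled out of the shared 7.0-7.7 entry and given its own entry above that group; if the table is matched first-match, the new entry must stay above the grouped one or SSH_BUG_SIGTYPE74 will never be set for 7.4. A one-line comment over the new entry stating why 7.4 is singled out (it accepts rsa-sha2-* signatures but does not advertise them) would keep that ordering from being undone later.

Review bot: in the compat.h hunk, SSH_BUG_SIGTYPE74 takes the unused 0x00000004 bit without any comment; since this flag encodes a quirk of a single release rather than a protocol bug, a short comment next to the define, mirroring the block comment added in sshconnect2.c, would stop the bit being misread or reused.

Review bot: in the new key_sig_algorithm_compat() in sshconnect2.c, the outer `if` has a redundant pair of parentheses, and the loop duplicates most of key_sig_algorithm() with the only difference being that the hard-coded "rsa-sha2-256,rsa-sha2-512" list stands in for the server-advertised algorithm list; consider feeding that list into the existing loop when SSH_BUG_SIGTYPE74 is set instead of maintaining two copies. The `tmp` result is only used as a yes/no, so freeing it inside the `if (tmp != NULL)` branch and breaking there would let the trailing `free(tmp); if (alg != NULL) break;` pair go. Worth stating in the comment: because the fallback only ever selects rsa-sha2-256 or rsa-sha2-512 from the user's own PubkeyAcceptedKeyTypes list, it never reintroduces SHA-1 ssh-rsa signatures and so does not weaken local policy.

Review bot: at the call site in key_sig_algorithm(), the fallback runs only after normal negotiation returns NULL and is itself a no-op unless SSH_BUG_SIGTYPE74 is set, so other servers are unaffected; a brief comment naming the 7.4 case at the call would make that clear to the next reader.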