Bug 2867

Summary: No HostKeyAlgorithm is offered by sshd if "rsa-sha2-512" algorithm is forced.
Product: Portable OpenSSH Reporter: Xavier Garriga <xavier.garriga>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: djm
Priority: P5    
Version: 7.7p1   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2852    

Description Xavier Garriga 2018-05-17 01:47:33 AEST 
If 'rsa-sha2-512' Host Key Algorithm is the only algorithm in sshd_coonfig or sshd is forced to start using only 'rsa-sha2-512' as Host Key Algorithm no algorithm is offered to client during negotiation.

Start server with:
sshd -oHostKeyAlgorithms="rsa-sha2-512"

When client tries to connect no HostKeyAlgorithm is offered.

debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: 
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr

and connection is not established.

Same problem with "rsa-sha2-256".
Comment 1 Damien Miller 2018-05-25 13:40:46 AEST 
There's a fix for this in the patch at https://bugzilla.mindrot.org/show_bug.cgi?id=2799
Comment 2 Damien Miller 2018-07-04 23:57:48 AEST 
This was fixed by the following commit and will be in OpenSSH 7.8:


commit 4ba0d54794814ec0de1ec87987d0c3b89379b436
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Tue Jul 3 11:39:54 2018 +0000

    upstream: Improve strictness and control over RSA-SHA2 signature
    
    In ssh, when an agent fails to return a RSA-SHA2 signature when
    requested and falls back to RSA-SHA1 instead, retry the signature to
    ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
    matches the one in the signature itself.
    
    In sshd, strictly enforce that the public key algorithm sent in the
    SSH_MSG_USERAUTH message matches what appears in the signature.
    
    Make the sshd_config PubkeyAcceptedKeyTypes and
    HostbasedAcceptedKeyTypes options control accepted signature algorithms
    (previously they selected supported key types). This allows these
    options to ban RSA-SHA1 in favour of RSA-SHA2.
    
    Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
    "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
    with certificate keys.
    
    feedback and ok markus@
    
    OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
Comment 3 Damien Miller 2018-10-19 17:17:25 AEDT 
Close RESOLVED bugs with the release of openssh-8.0