Bug 2959

Summary: Disabling just rsa-sha2-512 breaks public key authentication
Product: Portable OpenSSH Reporter: Pierre Ossman <ossman>
Component: MiscellaneousAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: enhancement CC: djm
Priority: P5    
Version: 7.9p1   
Hardware: Other   
OS: Linux   

Description Pierre Ossman 2019-01-23 21:43:43 AEDT 
Put this in sshd_config:

> PubkeyAcceptedKeyTypes -rsa-sha2-512

And any client supporting it will fail to authenticate rather than using rsa-sha2-256 or ssh-rsa.

You also get this somewhat misleading log entry:

> Jan 23 11:38:10 ossman.lkpg.cendio.se sshd[26633]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

The problem is that the client looks at the supported algorithms reported during the key exchange. That list is not filtered in any way. So the server reports it supports rsa-sha2-512. The client trusts the server and uses rsa-sha2-512. The server then promptly rejects it and the client doesn't try any other algo.


My use case was just testing, but there might be more realistic scenarios where it can cause problems.
Comment 1 Damien Miller 2019-02-18 13:40:19 AEDT 
AFAIK there's no way in the protocol to handle this. The server can signal what public key algorithms it supports to the client, but that list is shared between both publickey and hostbased authentication methods.

A potential workaround might be to take the union of the enabled signature algorithms for both and send that, but unfortunately we don't know which methods are enabled until too late because of the Match directive in sshd_config - they are evaluated after the supported-sig-algs message is sent...