Bug 2506 - CA-signed keys broken
Summary: CA-signed keys broken
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.1p1
Hardware: All Linux
Importance: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-26 05:40 AEDT by John Runyon
Modified: 2016-08-02 10:41 AEST
CC: 1 user

See Also:


Attachments
ssh -vvv output (5.50 KB, text/plain)
2015-11-26 05:40 AEDT, John Runyon

Description John Runyon 2015-11-26 05:40:51 AEDT
Created attachment 2757
ssh -vvv output

After upgrading from 6.9 to 7.1, CA-signed keys are broken. ssh fails to verify a CA-signed host key and fails to load/use a CA-signed user key. Attached output of ssh -vvv. Note particularly lines 9-10, 68-71.
Comment 1 Damien Miller 2015-11-28 11:24:04 AEDT
The server in question is offering the legacy certificate format that was removed in OpenSSH 7.0.

> debug2: kex_parse_kexinit: ssh-rsa,ssh-rsa-cert-v00@openssh.com,ssh-dss

The legacy keys haven't been the default since OpenSSH 5.6.

The remote version (OpenSSH 6.0) supports the current cert format fine, so regenerating your certificates should get you working.
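The diagnosis in Comment 1, as an added example that is not part of the bug report or of OpenSSH: a bash script that tells the removed v00 certificate format from the current v01 format both in a certificate file and in the peer's KEXINIT offer as it appears in `ssh -vvv` output, and re-signs a key with `ssh-keygen` so the certificate is regenerated in the current format. The key paths, key identity and principals passed to `regenerate_cert` are placeholders; the sample certificate lines and the second KEXINIT line are constructed for the example, while the first KEXINIT line is the one quoted in Comment 1.

```shell
#!/usr/bin/env bash
# Added example for this bug: not code from the bug report or from OpenSSH.
# It (1) classifies an OpenSSH certificate line as the removed v00 format or
# the current v01 format, (2) scans `ssh -vvv` output for a peer KEXINIT that
# offers only v00 certificates, and (3) re-signs a key with ssh-keygen so the
# certificate is produced in the current format, which is the fix Comment 1
# recommends. File paths passed to regenerate_cert are placeholders.
set -eu

# Print "v00", "v01" or "none" for one line of an OpenSSH *-cert.pub file.
# The key type is the first whitespace-separated field.
cert_format() {
  local keytype=${1%%[[:space:]]*}
  case "$keytype" in
    *-cert-v00@openssh.com) echo v00 ;;   # legacy format, removed in OpenSSH 7.0
    *-cert-v01@openssh.com) echo v01 ;;   # current format, the default since 5.6
    *)                      echo none ;;  # plain key, not a certificate
  esac
}

# Read `ssh -vvv` output on stdin and print "v01" if any KEXINIT line offers a
# current-format certificate algorithm, "v00-only" if certificate algorithms
# are offered but all of them are the removed v00 format, and "none" if no
# certificate algorithm is offered at all. "v00-only" is the situation in
# Comment 1: an OpenSSH 7.0+ client has no certificate algorithm in common
# with such a peer, so its CA-signed host key cannot be verified.
kexinit_cert_support() {
  local offered
  offered=$(grep 'kex_parse_kexinit:' | grep -- '-cert-v0[01]@openssh.com' || true)
  if [ -z "$offered" ]; then
    echo none
  elif printf '%s\n' "$offered" | grep -q -- '-cert-v01@openssh.com'; then
    echo v01
  else
    echo v00-only
  fi
}

# Re-sign a public key with the CA key. ssh-keygen has emitted v01 by default
# since OpenSSH 5.6 and cannot emit v00 at all from 7.0 on, so this replaces a
# legacy certificate with a current one. Arguments: CA private key, public key
# to sign, key identity (-I), principal list (-n), and "host" or "user".
# ssh-keygen writes the result next to the key as <name>-cert.pub.
regenerate_cert() {
  local ca_key=$1 pubkey=$2 key_id=$3 principals=$4 kind=${5:-user}
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
  if [ "$kind" = host ]; then
    ssh-keygen -s "$ca_key" -I "$key_id" -h -n "$principals" -V +52w "$pubkey"
  else
    ssh-keygen -s "$ca_key" -I "$key_id" -n "$principals" -V +52w "$pubkey"
  fi
  # Confirm the format of the result; the Type line names it, e.g.
  # "Type: ssh-rsa-cert-v01@openssh.com host certificate".
  ssh-keygen -L -f "${pubkey%.pub}-cert.pub" | grep 'Type:'
}

# Sample inputs. LEGACY_KEXINIT is the line quoted in Comment 1; the other
# three values are constructed for this example (the key material is truncated).
LEGACY_KEXINIT='debug2: kex_parse_kexinit: ssh-rsa,ssh-rsa-cert-v00@openssh.com,ssh-dss'
CURRENT_KEXINIT='debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ssh-ed25519'
LEGACY_CERT='ssh-rsa-cert-v00@openssh.com AAAAB3NzaC1yc2EAAAA... old-host-cert'
CURRENT_CERT='ssh-ed25519-cert-v01@openssh.com AAAAC3NzaC1lZDI1NTE5... user-cert'

echo "legacy cert line:   $(cert_format "$LEGACY_CERT")"
echo "current cert line:  $(cert_format "$CURRENT_CERT")"
echo "legacy KEXINIT:     $(printf '%s\n' "$LEGACY_KEXINIT" | kexinit_cert_support)"
echo "current KEXINIT:    $(printf '%s\n' "$CURRENT_KEXINIT" | kexinit_cert_support)"
# To actually re-sign, run e.g.:
#   regenerate_cert /path/to/ca_key /etc/ssh/ssh_host_rsa_key.pub host1 host1.example.org host
```

Running `kexinit_cert_support` over the attached `ssh -vvv` output (`ssh -vvv host 2>&1 | kexinit_cert_support`) reproduces the check Damien Miller did by eye. The regeneration is done on the CA host, which must be OpenSSH 5.6 or later (but need not be 7.x) for the default output to be v01; the old `-cert.pub` files on the server and in the user's `~/.ssh` are then replaced, and `ssh-keygen -L` on each new certificate should report a `-cert-v01@openssh.com` type.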
Comment 2 Damien Miller 2016-08-02 10:41:58 AEST
Close all resolved bugs after 7.3p1 release