In the "server-sig-algs" extension the server sends to the client, sshd only includes the rsa signature algorithms [1]:

    (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||

However, it should include all signature algorithms (including ecdsa-sha2-*, ssh-ed25519, etc) it supports. This is what the RFC [2] says:

    string "server-sig-algs"

    This extension is sent by the server only, and contains a list of signature algorithms that the server is able to process as part of a "publickey" request.

You may have incorrectly assumed that there is only 1 signature algorithm for the omitted public key algorithms. For example for ECDSA private keys there are at least two known signature algorithms:

    ecdsa-sha2-nistp256
    x509v3-ecdsa-sha2-nistp256 (from rfc6187)

References:
[1] https://github.com/openssh/openssh-portable/blob/master/kex.c#L344
[2] https://tools.ietf.org/html/draft-ssh-ext-info-05#section-3.1
Correction: The following example is incorrect: "You may have incorrectly assumed that there is only 1 signature algorithm for the omitted public key algorithms. For example for ECDSA private keys there are at least two known signature algorithms: ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp256 (from rfc6187)" Both public key formats use the same signature algorithm.
Thanks - I've committed a fix for this.
I believe the commit to fix this has created a regression:

OpenSSH 7.3p1:
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

OpenSSH 7.4p1:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

The former two algs, which worked, are now no longer listed as supported and the client ends up using ssh-rsa. I've tried to hardcode at least rsa-sha2-256 back again and it works on the client.
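The check described in the comment above, as an added example that is not part of the original thread or of OpenSSH's code: it parses the `kex_input_ext_info` debug lines and reports when an RSA key would fall back to ssh-rsa (RSA with SHA-1) because no rsa-sha2-* name is advertised. The function names and the client preference order are assumptions made for this example.

```python
import re

# Matches the client debug line quoted in the thread (ssh -v output).
EXT_INFO_RE = re.compile(r"kex_input_ext_info: server-sig-algs=<([^>]*)>")

# Assumption for this example: client preference order for RSA keys.
RSA_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256")


def parse_server_sig_algs(line):
    """Return the advertised algorithm list, or None if the line has no extension."""
    m = EXT_INFO_RE.search(line)
    if m is None:
        return None
    return [a for a in m.group(1).split(",") if a]


def pick_rsa_signature(advertised):
    """Pick the signature algorithm a client would use with an RSA key.

    Falls back to ssh-rsa (RSA with SHA-1) when no rsa-sha2-* name is advertised.
    """
    for alg in RSA_PREFERENCE:
        if advertised and alg in advertised:
            return alg
    return "ssh-rsa"


def audit(lines):
    """Return (advertised, chosen, sha1_fallback) for each line carrying the extension."""
    results = []
    for line in lines:
        advertised = parse_server_sig_algs(line)
        if advertised is None:
            continue
        chosen = pick_rsa_signature(advertised)
        results.append((advertised, chosen, chosen == "ssh-rsa"))
    return results


# The two debug lines from the thread, plus one unrelated line (constructed).
SAMPLE = [
    "debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>",
    "debug1: SSH2_MSG_NEWKEYS received",
    "debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>",
]

if __name__ == "__main__":
    for advertised, chosen, sha1_fallback in audit(SAMPLE):
        print(chosen, "SHA-1 FALLBACK" if sha1_fallback else "ok", advertised)
```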
Filed as new bug under #2680.
Close all resolved bugs after release of OpenSSH 7.7.