Bug 2650 - UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256
Summary: UpdateHostKeys ignores RSA keys if HostKeyAlgorithms=rsa-sha2-256
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.4p1
Hardware: All All
Importance: P5 trivial
Assignee: Damien Miller
Blocks: V_7_5
Reported: 2016-12-24 08:58 AEDT by Mira Ressel
Modified: 2018-04-06 12:26 AEST

Attachments
Accept RSA keys if HostkeyAlgorithms contains rsa-sha2 key types (1.67 KB, patch)
2017-03-10 15:32 AEDT, Damien Miller
dtucker: ok+
Description Mira Ressel 2016-12-24 08:58:39 AEDT
The UpdateHostKeys feature is designed to only add host key fingerprints to known_hosts if the corresponding signature algorithm is allowed by the HostKeyAlgorithms setting (see client_input_hostkeys() in clientloop.c).

However, for RSA keys it only checks HostKeyAlgorithms for the presence of ssh-rsa. If HostKeyAlgorithms includes rsa-sha2-{256,512}, but not ssh-rsa, RSA keys are ignored even though they could be used for authentication.
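As an added illustration of the check described above (not code from OpenSSH or from the attached patch), the report's two behaviours side by side: a lookup that consults HostKeyAlgorithms only for the key's own wire name, beside a corrected lookup that also accepts an RSA key when rsa-sha2-256 or rsa-sha2-512 is permitted. The function names and the sample HostKeyAlgorithms value are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if `name` appears as a whole comma-separated element of `list`. */
static int in_list(const char *list, const char *name)
{
    size_t n = strlen(name);
    const char *p = list;

    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == n && strncmp(p, name, n) == 0)
            return 1;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Behaviour the report describes: only the key's own wire name
 * ("ssh-rsa" for RSA keys) is looked up in HostKeyAlgorithms, so an
 * RSA key is dropped when the list holds rsa-sha2-* but not ssh-rsa. */
int hostkey_accepted_buggy(const char *keytype, const char *hostkeyalgs)
{
    return in_list(hostkeyalgs, keytype);
}

/* Corrected behaviour: an RSA key can still authenticate the host when
 * HostKeyAlgorithms permits an RSA/SHA-2 signature algorithm, so accept
 * it in that case as well. */
int hostkey_accepted_fixed(const char *keytype, const char *hostkeyalgs)
{
    if (in_list(hostkeyalgs, keytype))
        return 1;
    if (strcmp(keytype, "ssh-rsa") == 0)
        return in_list(hostkeyalgs, "rsa-sha2-256") ||
               in_list(hostkeyalgs, "rsa-sha2-512");
    return 0;
}

int main(void)
{
    /* Constructed HostKeyAlgorithms value: SHA-2 RSA allowed, ssh-rsa not. */
    const char *algs = "rsa-sha2-256,ssh-ed25519";
    printf("buggy: %d fixed: %d\n",
           hostkey_accepted_buggy("ssh-rsa", algs),
           hostkey_accepted_fixed("ssh-rsa", algs));
    return 0;
}
```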
Comment 1 Damien Miller 2017-03-10 15:32:03 AEDT
Created attachment 2961
Accept RSA keys if HostkeyAlgorithms contains rsa-sha2 key types

This patch accepts RSA keys if the HostkeyAlgorithms contains rsa-sha2-* keytypes.
Comment 2 Damien Miller 2017-03-10 16:01:29 AEDT
Patch applied. This will be in OpenSSH 7.5.
Comment 3 Damien Miller 2018-04-06 12:26:49 AEST
Close all resolved bugs after release of OpenSSH 7.7.