Bug 2959 - Disabling just rsa-sha2-512 breaks public key authentication
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 7.9p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2019-01-23 21:43 AEDT by Pierre Ossman
Modified: 2019-02-18 13:40 AEDT
Description Pierre Ossman 2019-01-23 21:43:43 AEDT
Put this in sshd_config:

> PubkeyAcceptedKeyTypes -rsa-sha2-512

And any client supporting it will fail to authenticate rather than using rsa-sha2-256 or ssh-rsa.

You also get this somewhat misleading log entry:

> Jan 23 11:38:10 ossman.lkpg.cendio.se sshd[26633]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]

The problem is that the client looks at the supported algorithms reported during the key exchange. That list is not filtered in any way. So the server reports it supports rsa-sha2-512. The client trusts the server and uses rsa-sha2-512. The server then promptly rejects it and the client doesn't try any other algo.


My use case was just testing, but there might be more realistic scenarios where it can cause problems.
Comment 1 Damien Miller 2019-02-18 13:40:19 AEDT
AFAIK there's no way in the protocol to handle this. The server can signal what public key algorithms it supports to the client, but that list is shared between both publickey and hostbased authentication methods.

A potential workaround might be to take the union of the enabled signature algorithms for both and send that, but unfortunately we don't know which methods are enabled until too late because of the Match directive in sshd_config - they are evaluated after the supported-sig-algs message is sent...
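
The mismatch discussed in this report, as a small model added here (it is not OpenSSH code and not part of either comment): it resolves a `PubkeyAcceptedKeyTypes` value, lets a client pick one RSA signature algorithm from the advertised list, and reports which advertised algorithms the server would reject. The algorithm lists are constructed and shortened, the client preference order is an assumption, and all function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed, shortened algorithm lists; real defaults depend on the OpenSSH version.
DEFAULTS = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
# Assumed client preference order for signing with an RSA key.
RSA_PREFERENCE = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]


def effective_accepted(value, defaults=DEFAULTS):
    """Resolve a PubkeyAcceptedKeyTypes value against the default list."""
    names = value.lstrip("+-").split(",")
    if value.startswith("-"):   # remove matching patterns from the defaults
        return [a for a in defaults
                if not any(fnmatchcase(a, p) for p in names)]
    if value.startswith("+"):   # append to the defaults
        return defaults + [n for n in names if n not in defaults]
    return names                # a plain list replaces the defaults


def client_choice(advertised, preference=RSA_PREFERENCE):
    """First preferred RSA signature algorithm found in the advertised list.
    As in the report, the client tries only this one."""
    return next((a for a in preference if a in advertised), None)


def simulate(config_value, advertised):
    accepted = effective_accepted(config_value)
    chosen = client_choice(advertised)
    return {
        "chosen": chosen,
        "authenticated": chosen in accepted,
        "untried_but_accepted": [a for a in RSA_PREFERENCE
                                 if a in accepted and a != chosen],
        "advertised_but_rejected": [a for a in advertised if a not in accepted],
    }


if __name__ == "__main__":
    # Case from the report: the advertised list is not filtered by the config.
    print(simulate("-rsa-sha2-512", DEFAULTS))
    # Hypothetical comparison: the advertised list matches what is accepted.
    print(simulate("-rsa-sha2-512", effective_accepted("-rsa-sha2-512")))
```

A non-empty `advertised_but_rejected` together with a non-empty `untried_but_accepted` is the condition the report describes: authentication fails although the server would have accepted another algorithm for the same key.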