Daniel Jakots:
> I thought I could restrict further my sshd_config regarding
> PubkeyAcceptedAlgorithms. I've one user where I can't use another key
> type than rsa. I added a `Match User whatever` and since I wasn't sure
> about which thingy I needed from `ssh -Q PubkeyAcceptedAlgorithms |
> grep rsa | grep -v cert`, I put an unrelated algo in
> PubkeyAcceptedAlgorithms and checked the logs.
>
> It said "userauth_pubkey: key type ssh-rsa not in
> PubkeyAcceptedAlgorithms [preauth]"
>
> I replaced the PubkeyAcceptedAlgorithms setting, except it still didn't
> work. Eventually, I tried them one by one and found out rsa-sha2-512
> is the one I needed.
That's an accidental omission in the logging code; it should now
log the signature algorithm instead of the key type. This was
eventually corrected in the equivalent code for host-based
authentication (auth2-hostbased.c rev 1.49) but again forgotten for
user public keys.
OK?
include rejected signature algorithm in error message and not the
(useless) key type
diff refs/heads/master refs/heads/local
blob - afde053dba54d792c4b9f6829432c50e63b120e7
blob + 8c80a762bc8be52635a7bdcec84b9b7ef18d0408
--- usr.bin/ssh/auth2-pubkey.c
+++ usr.bin/ssh/auth2-pubkey.c
@@ -163,8 +163,8 @@ userauth_pubkey(struct ssh *ssh, const char *method)
goto done;
}
if (match_pattern_list(pkalg, options.pubkey_accepted_algos, 0) != 1) {
- logit_f("key type %s not in PubkeyAcceptedAlgorithms",
- sshkey_ssh_name(key));
+ logit_f("signature algorithm %s not in "
+ "PubkeyAcceptedAlgorithms", pkalg);
goto done;
}
if ((r = sshkey_check_cert_sigtype(key,
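Review bot: logging pkalg here is the right variable: it is the same string that match_pattern_list() tests against options.pubkey_accepted_algos two lines above, so the message now names exactly what an operator must list in PubkeyAcceptedAlgorithms (rsa-sha2-512 in the quoted report, not the ssh-rsa key type that sshkey_ssh_name(key) returned). One suggestion: since a single RSA key can be offered under several signature algorithm names, keeping the key type alongside pkalg would make the mismatch obvious at a glance, e.g. `logit_f("signature algorithm %s (key type %s) not in PubkeyAcceptedAlgorithms", pkalg, sshkey_ssh_name(key));`. The hunk header's 8/8 line count matches the two-for-two replacement, so the string split across two lines is a style point only.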
--
Christian "naddy" Weisgerber [email protected]
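The per-user restriction Daniel describes, written out as an added sshd_config example (not part of the thread or of OpenSSH); the user name, the client address and the rsa-sha2-256 entry are assumptions, and the `sshd -T -C` line is a verification step this thread does not mention.

```sshd_config
# Added example sshd_config fragment; not from the posted thread or from
# OpenSSH.  User name, client address and the rsa-sha2-256 entry are assumed.

# Global policy: everyone authenticates with Ed25519 keys only.
PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com

# One user is stuck with an RSA key.  The list is matched against the
# SIGNATURE algorithm name the client offers (pkalg in auth2-pubkey.c),
# not against the key type, so the entries must be signature algorithm
# names.  Listing "ssh-rsa" here would permit only RSA/SHA-1 signatures,
# which modern OpenSSH clients no longer offer by default, and the
# connection would still fail with the message discussed above.
Match User whatever
    PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256

# Verify the effective value for that user without restarting sshd
# (constructed connection spec; -C takes user=,host=,addr=):
#   sshd -T -C user=whatever,host=client.example,addr=192.0.2.10 \
#       | grep -i pubkeyacceptedalgorithms
```

Before the patch above, the rejected-key log line showed the key type, so an administrator writing this Match block would be steered toward `ssh-rsa`; after it, the logged name is the one that belongs in the list.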