https://bugzilla.mindrot.org/show_bug.cgi?id=2680
Jakub Jelen <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |FIXED --- Comment #9 from Jakub Jelen <[email protected]> --- (In reply to Damien Miller from comment #7) > (In reply to Jakub Jelen from comment #6) > > Although the patch looks reasonable and I considered it as a > > resolved issue, it is not as the current master (openssh 7.5) still > > reports: > > > > debug1: kex_input_ext_info: > > server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh- > > dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null> > > That's AFAIK what it's supposed to be, excepting the "null" at the > end of the list - where does that come from? That is gssapi key exchange. Sorry for confusion. > > The correct list: > > > > debug1: kex_input_ext_info: > > server-sig-algs=<rsa-sha2-256,rsa-sha2-512> > > Doesn't list non-RSA signature algorithms. Per > https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info-10 : > > > This extension is sent by the server, and contains a list of public > > key algorithms that the server is able to process as part of a > > "publickey" authentication request. > > That doesn't limit the contents to just new signature algorithms. Ok. So it was a change from the initial implementation. Thanks for a clarification. But I am wondering what is the point of of listing all the algorithms that are already defined by the standard in extension. They are ignored by OpenSSH at least. > We don't currently provide a knob to disable SHA1 signtures, but > feel free to file another bug to request it and I'll try to get it > done before 7.6. I will do if it is the time already (it was not some time ago). > Though there at least one error in the contents of server-sig-algs: we > shouldn't offer ssh-dss when we're unwilling to offer a ssh-dss hostkey (true > by default). That is one of the thing I things why it is bogus to list all supported pkalgs, when they are already negotiated. Closing again, since it looks like it is correct according to the draft. I will fill separate bugs for the other issues. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
