https://bugzilla.mindrot.org/show_bug.cgi?id=2799
Damien Miller <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3090|0 |1 is obsolete| | Attachment #3104|0 |1 is obsolete| | --- Comment #8 from Damien Miller <[email protected]> --- Created attachment 3135 --> https://bugzilla.mindrot.org/attachment.cgi?id=3135&action=edit Stricter RSA key type checking This diff does a few things that aren't easily separable into individual diffs. 1. Makes ssh retry to the sign_and_send_pubkey() operation when ssh-agent returns a signature with an incorrect type. This ensures that the pktype in the USERAUTH_REQUEST matches that of the signature. 2. Makes PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes match the pktype in USERAUTH_REQUEST rather than the type of the embedded key. This allows these options to be effectively used to ban ssh-rsa but leave rsa-sha2-* enabled. 3. Add new RSA certificate types that that can be used in the above options and on the wire to require the use of RSA/SHA2 signatures. 4. More strictly check the pkalg field from USERAUTH_REQUEST packets against the type in the signature. 5. Because current OpenSSH is lax wrt RSA signature type correctness in the presence of agents that don't support the new signature types, add a compat flag to relax some of the new strictness. Unfortunately, this isn't likely to make the 7.7 release :( -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
