https://bugzilla.mindrot.org/show_bug.cgi?id=2799
--- Comment #9 from Jakub Jelen <[email protected]> ---

Thank you for having a look into that and working on this patch. All the features you mention would be very desirable.

FYI, the gnome-keyring developer dropped its ssh-agent implementation and instead wraps the standard ssh-agent [1] to enhance the interface with their functionality. I also tried to contact the PuTTY/Pageant developers about this issue, but without any success. Are there any other specific agents that are causing problems with SHA2 signatures?

Some comments to the patch:

+ /* + * PKCS#11 tokens may not support all signature algorithms, + * so check what we get back. + */

I don't think this should be a big problem. The PKCS#11 module gets just a hash that it is supposed to sign with the RSA PKCS#1.5 mechanism. The hashing is done already by the ssh and you have complete control of this.

The only thing that happens sometimes is that the tokens use some logic to make sure the passed value is a hash and not arbitrary data (assuming based on the length?). I saw this behavior with YubiHSM. I believe this is the only case when it might fail (if the token does not know SHA2 sizes?) and where the usage of another hash might help.

Otherwise the patch looks reasonable from my read-through.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=775981
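The failure mode raised in the comment above, as an added example that is not part of the original message, the patch, or OpenSSH: with the RSA PKCS#1 v1.5 mechanism the token receives an already-hashed, DigestInfo-encoded value whose length depends on the hash, so a token that only recognises SHA-1-sized input would refuse SHA-2 requests. The function names and the token-side check `token_accepts` are hypothetical and model the length-based logic the comment speculates about.

```python
import hashlib

# DER DigestInfo prefixes for PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
DIGESTINFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def digest_info(alg, message):
    """Value handed to the token: DigestInfo prefix followed by the hash."""
    return DIGESTINFO_PREFIX[alg] + hashlib.new(alg, message).digest()

def classify(blob):
    """Recognise a DigestInfo by prefix and exact length; None if unknown."""
    for alg, prefix in DIGESTINFO_PREFIX.items():
        expected_len = len(prefix) + hashlib.new(alg).digest_size
        if blob.startswith(prefix) and len(blob) == expected_len:
            return alg
    return None

def token_accepts(blob, known_algs):
    """Hypothetical token-side sanity check: sign only recognised hashes."""
    return classify(blob) in known_algs

def usable_algs(known_algs, message=b"constructed sample data"):
    """Caller-side probe: which signature hashes would this token sign?"""
    return [alg for alg in DIGESTINFO_PREFIX
            if token_accepts(digest_info(alg, message), known_algs)]

if __name__ == "__main__":
    for alg in DIGESTINFO_PREFIX:
        size = len(digest_info(alg, b"constructed sample data"))
        print(f"{alg}: {size} bytes passed to the token")
    # A token that only knows SHA-1 sizes rejects the SHA-2 requests.
    print("SHA-1-only token signs:", usable_algs({"sha1"}))
    print("SHA-2-aware token signs:", usable_algs({"sha1", "sha256", "sha512"}))
```
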
