https://bugzilla.mindrot.org/show_bug.cgi?id=2746
Jakub Jelen <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #3 from Jakub Jelen <[email protected]> ---
I do not think this has been completely resolved with OpenSSH 7.8 or 7.9.

Currently, specifying PubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-512 in sshd_config fails the RSA authentication (actually already the key check without signature) without any helpful error message:

debug1: userauth-request for user root service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: userauth_pubkey: test pkalg rsa-sha2-256 pkblob RSA SHA256:33ZvPdZiDGSXPKTytIAkeLQqsfe9pWbcKjo+73WIQMY [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x560e771b2c00
debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed
Failed publickey for root from ::1 port 52866 ssh2: RSA SHA256:33ZvPdZiDGSXPKTytIAkeLQqsfe9pWbcKjo+73WIQMY
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg rsa-sha2-256 [preauth]

This is because mm_answer_keyallowed() still checks against the raw list provided in options.pubkey_key_types:

    if (match_pattern_list(sshkey_ssh_name(key), options.pubkey_key_types, 0) != 1)

rather than using something similar to what is correctly used in the client (sshconnect2.c) in 4ba0d5479 (key_type_allowed_by_config), which takes the SHA2 extension into account.

I am sorry that I did not manage to test that earlier.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
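The following is an added illustration, not code from OpenSSH or from the comment above. It contrasts the two checks the report describes: a raw test of the key's own algorithm name ("ssh-rsa") against the configured pattern list, and a test that also accepts the key when one of its SHA-2 signature aliases (rsa-sha2-256, rsa-sha2-512) is listed. The pattern-list matcher here is a deliberately simplified stand-in for OpenSSH's match.c (comma-separated globs, "!" negation), and the function names key_allowed_raw and key_allowed_by_config are my own.

```c
/* Added example, not OpenSSH code. Shows why an sshd_config list of
 * "rsa-sha2-256,rsa-sha2-512" rejects an RSA key when only the key's own
 * name ("ssh-rsa") is matched, and passes when SHA-2 aliases are considered. */
#include <stdio.h>
#include <string.h>

/* Minimal glob: '*' matches any run of characters, '?' exactly one.
 * Simplified stand-in, not OpenSSH's match.c. */
static int match_glob(const char *s, const char *p)
{
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (match_glob(s, p))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*p != '?' && *p != *s)
            return 0;
        s++;
        p++;
    }
}

/* Comma-separated pattern list with '!' negation. Mirrors the contract the
 * report relies on: 1 = allowed, -1 = explicitly denied, 0 = no match. */
static int match_pattern_list_simple(const char *name, const char *list)
{
    char pat[128];
    const char *p = list;

    while (*p != '\0') {
        size_t n = strcspn(p, ",");
        size_t c = n < sizeof(pat) ? n : sizeof(pat) - 1;
        memcpy(pat, p, c);
        pat[c] = '\0';
        if (pat[0] != '\0') {
            int neg = (pat[0] == '!');
            if (match_glob(name, neg ? pat + 1 : pat))
                return neg ? -1 : 1;
        }
        p += n;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* The raw server-side check described in the bug: only the key's own
 * algorithm name is tested against the configured list. */
int key_allowed_raw(const char *key_name, const char *allowed_types)
{
    return match_pattern_list_simple(key_name, allowed_types) == 1;
}

/* The behaviour the comment attributes to the client: an RSA key is also
 * allowed when one of its SHA-2 signature aliases appears in the list. */
int key_allowed_by_config(const char *key_name, const char *allowed_types)
{
    if (match_pattern_list_simple(key_name, allowed_types) == 1)
        return 1;
    if (strcmp(key_name, "ssh-rsa") == 0) {
        if (match_pattern_list_simple("rsa-sha2-512", allowed_types) == 1)
            return 1;
        if (match_pattern_list_simple("rsa-sha2-256", allowed_types) == 1)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* The PubkeyAcceptedKeyTypes value from the report (constructed here). */
    const char *cfg = "rsa-sha2-256,rsa-sha2-512";

    printf("raw check for ssh-rsa:       %s\n",
           key_allowed_raw("ssh-rsa", cfg) ? "allowed" : "not allowed");
    printf("alias-aware check for ssh-rsa: %s\n",
           key_allowed_by_config("ssh-rsa", cfg) ? "allowed" : "not allowed");
    return 0;
}
```

With the reported configuration the raw check rejects the key even though the server would happily verify an rsa-sha2-256 signature from it, which is exactly the "RSA key is not allowed" outcome in the debug output; the alias-aware check accepts it. A negated entry such as "!ssh-rsa" still wins for the bare name, so administrators who want to forbid RSA keys entirely rather than only SHA-1 signatures can express that explicitly.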
