https://bugzilla.mindrot.org/show_bug.cgi?id=2994
Bug ID: 2994
Summary: SSH certificate signing does not work with SHA256 hashing algorithm
Product: Portable OpenSSH
Version: 7.9p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: [email protected]
Reporter: [email protected]
Repro instructions:
ssh-keygen -f server_ca
ssh-keygen -f userkey
ssh-keygen -s server_ca -I ident -t rsa-sha2-256 -n user userkey.pub && ssh-keygen -L -f userkey-cert.pub
Signed user key userkey-cert.pub: id "ident" serial 0 for user valid forever
userkey-cert.pub:
Type: [email protected] user certificate
Public key: RSA-CERT SHA256:vGA3iSIWLZNdTjBoKzzAGH8daBV9Kvf9yZ3AhTyZ6IM
Signing CA: RSA SHA256:TgQchZRAwiD8VRLdOmIDqoIyc6btwxIbPFMYI/JAUag
Key ID: "ident"
Serial: 0
Valid: forever
Principals:
user
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
As you can see, the certificate type is ssh-rsa-cert-v0; it should be
rsa-sha2-256-cert-v01 instead.
The problem seems to be with the sshkey_ssh_name function, which takes the
first matching key type (which is SHA1). If that is the right place, then
this function should be changed to also take the hash algorithm into
account.