https://bugzilla.mindrot.org/show_bug.cgi?id=3351
Bug ID: 3351
Summary: RSA SHA256 certificates no longer work
Product: Portable OpenSSH
Version: 8.8p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: [email protected]
Reporter: [email protected]
RSA SHA256 certificate authentication stopped working in 8.8.
It looks like RSA SHA256 certificates are identified as
[email protected] instead of as
[email protected], and the current allow list does not have
[email protected] on it, resulting in rejection of such
certificates by the client. The root cause seems to be the
misidentification of SHA256 certificates as [email protected]
certificates.
The workaround is to add "PubkeyAcceptedKeyTypes
[email protected]" to the client ssh config, but this doesn't
seem right, since the certificate is actually a SHA256 certificate and should
be allowed by default.
Reproduction steps:
1. Create CA key:
   ssh-keygen -t rsa-sha2-256 -f ca_key
2. Create user key:
   ssh-keygen -t rsa-sha2-256 -f user_key
3. Sign certificate using SHA256 signature:
   ssh-keygen -s ca_key -I "test" -z "123" -V -1w:+54w5d -t rsa-sha2-256 -n user user_key.pub
4. Copy ca_key.pub to server /etc/ssh/ca_key.pub
5. Add the following line to /etc/sshd_config:
   TrustedUserCAKeys /etc/ssh/ca_key.pub
6. Restart sshd: sudo service sshd restart
7. Add test user: sudo useradd user
8. Back on the client run:
   ssh -i user_key user@<server-host>
This fails with: user@<server-host>: Permission denied
(publickey,gssapi-keyex,gssapi-with-mic).
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs