[Bug 3577] New: CASignatureAlgorithms supports -cert alogrithms

[bugzilla-daemon]

https://bugzilla.mindrot.org/show_bug.cgi?id=3577

            Bug ID: 3577
           Summary: CASignatureAlgorithms supports -cert alogrithms
           Product: Portable OpenSSH
           Version: 9.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-b...@mindrot.org
          Reporter: xspielinbox+mind...@protonmail.com

Hello,

The CASignatureAlgorithms directive in ssh and sshd supports the
following algorithms:
ssh-ed25519
ssh-ed25519-cert-...@openssh.com
sk-ssh-ed25...@openssh.com
sk-ssh-ed25519-cert-...@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp...@openssh.com
webauthn-sk-ecdsa-sha2-nistp...@openssh.com
ssh-rsa-cert-...@openssh.com
rsa-sha2-256-cert-...@openssh.com
rsa-sha2-512-cert-...@openssh.com
ssh-dss-cert-...@openssh.com
ecdsa-sha2-nistp256-cert-...@openssh.com
ecdsa-sha2-nistp384-cert-...@openssh.com
ecdsa-sha2-nistp521-cert-...@openssh.com
sk-ecdsa-sha2-nistp256-cert-...@openssh.com

Why are the *-cert-...@openssh.com algorithms allowed here? This seems
wrong to me as per documentation intermediate certificates aren't
supported and I don't see how this would work then.
They also aren't enabled by default.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs