
Ability to sign SSH certificate with SHA2 #107

Open
Aniderhofer opened this issue Jul 22, 2020 · 4 comments

Comments

@Aniderhofer

Hello

I would like to add to Bless support for signing SSH certificates with a SHA2 algorithm, more specifically RSA-SHA2 512.
SSH certificates signed with a SHA2 algorithm are supported and recommended by default since the OpenSSH 8.2 release: https://www.openssh.com/txt/release-8.2

I have created a POC using the Bless SSH sign code, successfully signing with RSA SHA2 512.
I would love to contribute my work to Bless.

Thanks
Albert

@lpcalisi

Hi Albert, I am developing a refactor of Bless with more features like audit, an external authorization module, and more handling of exceptions, and I would like to support SHA2 512. Can you share it?

@albertniderhofer

@le0pard

le0pard commented Mar 15, 2021

https://github.com/certonid/certonid (min version 0.7.0) supports the rsa-sha2-256 algorithm, which works with the latest OpenSSH.

@skiptomyliu

skiptomyliu commented Jun 22, 2021

Thanks @albertniderhofer, your commit was immensely helpful. We've made some small changes to your commit: lyft#49

Primarily decoupling the public key type from the signing type. Otherwise, your original commit will change the public key from ssh-rsa to rsa-sha2-512. The public key shouldn't be changing, only the signature. Surprisingly, you'll be able to use the generated cert (tested using ssh -i [cert] [server]), but certain clients won't be able to parse the public key (e.g. golang ssh's ParseAuthorizedKey).
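To illustrate the decoupling described in the comment above, here is an added example (not Bless's code and not the lyft#49 change): it encodes the last two fields of an OpenSSH certificate, the CA "signature key" blob and the "signature" blob, in SSH wire format and checks that the key type stays ssh-rsa while only the signature blob names rsa-sha2-512. The RSA exponent, modulus and signature bytes are constructed placeholders, not a real key or signature.

```python
import struct

# Signature algorithm names an RSA CA key may legitimately use in the signature blob.
RSA_SIG_ALGS = (b"ssh-rsa", b"rsa-sha2-256", b"rsa-sha2-512")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (two's complement, big-endian)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the value positive
    return ssh_string(raw)


def read_string(buf: bytes, off: int):
    """Decode one SSH string at offset `off`; return (bytes, new offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def encode_rsa_public_key(e: int, n: int) -> bytes:
    """CA 'signature key' blob. The key type is always ssh-rsa, whatever hash signs."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def encode_signature(sig_alg: bytes, signature: bytes) -> bytes:
    """'signature' blob. This is where rsa-sha2-512 belongs."""
    return ssh_string(sig_alg) + ssh_string(signature)


def check_cert_tail(signature_key: bytes, signature_blob: bytes) -> dict:
    """Decode both blobs and report whether key type and signature algorithm are consistent."""
    key_type, _ = read_string(signature_key, 0)
    sig_alg, off = read_string(signature_blob, 0)
    _sig, _ = read_string(signature_blob, off)
    consistent = key_type == b"ssh-rsa" and sig_alg in RSA_SIG_ALGS
    return {"key_type": key_type.decode(), "sig_alg": sig_alg.decode(), "consistent": consistent}


# Constructed placeholder values (not a real key or signature).
CA_KEY = encode_rsa_public_key(65537, 0xC0FFEE1234567891)
GOOD_SIG = encode_signature(b"rsa-sha2-512", b"\x01" * 64)
# What the original commit produced: the key blob itself renamed to rsa-sha2-512.
BAD_KEY = ssh_string(b"rsa-sha2-512") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567891)
```

Running `check_cert_tail(CA_KEY, GOOD_SIG)` reports a consistent cert tail, while `check_cert_tail(BAD_KEY, GOOD_SIG)` flags the renamed key type that strict parsers reject.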
