Flag RSA SHA1 deprecation when loading keys #12415
Set flag on RSA keys of deprecated RSA SHA1 support when loading keys based on server version of the transport. This ensures keys are properly flagged. Flag name has been updated to provide context on usage. Version matching on the OpenSSH server version has also been updated to handle customized naming in the version string (as seen in the Windows port) and to properly handle when no match is found. Fixes hashicorp#12344 hashicorp#12408 hashicorp#12381
@chrisroberts sorry, but I think this is the wrong way. This may help.
Since RSA keys are not dependent on the choice of hash function, the
All aspects of the "ssh-rsa" format are kept, including the encoded Signing and verifying using these algorithms is performed according to For the algorithm "rsa-sha2-256", the hash used is SHA-256. The resulting signature is encoded as follows:
The value for 'rsa_signature_blob' is encoded as a string containing
@berlin4apk Aside from issues with other ssh server implementations (have any others fully deprecated the ssh-rsa signature?) I'm not clear on why you think this is the wrong direction. The copied sections you pasted don't really provide much context on your objection. Could you state more clearly what you think is incorrect? Thanks.
The way via the server version string will break too easily. See also https://github.com/net-ssh/net-ssh/pull/811/commits
Currently I'm unaware of any other server implementations affected outside of OpenSSH (and its derivatives). These modifications are not meant to be a long term fix, rather they are simply patches for things to work until support is available upstream (this is why the patches are only applied if a specific version of the ssh library is loaded, which is the currently released version right now). Detecting based on the session is ideal; however, from the point of view of monkey patching the library after it has been loaded, it is much more difficult. The patch in its current state will allow things to continue working where it is currently known to fail (openssh versions 8.3 and greater) and will no longer be applicable once the library can be upgraded.
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Set flag on RSA keys of deprecated RSA SHA1 support when loading
keys based on server version of the transport. This ensures keys
are properly flagged. Flag name has been updated to provide context
on usage.
Version matching on the OpenSSH server version has also been updated
to handle customized naming in the version string (as seen in the
Windows port) and to properly handle when no match is found.
Fixes #12344
Fixes #12408
Fixes #12381
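
A sketch of the banner-based version matching described in this pull request, as an added example that is not Vagrant's or net-ssh's code. The method names and sample banners are constructed for illustration; the 8.3 threshold is the one stated in the thread.

```ruby
require "rubygems" # Gem::Version gives numeric comparison (10.0 > 8.3)

# Threshold from the thread: failures are known on OpenSSH 8.3 and greater.
RSA_SHA1_DEPRECATED_SINCE = Gem::Version.new("8.3")

# Brittle form: expects the number right after "OpenSSH_" and assumes a match.
def naive_openssh_version(banner)
  banner.match(/OpenSSH_(\d+\.\d+)/)[1]
end

# Tolerant form: permits custom naming between "OpenSSH" and the number
# (as in the Windows port) and returns nil when the banner does not match.
def openssh_version(banner)
  m = banner.to_s.match(/OpenSSH[^\d\s]*?(\d+\.\d+)/)
  m && Gem::Version.new(m[1])
end

# true/false for a recognised OpenSSH banner, nil when the version is unknown
# so the caller decides what to do instead of crashing or guessing.
def rsa_sha1_deprecated?(banner)
  version = openssh_version(banner)
  version.nil? ? nil : version >= RSA_SHA1_DEPRECATED_SINCE
end

# Constructed sample identification strings.
SAMPLE_BANNERS = [
  "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
  "SSH-2.0-OpenSSH_8.3",
  "SSH-2.0-OpenSSH_for_Windows_8.1",
  "SSH-2.0-OpenSSH_10.0",
  "SSH-2.0-dropbear_2019.78",
].freeze

def classify(banners)
  banners.to_h { |b| [b, rsa_sha1_deprecated?(b)] }
end

if __FILE__ == $PROGRAM_NAME
  classify(SAMPLE_BANNERS).each { |banner, flag| puts "#{banner.ljust(42)} #{flag.inspect}" }
end
```

The nil result for a banner that is not OpenSSH, or that has been customised beyond recognition, is the fragility raised in the review comments: a banner is advisory text, so an unknown version has to be handled explicitly.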