Description of problem:
The OpenSSH server in RHEL7.6 does not send the complete list of signature algorithms in the SHA2 extension.
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
This causes failures if the client is on OpenSSH 7.8p1+ (Fedora 28+) and for some reason disabled the rsa-sha2-* public key algorithms with the PubkeyAcceptedKeyTypes configuration option.
The correct list should look like this:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>
This does not affect any other key types at this moment.
Version-Release number of selected component (if applicable):
openssh-7.4p1-16
How reproducible:
specific configuration
Steps to Reproduce:
1. Install OpenSSH 7.8p1 (Fedora 28+)
2. Configure pubkey authentication using RSA key with remote server example.com
3. ssh -vvv -o PubkeyAcceptedKeyTypes=ssh-rsa example.com
Actual results:
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:I1XXiJ/wkXC6Vn8ohZVHcJTCCKoPKm4mL8qtjtyNMhw /home/lslebodn/.ssh/id_rsa
debug1: send_pubkey_test: no mutual signature algorithm
Expected results:
The authentication should proceed using ssh-rsa algorithm.
Additional info:
This is a change in OpenSSH 7.8, which is getting more strict about handling this extension. Unfortunately, we carry a broken version in RHEL7, which is not sending the complete list of algorithms.
Workaround:
In client, list also the SHA2 extension algorithms:
PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512
If you need to adjust this list, rather use the + sign.
Thanks lslebodn for reporting this issue to me.
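
The mismatch described in this report can be checked from a client debug log. The following is an added example, not code from OpenSSH or from the original report: a simplified Python model of how a 7.8+ client picks an RSA signature algorithm from PubkeyAcceptedKeyTypes and the advertised server-sig-algs list. The function names and the selection rule as modelled here are assumptions for illustration.

```python
import re

# Signature algorithms an RSA key can produce (the SHA-2 ones come from RFC 8332).
RSA_SIG_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

SIG_ALGS_RE = re.compile(r"kex_input_ext_info: server-sig-algs=<([^>]*)>")


def parse_server_sig_algs(debug_log):
    """Return the server-sig-algs list from `ssh -vvv` output, or None if absent."""
    m = SIG_ALGS_RE.search(debug_log)
    if m is None:
        return None
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def pick_rsa_sig_alg(accepted_key_types, server_sig_algs):
    """Assumed model: first accepted RSA algorithm that the server also advertises."""
    accepted = [a.strip() for a in accepted_key_types.split(",")]
    if server_sig_algs is None:
        # No extension received: only the base key algorithm can be used.
        return "ssh-rsa" if "ssh-rsa" in accepted else None
    for alg in accepted:
        if alg in RSA_SIG_ALGS and alg in server_sig_algs:
            return alg
    return None  # the client logs "no mutual signature algorithm"


# Log lines from the report: the RHEL 7.6 server's truncated list and the correct one.
TRUNCATED = "debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>"
COMPLETE = ("debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,"
            "rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,"
            "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>")

if __name__ == "__main__":
    for label, log in (("truncated", TRUNCATED), ("complete", COMPLETE)):
        algs = parse_server_sig_algs(log)
        # First value reproduces the failing setup, second is the workaround.
        for accepted in ("ssh-rsa", "rsa-sha2-256,rsa-sha2-512"):
            print(label, accepted, "->", pick_rsa_sig_alg(accepted, algs))
```

A result of None for an RSA key corresponds to the "no mutual signature algorithm" message in the client log.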