Bug 1623929

Summary: OpenSSH server reports incomplete server-sig-algs list in SHA2 extension
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Jelen <jjelen>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.6CC: champetier.etienne, christoph.sievers, nmavrogi, redhat-bugzilla, roman.aleksic, whaidinger
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-11 15:39:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Jelen 2018-08-30 13:22:47 UTC 
Description of problem:
The OpenSSH server in RHEL7.6 does not send complete list of signature algorithms in SHA2 extension.

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

This causes failures if the client is on OpenSSH 7.8p1+ (Fedora 28+) and for some reason disabled the rsa-sha2-* public key algorithms with PubkeyAcceptedKeyTypes configuration option.

The correct list should look like this:

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>

This does not affect any other key types at this moment.

Version-Release number of selected component (if applicable):
openssh-7.4p1-16

How reproducible:
specific configuration

Steps to Reproduce:
1. Install OpenSSH 7.8p1 (Fedora 28+)
2. Configure pubkey authentication using RSA key with remote server example.com
3. ssh -vvv -o PubkeyAcceptedKeyTypes=ssh-rsa example.com

Actual results:

debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:I1XXiJ/wkXC6Vn8ohZVHcJTCCKoPKm4mL8qtjtyNMhw /home/lslebodn/.ssh/id_rsa
debug1: send_pubkey_test: no mutual signature algorithm

Expected results:

The authentication should proceed using ssh-rsa algorithm.

Additional info:
This is a change in OpenSSH 7.8 that it is getting more strict about handling this extension. Unfortunately we carry broken version in RHEL7, which is not sending complete list of algorithms.

Workaround:
In client, list also the SHA2 extension algorithms:

PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512

If you need to adjust this list, rather use the + sign.


Thanks lslebodn for reporting this issue to me.
Comment 2 Christoph Sievers 2018-09-04 16:46:16 UTC 
Hi,

client fedora 28 with openssh-7.8p1-2.fc28.x86_64

using a ssh-rsa-cert-v01 client certificate

> debug1: Offering public key: RSA-CERT > SHA256:xxx /home/c/.ssh/id_rsa-cert.pub
> debug1: send_pubkey_test: no mutual signature algorithm

The proposed workaround does not seem to work (Even if adding the cert type)

> PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-rsa-cert-v01
Comment 3 Jakub Jelen 2018-09-04 17:33:06 UTC 
If you want to use certificates, you need to list also the SHA2 variants of certificates:

rsa-sha2-256-cert-v01,rsa-sha2-512-cert-v01

Not sure if this is somewhere documented, but is should do the job.
Comment 4 Christoph Sievers 2018-09-05 11:07:44 UTC 
Hi,

i tried

PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01,rsa-sha2-512-cert-v01,ssh-rsa-cert-v01

but still

debug1: send_pubkey_test: no mutual signature algorithm
Comment 5 Jakub Jelen 2018-09-05 11:36:43 UTC 
Please, open a customer case if you have this issue with your RHEL installation. 

https://access.redhat.com/

This will really need a fix in RHEL7 since the new OpenSSH checks the signature algorithms against the hardcoded list there, which is wrong.
Comment 6 Etienne CHAMPETIER 2018-09-06 17:21:31 UTC 
Hi all,

Even if the CA is an RSA key, you can sign ECDSA or ED25519 keys so you get ECDSA/ED25519 certs which allow you to work around the issue without changing anything server-side

Exemple cert:
$ ssh-keygen -Lf ~/.ssh/id_ed25519-cert.pub
~/.ssh/id_ed25519-cert.pub:
        Type: ssh-ed25519-cert-v01 user certificate
        Public key: ED25519-CERT SHA256:<...>
        Signing CA: RSA SHA256:<...>
        Key ID: "..."
Comment 7 Christoph Sievers 2018-10-31 12:17:01 UTC 
I think something happend within openssh 7.9 if my interpretation of this is correct: https://www.spinics.net/lists/openssh-unix-dev/msg05371.html
Comment 8 Jakub Jelen 2018-10-31 12:55:48 UTC 
Indeed, there is fix [1] in latest OpenSSH 7.9p1 so updating the clients to the latest version should resolve the issue. But it does not change that there is a bug in RHEL7 too.

[1] https://github.com/openssh/openssh-portable/commit/1a4a9cf8
Comment 9 Simo Sorce 2019-02-11 15:39:06 UTC 
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.