Bug 1940201

Summary: OpenSSH does not honor crypto policy disabling SHA1 when logging into old servers
Product: [Fedora] Fedora Reporter: Jakub Jelen <jjelen>
Component: opensshAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 35CC: crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, plautrba, tm
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-12 14:11:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Jelen 2021-03-17 19:34:35 UTC 
Description of problem:
This was originally reported as different bug in libssh where libssh was not able to connect to some old openssh servers (6.7 without support for SHA2 RSA signatures).

https://bugs.libssh.org/T277

The root cause (crytpo policies disabling SHA1) was promptly identified, but what was surprising was the openssh behavior, which automatically backed down to SHA1 RSA signatures even though the configuration explicitly not allows it.

I think this is caused by the compat flags that are on for old openssh servers, which make sure we do not send them unknown signatures, but this is not fine from the policy point of view, where we claim SHA1 disabled, but it is not the case. 

Version-Release number of selected component (if applicable):
current

How reproducible:
deterministic

Steps to Reproduce:
0. Make sure the crypto policies is set to DEFAULT or higher (disabling SHA1)
1. Create rsa key
2. Copy the public key to old servers's (ex. 6.7) authorized_keys file
3. Try to connect using the key to the server

Actual results:
succeeds, ssh-rsa (SHA1 signature is used)

Expected results:
fail

Additional info:
The authentication using sha1 should not be attempted when the signature algorithm is not in the PubkeyAcceptedKeyTypes/PubkeyAcceptedAlgorithms. This is correctly enforced when the server is new and knows SHA2, but not in case of old servers with compat bits.
Comment 2 Ben Cotton 2021-08-10 12:54:53 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.
Comment 3 Dmitry Belyavskiy 2022-04-12 14:11:19 UTC 
The changes fixing this issue on the OpenSSL level should land in F37 or F38. Closing.