Bug 2093897

Summary: SHA1 is used as a proof of possession for the RSA key
Product: Red Hat Enterprise Linux 8
Reporter: Dmitry Belyavskiy <dbelyavs>
Component: openssh
Assignee: Zoltan Fridrich <zfridric>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: medium
Version: 8.6
CC: bstinson, jafiala, jjelen, mhavrila, omoris, zfridric
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-8.0p1-14.el8
Doc Type: No Doc Update
Last Closed: 2022-11-08 10:53:35 UTC
Type: Bug

Description Dmitry Belyavskiy 2022-06-06 10:15:37 UTC
If we need to get a proof of ownership for an RSA key on establishing a connection, the SHA1 algorithm is used by default (see the ssh_rsa_sign function). Not sure that it is the best possible option now.

As it is possible to explicitly request the hash, it's worth analyzing the client's capabilities and using SHA2 for this purpose.

The upstream patch should be applied to RHEL 8 series.
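
An SSH signature blob names its own algorithm: `ssh-rsa` means RSA with SHA-1 (RFC 4253), while `rsa-sha2-256` and `rsa-sha2-512` mean RSA with SHA-2 (RFC 8332), so the hash used for the proof of possession described above can be read off a captured blob. The following C code is an added example, not part of this bug report and not OpenSSH code; the function names and the sample blobs (with dummy signature bytes) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sig_hash { SIG_MALFORMED = -1, SIG_OTHER = 0, SIG_RSA_SHA1, SIG_RSA_SHA256, SIG_RSA_SHA512 };

/* Read one SSH "string" (big-endian uint32 length + bytes) with bounds checks; 0 on success. */
static int get_string(const uint8_t **p, size_t *left, const uint8_t **s, size_t *slen)
{
    if (*left < 4) return -1;
    uint32_t n = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
                 ((uint32_t)(*p)[2] << 8) | (uint32_t)(*p)[3];
    if (n > *left - 4) return -1;            /* declared length exceeds the buffer */
    *s = *p + 4; *slen = n;
    *p += 4 + (size_t)n; *left -= 4 + (size_t)n;
    return 0;
}

/* Classify a signature blob: string algorithm-name, string signature-bytes, nothing after. */
enum sig_hash classify_signature(const uint8_t *blob, size_t len)
{
    const uint8_t *name, *sig;
    size_t nlen, slen;
    if (get_string(&blob, &len, &name, &nlen) != 0 ||
        get_string(&blob, &len, &sig, &slen) != 0 || len != 0 || slen == 0)
        return SIG_MALFORMED;
    if (nlen == 7 && memcmp(name, "ssh-rsa", 7) == 0) return SIG_RSA_SHA1;
    if (nlen == 12 && memcmp(name, "rsa-sha2-256", 12) == 0) return SIG_RSA_SHA256;
    if (nlen == 12 && memcmp(name, "rsa-sha2-512", 12) == 0) return SIG_RSA_SHA512;
    return SIG_OTHER;                        /* not an RSA signature, e.g. ssh-ed25519 */
}

/* Example policy (an assumption of this example): accept RSA signatures only with SHA-2. */
int signature_allowed(enum sig_hash h) { return h == SIG_RSA_SHA256 || h == SIG_RSA_SHA512; }

/* Constructed sample blobs: real algorithm names, dummy 4-byte signature bodies. */
static const uint8_t sample_sha1[] = {0,0,0,7,'s','s','h','-','r','s','a',0,0,0,4,1,2,3,4};
static const uint8_t sample_sha256[] = {0,0,0,12,'r','s','a','-','s','h','a','2','-','2','5','6',
                                        0,0,0,4,1,2,3,4};
static const uint8_t sample_trunc[] = {0,0,0,12,'r','s','a','-'};

int main(void)
{
    printf("ssh-rsa blob allowed: %d\n", signature_allowed(classify_signature(sample_sha1, sizeof sample_sha1)));
    printf("rsa-sha2-256 blob allowed: %d\n", signature_allowed(classify_signature(sample_sha256, sizeof sample_sha256)));
    return 0;
}
```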

Comment 1 Marek Havrila 2022-06-07 09:05:33 UTC
*** Bug 2060232 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2022-11-08 10:53:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7763