Closed reynir closed 1 year ago
Relevant reading https://www.rfc-editor.org/rfc/rfc8332#section-2
and in section 3.2:
If the client includes the signature field, the client MUST encode
the same algorithm name in the signature as in
SSH_MSG_USERAUTH_REQUEST -- either "rsa-sha2-256" or "rsa-sha2-512".
If a server receives a mismatching request, it MAY apply arbitrary
authentication penalties, including but not limited to authentication
failure or disconnect.
So it seems a client MUST put matching signature algorithms (known as public key algorithms in the RFCs with all its ambiguity). A server MAY reject it. In openssh they seem, for rsa keys, to generally enforce this with the exception of ssh-rsa-cert-v01
https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/ssh-rsa.c#L504-L507
I don't think it would require much change to support clients that don't probe keys first. I can take a look at implementing that later this week. Otherwise I think this PR is ready.
thanks a lot
This PR delays parsing of public keys offered by clients. This allows clients to offer keys we don't know how to use to the server, and the server can reject them gracefully.
Things to do