[ssh_x509] Support for x509v3-rsa2048-sha256?

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Thu May 9 18:57:03 EEST 2019


On May 9, 2019, at 8:48 AM, ssh_x509 at roumenpetrov.info wrote:
> 
> ssh_x509 at roumenpetrov.info wrote:
>>  Roumen, thanks for your reply. Now that you have released 12.0 with the algorithm-centric code, does that mean that I could specify an x509v3-ssh-rsa with SHA256 instead of SHA1?
> Theoretically yes.
> Currently combinations are restricted to those at https://securebox.termoneplus.com/man5/sshd_config.5.html#X509_Key_Algorithms_Format .
> For RSA the list could be enhanced (first in code).
> 
>> As for other implementations, I do see there isn't much out there that supports it. I see an old question on your mailer that refers to Maverick supporting it. The only other implementation I have found is SmartFTP, which I've never used before. Indeed, not a widely implemented algorithm.
> ssh.com (Tectia) still supports only the "legacy" format (authors of the protocol).
> VanDyke supports legacy and "new" (rsa, dsa, no ec).
> Cisco implements "new" but, if I remember well, only for rsa (x509v3-ssh-rsa).
> Reflection?
> F-Secure may have left the business (perhaps the implementation was licensed from ssh.com).


AsyncSSH currently supports RFC 6187’s version of X.509 in SSH. More specifically, it supports the following algorithms:

x509v3-ecdsa-sha2-nistp521
x509v3-ecdsa-sha2-nistp384
x509v3-ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-1.3.132.0.10
x509v3-rsa2048-sha256
x509v3-ssh-rsa
x509v3-ssh-dss

I’ve done some interoperability testing with PKIXSSH 10.2 and 11.1 on the algorithms that they have in common, and things looked good when I last ran these tests.

For more info on AsyncSSH, check out https://asyncssh.readthedocs.io/en/latest/. You can find a complete list of its supported algorithms at https://asyncssh.readthedocs.io/en/latest/api.html#supported-algorithms.
-- 
Ron Frederick
ronf at timeheart.net
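The question that opened the thread ("x509v3-ssh-rsa with SHA256") and the algorithm list in the message above both come down to RFC 6187 naming: x509v3-ssh-rsa and x509v3-ssh-dss bind the signature to SHA-1 by definition, and the SHA-256 RSA variant is the separate name x509v3-rsa2048-sha256, so what a connection actually ends up using depends on which names each side puts in its KEXINIT name-list and in what order. The script below is an added example, not code from the thread, from AsyncSSH or from PKIXSSH. The algorithm table is assembled from RFC 6187 and RFC 5656 (the secp256k1 OID entry being assumed SHA-256 by the curve-size rule), the negotiation rule is RFC 4253 section 7.1, the 2048-bit minimum for x509v3-rsa2048-sha256 is from RFC 6187, and every name-list is constructed: the client list uses the AsyncSSH names in the order Ron gives them, and the two server lists are hypothetical.

```python
from __future__ import annotations

# RFC 6187 public key algorithm name -> (key type, hash the signature is bound to).
# The two "ssh-" names are the SHA-1 ones; x509v3-rsa2048-sha256 is the SHA-256
# RSA variant asked about in the thread. The OID entry is secp256k1 (assumed
# SHA-256 per RFC 5656's curve-size rule).
X509_ALGS = {
    "x509v3-ssh-dss": ("dsa", "sha1"),
    "x509v3-ssh-rsa": ("rsa", "sha1"),
    "x509v3-rsa2048-sha256": ("rsa", "sha256"),
    "x509v3-ecdsa-sha2-nistp256": ("ecdsa", "sha256"),
    "x509v3-ecdsa-sha2-nistp384": ("ecdsa", "sha384"),
    "x509v3-ecdsa-sha2-nistp521": ("ecdsa", "sha512"),
    "x509v3-ecdsa-sha2-1.3.132.0.10": ("ecdsa", "sha256"),
}


def parse_namelist(namelist: str) -> list[str]:
    """Split an SSH name-list (RFC 4251: comma separated, no whitespace)."""
    return [name for name in namelist.split(",") if name]


def negotiate(client_namelist: str, server_namelist: str) -> str | None:
    """RFC 4253 section 7.1 rule for the host key algorithm: the first name on
    the client's list that the server also supports wins; None if no overlap."""
    supported = set(parse_namelist(server_namelist))
    for name in parse_namelist(client_namelist):
        if name in supported:
            return name
    return None


def signature_hash(alg: str) -> str | None:
    """Hash the name commits the signature to, or None if not an RFC 6187 name."""
    return X509_ALGS[alg][1] if alg in X509_ALGS else None


def sha1_algs(namelist: str) -> list[str]:
    """Names in a list whose signatures are still SHA-1 based."""
    return [n for n in parse_namelist(namelist) if signature_hash(n) == "sha1"]


def key_allowed(alg: str, key_type: str, key_bits: int) -> bool:
    """RFC 6187 requires an RSA modulus of at least 2048 bits for
    x509v3-rsa2048-sha256; the other names here only need the matching key
    type (per-curve size checks for the ECDSA names are left out)."""
    if alg not in X509_ALGS or X509_ALGS[alg][0] != key_type:
        return False
    if alg == "x509v3-rsa2048-sha256":
        return key_bits >= 2048
    return True


# Constructed client preference list: the AsyncSSH names in the order given in
# the message above (ECDSA first, then the SHA-256 RSA name, then SHA-1 names).
ASYNCSSH_CLIENT = ",".join([
    "x509v3-ecdsa-sha2-nistp521",
    "x509v3-ecdsa-sha2-nistp384",
    "x509v3-ecdsa-sha2-nistp256",
    "x509v3-ecdsa-sha2-1.3.132.0.10",
    "x509v3-rsa2048-sha256",
    "x509v3-ssh-rsa",
    "x509v3-ssh-dss",
])

# Constructed server lists (not taken from any real server): a "legacy only"
# peer that offers X.509 RSA with SHA-1 only, and a hypothetical peer that also
# offers the SHA-256 RSA name.
LEGACY_ONLY_SERVER = "x509v3-ssh-rsa,ssh-rsa"
SHA256_SERVER = "x509v3-rsa2048-sha256,x509v3-ssh-rsa,rsa-sha2-256"


def negotiate_with_report(client: str, server: str) -> dict:
    """Chosen name plus the hash it implies, so a SHA-1 outcome is visible."""
    chosen = negotiate(client, server)
    return {"chosen": chosen, "hash": signature_hash(chosen) if chosen else None}


if __name__ == "__main__":
    for label, server in (("legacy-only", LEGACY_ONLY_SERVER),
                          ("sha256-capable", SHA256_SERVER)):
        print(label, negotiate_with_report(ASYNCSSH_CLIENT, server))
    print("SHA-1 names the client still offers:", sha1_algs(ASYNCSSH_CLIENT))
    print("4096-bit RSA for rsa2048-sha256:",
          key_allowed("x509v3-rsa2048-sha256", "rsa", 4096))
    print("1024-bit RSA for rsa2048-sha256:",
          key_allowed("x509v3-rsa2048-sha256", "rsa", 1024))
```

Against the legacy-only server the client silently lands on x509v3-ssh-rsa, i.e. a SHA-1 signature over the host key, even though it offered SHA-256; against the server that lists x509v3-rsa2048-sha256 the SHA-256 name wins because it sits ahead of x509v3-ssh-rsa in the client's list. The practical check on either side is therefore the ordering of the client list and whether the SHA-1 names are still offered at all, not the presence of the SHA-256 name alone.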