[ssh_x509] x509v3-ssh-rsa not working when server disable x509v3-rsa2048-sha256

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Tue Oct 19 00:29:31 EEST 2021


Hi Murugesh,

ssh_x509 at roumenpetrov.info wrote:
> Hi,
Sorry for the late reply.
Now I'm working on scp-over-sftp related issues and do not have enough spare time for other tasks.

> I am adding support to RFC6187 algorithms in my SSH server. We already
> supported the x509v3-sign-rsa and x509v3-sign-dss. Just adding support
> for RFC 6187 algorithms.
>
> I use pkixssh-13.1 as SSH client. I use the same user certificate
> which we used earlier for the x509v3-sign-rsa case. I see it works
> good, by first choosing x509v3-rsa2048-sha256. But when I disable the
> 'x509v3-rsa2048-sha256' in server side, I was expecting, the
> 'x509v3-ssh-rsa' will be chosen and should work good. But I see it is
> failing in client side itself:
>
> Here is the SSH server side config on pubkeyaccepted: Have removed the
> 'x509v3-rsa2048-sha256'
>
> PubkeyAcceptedKeyTypes
> x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,
Initially, by design, only host key algorithms could be chosen. There was no option for client and server to communicate the algorithms to use in the public key authentication process.
As a result, if the algorithm described in draft-ietf-secsh-transport-12 is not accepted by the server, the client falls back to the "plain" algorithm.
See https://securebox.termoneplus.com/man5/ssh_config.5.html#PubkeyAlgorithms.

Let's call the algorithms described in draft-ietf-secsh-transport-12 legacy.


There is an enhancement described in RFC 8308 (Extension Negotiation in the Secure Shell (SSH) Protocol).
The corresponding option is https://securebox.termoneplus.com/man5/sshd_config.5.html#AcceptedAlgorithms .
The extension is publickey-algorithms at roumenpetrov.info and, for compatibility, server-sig-algs is supported.

With the above extensions the server can now communicate the accepted public key algorithms to the client. The client will choose a suitable algorithm.


[snip]

In the absence of extensions the client could use PubkeyAlgorithms and HostbasedAlgorithms to limit algorithms.
Note that the client cannot test all algorithms. For instance, the complete list is x509v3-rsa2048-sha256, x509v3-ssh-rsa, x509v3-sign-rsa (sha1 and md5), rsa-sha2-256, rsa-sha2-512 and ssh-rsa. It could reach MaxAuthTries, by default 6, and the server will reject authentication.


Also, there is no plan to drop the ssh-rsa and ssh-dss algorithms, nor those from "draft-ietf-secsh-transport-12" (legacy).
For instance, Tectia does not support rsa and dss from RFC 6187. It supports "legacy" and, from RFC 6187, only ecdsa.

It is up to the server administrator to decide what to use. To exclude sha1 on the server side, AcceptedAlgorithms could be set to a pattern like this: x509v3-*sha256,*-ecdsa-*,rsa-sha2-*,*-ed25519.


> Please share your valuable comments.
>
> Thanks & Regards,
> Murugesh

Regards,
Roumen Petrov
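A quick way to check which of the algorithm names listed in the message would survive that AcceptedAlgorithms pattern before deploying it. This is an added example, not code from the original message or from PKIX-SSH; it assumes the option takes a comma-separated list of shell-style wildcard patterns with optional '!' negation, as documented for ssh_config PATTERNS, and the algorithm lists below are constructed from the names in the message.

```python
import fnmatch

# Algorithm names taken from the message (sha1/md5 variants of
# x509v3-sign-rsa share one name on the wire, so it appears once).
RSA_FAMILY = [
    "x509v3-rsa2048-sha256",
    "x509v3-ssh-rsa",
    "x509v3-sign-rsa",
    "rsa-sha2-256",
    "rsa-sha2-512",
    "ssh-rsa",
]

# The AcceptedAlgorithms pattern proposed in the message to exclude sha1.
NO_SHA1_PATTERN = "x509v3-*sha256,*-ecdsa-*,rsa-sha2-*,*-ed25519"


def matches_pattern_list(name: str, pattern_list: str) -> bool:
    """Assumed ssh_config PATTERNS semantics: comma-separated globs,
    a '!' prefix negates, a matching negated pattern rejects outright,
    otherwise at least one positive pattern must match."""
    got_positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            got_positive = True
    return got_positive


def filter_algorithms(names, pattern_list: str):
    """Return the subset of names the server would still accept."""
    return [n for n in names if matches_pattern_list(n, pattern_list)]


def rejected_algorithms(names, pattern_list: str):
    """Return the names the pattern drops, i.e. what clients can no longer use."""
    return [n for n in names if not matches_pattern_list(n, pattern_list)]


if __name__ == "__main__":
    print("accepted:", filter_algorithms(RSA_FAMILY, NO_SHA1_PATTERN))
    print("rejected:", rejected_algorithms(RSA_FAMILY, NO_SHA1_PATTERN))
```

Running it shows that the pattern keeps x509v3-rsa2048-sha256, rsa-sha2-256 and rsa-sha2-512 and drops the sha1-only names (x509v3-ssh-rsa, x509v3-sign-rsa, ssh-rsa), which is the situation a client without the extension would then probe through, one MaxAuthTries attempt at a time.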


