diff --git a/src/auth.c b/src/auth.c
index 36ad2ed5..0c0412a4 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -521,6 +521,17 @@ int ssh_userauth_try_publickey(ssh_session session,
 return SSH_AUTH_ERROR;
 }
 
+ /* Note, that this is intentionally before checking the signature type
+ * compatibility to make sure the possible EXT_INFO packet is processed,
+ * extensions recorded and the right signature type is used below
+ */
+ rc = ssh_userauth_request_service(session);
+ if (rc == SSH_AGAIN) {
+ return SSH_AUTH_AGAIN;
+ } else if (rc == SSH_ERROR) {
+ return SSH_AUTH_ERROR;
+ }
+
 /* Check if the given public key algorithm is allowed */
 sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type);
 if (sig_type_c == NULL) {
@@ -544,13 +555,6 @@ int ssh_userauth_try_publickey(ssh_session session,
 return SSH_AUTH_DENIED;
 }
 
- rc = ssh_userauth_request_service(session);
- if (rc == SSH_AGAIN) {
- return SSH_AUTH_AGAIN;
- } else if (rc == SSH_ERROR) {
- return SSH_AUTH_ERROR;
- }
-
 /* public key */
 rc = ssh_pki_export_pubkey_blob(pubkey, &pubkey_s);
 if (rc < 0) {
@@ -652,6 +656,17 @@ int ssh_userauth_publickey(ssh_session session,
 return SSH_AUTH_ERROR;
 }
 
+ /* Note, that this is intentionally before checking the signature type
+ * compatibility to make sure the possible EXT_INFO packet is processed,
+ * extensions recorded and the right signature type is used below
+ */
+ rc = ssh_userauth_request_service(session);
+ if (rc == SSH_AGAIN) {
+ return SSH_AUTH_AGAIN;
+ } else if (rc == SSH_ERROR) {
+ return SSH_AUTH_ERROR;
+ }
+
 /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */
 key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type;
 
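Review bot: The block moved to the top of ssh_userauth_try_publickey (@@ -521) treats only SSH_AGAIN and SSH_ERROR as failures, so any other non-success value from ssh_userauth_request_service() falls through to the ssh_key_get_signature_algorithm() call that the new comment says depends on it. Now that this call gates signature-type selection, failing closed is the safer shape: `} else if (rc != SSH_OK) {` in place of `} else if (rc == SSH_ERROR) {`. The identical block added to ssh_userauth_publickey in the @@ -652 hunk has the same shape. Whether ssh_userauth_request_service() can actually return anything else is not visible here, and the function body starts and ends outside the hunk.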
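Review bot: The ordering comment added in ssh_userauth_publickey (@@ -652) says the call is "intentionally before" the signature-type check but not what goes wrong if a later refactor moves it back, and the same text is pasted into ssh_userauth_try_publickey (@@ -521) and ssh_userauth_agent_publickey (@@ -769). Since this ordering decides which signature algorithm the client ends up offering, I would spell out the dependency, for example `/* Request the service first: the server may answer with EXT_INFO (RFC 8308), and the extensions it advertises must be recorded before the signature type is selected below. */`. Presumably the extension in question is server-sig-algs; naming it in the comment would help once that is confirmed. The function body starts and ends outside the hunk.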
@@ -678,13 +693,6 @@ int ssh_userauth_publickey(ssh_session session,
 return SSH_AUTH_DENIED;
 }
 
- rc = ssh_userauth_request_service(session);
- if (rc == SSH_AGAIN) {
- return SSH_AUTH_AGAIN;
- } else if (rc == SSH_ERROR) {
- return SSH_AUTH_ERROR;
- }
-
 /* get public key or cert */
 rc = ssh_pki_export_pubkey_blob(privkey, &str);
 if (rc < 0) {
@@ -769,6 +777,10 @@ static int ssh_userauth_agent_publickey(ssh_session session,
 return SSH_ERROR;
 }
 
+ /* Note, that this is intentionally before checking the signature type
+ * compatibility to make sure the possible EXT_INFO packet is processed,
+ * extensions recorded and the right signature type is used below
+ */
 rc = ssh_userauth_request_service(session);
 if (rc == SSH_AGAIN) {
 return SSH_AUTH_AGAIN;