mirror of
https://github.com/libssh2/libssh2.git
synced 2025-07-29 13:01:14 +03:00
Replicating OpenSSH's behavior to handle RSA certificate authentication differently based on the remote server version.

1. For OpenSSH versions >= 7.8, ascertain the server's support for RSA cert types by checking if the certificate's signature type is present in the `server-sig-algs`.
2. For OpenSSH versions < 7.8, set the "SSH_BUG_SIGTYPE" flag when the RSA key in question is a certificate to ignore `server-sig-algs` and only offer the ssh-rsa signature algorithm for RSA certs.

This arises from the fact that OpenSSH versions up to 7.7 accept RSA-SHA2 keys but not RSA-SHA2 certificate types. Although OpenSSH <= 7.7 includes RSA-SHA2 keys in the `server-sig-algs`, versions <= 7.7 do not actually support RSA certs. Therefore, a server sending RSA-SHA2 keys in `server-sig-algs` should not be interpreted as indicating support for RSA-SHA2 certs. So, `server-sig-algs` is ignored when the RSA key in question is a cert and the remote server version is 7.7 or below.

Relevant sections of the OpenSSH source code:
<https://github.com/openssh/openssh-portable/blob/V_8_9_P1/sshconnect2.c#L1191-L1197>
<https://github.com/openssh/openssh-portable/blob/master/compat.c#L43>

Assisted-by: Will Cosgrove
Reviewed-by: Viktor Szakats
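The decision rule described in the commit message, worked through as an added, self-contained C example. This is not libssh2's or OpenSSH's code: the function names (`parse_openssh_version`, `openssh_before_7_8`, `sig_alg_listed`, `choose_rsa_sig_alg`) are hypothetical, the banners and `server-sig-algs` lists are constructed inputs, and it assumes two things the message does not spell out: that the cert's signature type is looked up in `server-sig-algs` under the plain key algorithm name (e.g. `rsa-sha2-256`), and that a server which sends no `server-sig-algs` extension at all gets the legacy `ssh-rsa` fallback.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the OpenSSH version out of an SSH identification banner such as
 * "SSH-2.0-OpenSSH_7.7p1 Ubuntu-4ubuntu0.3". Returns 1 and fills
 * major/minor on success, 0 when the peer does not identify as OpenSSH. */
int parse_openssh_version(const char *banner, int *major, int *minor)
{
    const char *p = strstr(banner, "OpenSSH_");
    char *end;
    long maj, min;

    if(!p)
        return 0;
    p += strlen("OpenSSH_");
    maj = strtol(p, &end, 10);
    if(end == p || *end != '.')
        return 0;
    p = end + 1;
    min = strtol(p, &end, 10);
    if(end == p)
        return 0;
    *major = (int)maj;
    *minor = (int)min;
    return 1;
}

/* 1 when the server is OpenSSH older than 7.8 (the case where the commit
 * message sets SSH_BUG_SIGTYPE for certs), 0 otherwise. */
int openssh_before_7_8(const char *banner)
{
    int major, minor;
    if(!parse_openssh_version(banner, &major, &minor))
        return 0;
    return major < 7 || (major == 7 && minor < 8);
}

/* 1 when `name` is an exact element of the comma-separated
 * server-sig-algs name-list (RFC 8308), 0 otherwise. Prefix matches such
 * as "rsa-sha2" against "rsa-sha2-256" do not count. */
int sig_alg_listed(const char *server_sig_algs, const char *name)
{
    size_t n = strlen(name);
    const char *p = server_sig_algs;

    while(p && *p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if(len == n && memcmp(p, name, n) == 0)
            return 1;
        p = comma ? comma + 1 : NULL;
    }
    return 0;
}

/* Decide which signature algorithm to use for an RSA key or RSA cert.
 *  banner          - server identification string from the version exchange
 *  server_sig_algs - value of the server-sig-algs extension, or NULL if
 *                    the server sent none
 *  is_cert         - nonzero when the key is an RSA certificate
 *  sig_type        - the SHA-2 signature type we want, e.g. "rsa-sha2-256"
 * Returns sig_type when the server can be trusted to verify it, otherwise
 * the legacy "ssh-rsa". Assumption (not from the commit message): the
 * cert's signature type is looked up under the plain key algorithm name. */
const char *choose_rsa_sig_alg(const char *banner, const char *server_sig_algs,
                               int is_cert, const char *sig_type)
{
    /* OpenSSH <= 7.7 lists rsa-sha2-* in server-sig-algs but cannot verify
     * RSA-SHA2 certificate signatures, so for a cert the extension is
     * ignored and only ssh-rsa is offered. Plain RSA keys are unaffected. */
    if(is_cert && openssh_before_7_8(banner))
        return "ssh-rsa";

    /* Assumption: with no extension at all, nothing tells us SHA-2 is
     * supported, so fall back to ssh-rsa. */
    if(!server_sig_algs)
        return "ssh-rsa";

    /* OpenSSH >= 7.8 and other servers: trust the extension as sent. */
    return sig_alg_listed(server_sig_algs, sig_type) ? sig_type : "ssh-rsa";
}

int main(void)
{
    /* Constructed sample inputs, not captured from a real server. */
    const char *algs = "ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa";
    printf("7.7 cert: %s\n",
           choose_rsa_sig_alg("SSH-2.0-OpenSSH_7.7p1", algs, 1, "rsa-sha2-256"));
    printf("7.7 key : %s\n",
           choose_rsa_sig_alg("SSH-2.0-OpenSSH_7.7p1", algs, 0, "rsa-sha2-256"));
    printf("8.9 cert: %s\n",
           choose_rsa_sig_alg("SSH-2.0-OpenSSH_8.9", algs, 1, "rsa-sha2-256"));
    return 0;
}
```

The point of the version gate is visible in the first two `printf` lines: the same 7.7 banner and the same `server-sig-algs` list yield `ssh-rsa` for a cert but `rsa-sha2-256` for a plain key, which is exactly why the extension alone cannot be trusted for certs on those servers.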
23 lines
560 B
C
/* Copyright (C) The libssh2 project and its contributors.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include "runner.h"

int test(LIBSSH2_SESSION *session)
{
#if LIBSSH2_RSA_SHA2 && \
    (defined(LIBSSH2_OPENSSL) || defined(LIBSSH2_WOLFSSL))
    /* set in Dockerfile */
    return test_auth_pubkey(session, 0,
                            "libssh2",
                            NULL,
                            "key_rsa_sha2_256_signed-cert.pub",
                            "key_rsa_sha2_256_signed");
#else
    (void)session;
    return 0;
#endif
}