Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: OpenSSH 8.8 disabled RSA signatures using the SHA-1 hash algorithm #48758

Closed
fasmide opened this issue Oct 4, 2021 · 2 comments
Closed

x/crypto/ssh: OpenSSH 8.8 disabled RSA signatures using the SHA-1 hash algorithm #48758

fasmide opened this issue Oct 4, 2021 · 2 comments
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@fasmide
Copy link

fasmide commented Oct 4, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.8 linux/amd64

Does this issue reproduce with the latest release?

Though I didn't test it, I think it would reproduce, as this is most likely an issue with the ssh package and not so much golang itself.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/fas/.cache/go-build"
GOENV="/home/fas/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/fas/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/fas/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/snap/go/8408"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/snap/go/8408/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16.8"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/fas/github.com/fasmide/sshdtests/server/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build725442376=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I tried out the ssh.NewServerConn example - and used the latest OpenSSH client (8.8p1)

Using golang.org/x/crypto v0.0.0-20210921155107-089bfa567519

What did you see instead?

# ssh -p2022 172.17.0.1
Unable to negotiate with 172.17.0.1 port 2022: no matching host key type found. Their offer: ssh-rsa

So what is this?

I think the ssh package doesn't implement RFC8332, which in turn also needs RFC8308 in order to work.

As far as I can tell, this makes it impossible for the ssh package to provide RSA based verification using stronger algorithms such as rsa-sha2-256 or rsa-sha2-512
@gopherbot gopherbot added this to the Unreleased milestone Oct 4, 2021
@mpx
Copy link
Contributor

mpx commented Oct 4, 2021

This is #39885

@fasmide
Copy link
Author

fasmide commented Oct 4, 2021
edited
Loading

@mpx Yes it is! thanks! - I was unable to apply the necessary search terms :)

@fasmide fasmide closed this as completed Oct 4, 2021
@golang golang locked and limited conversation to collaborators Oct 4, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
3 participants
@fasmide @mpx @gopherbot