Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificate type is set to ssh-rsa-cert-v01@openssh.com which is deprecated in new openssh #133

Closed
tierpod opened this issue Aug 8, 2022 · 5 comments · Fixed by #140
Closed

Comments

@tierpod
Copy link
Contributor

tierpod commented Aug 8, 2022

Hello. It's not a problem with signmykey, but with x/crypto/ssh library. When local signer is used, ssh certificate type is set to ssh-rsa-cert-v01@openssh.com which is deprecated in new openssh versions.

I found some similar issues. As I understood, this library will be updated to set valid type:

but for now, there are a couple of workarounds:

  • Add PubkeyAcceptedKeyTypes +ssh-rsa-cert-v01@openssh.com to ~/.ssh/config
  • Use different ssh key type: ssh-keygen -t ed25519
@pablo-ruth
Copy link
Contributor

Hello @tierpod,
Thanks for reporting this issue. I just hit the same problem on my laptop after upgrading Ubuntu to 22.04. My signmykey server is using Vault as a Signer backend and, like described in the Vault issue you linked, the certificate type is set to ssh-rsa-cert-v01@openssh.com too with my RSA key.
For the moment signmykey defaults to ~/.ssh/id_rsa.pub to get and sign the public key of the user. I'm thinking about searching for more "common" paths (~/.ssh/id_ecdsa and ~/.ssh/id_ed25519) and sign all keys found. It keeps the backward compatibility and at the same time allow using signmykey with new key types without explicitly configuring it in the config.
What are your thoughts about it ?

@tierpod
Copy link
Contributor Author

tierpod commented Aug 9, 2022

Actually it makes sense, according to man ssh:

-i identity_file
... The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and ~/.ssh/id_rsa.

If key is not set, we can search these files and sign all keys found.

Do you want me to investigate this and suggest PR? At first sight, it may take some time, because we have to deal with list of keys instead of one.

@pablo-ruth
Copy link
Contributor

Ok great, yes I'll happily let you submit a PR on this if you have time, and we will iterate on it since it will need many changes I think :)

@pablo-ruth
Copy link
Contributor

And feel free to rework complete functions and remove unnecessary code if needed.

@pablo-ruth
Copy link
Contributor

Hi @tierpod,

I just released v0.7.0 of signmykey with your PRs. So now we have support for multiple keys by default and warning message for the end user when they receive a certificate signed with a deprecated algorithm. Thanks again for your contribution :)

I keep this one open to keep track of the issue of the generated certificate type by signmykey signer. The specific issue on Go x/crypto/ssh seems to be here: golang/go#36261

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants