IETF-SSH archive
RE: Feedback on draft-ssh-ext-info-00
On Wed, 2 Dec 2015, Peter Gutmann wrote:
> Markus Friedl <mfriedl%gmail.com@localhost> writes:
>
> >I'm in the process of implementing draft-rsa-dsa-sha2-256-03 and welcome a
> >way for signaling SHA2 support to the client for userauth,
>
> Doesn't the presence of "rsa-sha2-256" do this? The client proposes it, and
> if the server supports it, they indicate via the algorithm string. It's
> pretty much independent of draft-ssh-ext-info-00 (I know it specifies
> "server-sig-algs", but it seems that specifying "rsa-sha2-256" was already
> sufficient to indicate this).

The problem is that, for a client to test whether rsa-sha2-256 is supported,
it must make publickey userauth with an included signature. A
signature-free PK_OK-style request won't do since the key blob just
contains ssh-rsa and not the signature algorithm.

Making a signature-ful request means unwrapping the private key and,
depending on the implementation, burning an authentication attempt
at the server.

Even then, the client only gets back a USERAUTH_FAILURE that doesn't
indicate whether the attempt was refused because of the key itself,
additional restrictions on the key or because the signature algorithm
is not supported.

-d
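
Added example, not part of the original message: a Python sketch of the two wire structures discussed in the thread, showing that an RSA key blob names only "ssh-rsa" while a "server-sig-algs" extension lets the client pick the signature algorithm before any signed request. The SSH_MSG_EXT_INFO number and layout are taken from RFC 8308 (assumed to match the draft), the function names are hypothetical, and the key and message bytes are constructed samples.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number as published in RFC 8308 (assumption)

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def mpint(value: int) -> bytes:
    """RFC 4251 mpint for a non-negative integer (0x00 pad if top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b""
    return ssh_string(raw)

def read_string(buf: bytes, off: int):
    """Return (bytes, next_offset); reject lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ext_info(payload: bytes) -> dict:
    """Parse SSH_MSG_EXT_INFO into {extension-name: raw value bytes}."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = read_string(payload, off)
        value, off = read_string(payload, off)
        exts[name.decode("ascii")] = value
    return exts

def choose_rsa_sig_alg(exts: dict, preferred=("rsa-sha2-256",)) -> str:
    """Pick a signature algorithm from server-sig-algs without a signed probe."""
    offered = exts.get("server-sig-algs", b"").decode("ascii").split(",")
    for alg in preferred:
        if alg in offered:
            return alg
    return "ssh-rsa"  # policy assumption: fall back when nothing is advertised

# Constructed samples: a toy RSA public key blob and a server's EXT_INFO.
KEY_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(0xC5A1F3)
EXT_INFO = (bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", 1)
            + ssh_string(b"server-sig-algs")
            + ssh_string(b"ssh-rsa,rsa-sha2-256"))

if __name__ == "__main__":
    print("key blob algorithm:", read_string(KEY_BLOB, 0)[0].decode())
    print("signature algorithm:", choose_rsa_sig_alg(parse_ext_info(EXT_INFO)))
```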