Re: Feedback on draft-ssh-ext-info-00

To: Damien Miller <djm%mindrot.org@localhost>
Subject: Re: Feedback on draft-ssh-ext-info-00
From: Markus Friedl <mfriedl%gmail.com@localhost>
Date: Thu, 3 Dec 2015 09:55:50 +0100

Am 03.12.2015 um 00:54 schrieb Damien Miller <djm%mindrot.org@localhost>:

The problem is that, for a client to test whether rsa-sha2-256 is supported,
it must make publickey userauth with an included signature. A
signature free PK_OK style request won't do since the key blob just
contains ssh-rsa and not the signature algorithm.

For PK_OK the format is:

string pkalg = { ssh-rss | rsa-sha2-512 }

string keyblob

so the server can tell the difference without having an actual signature.

However, many severs count these PK_OK checks as an authentication

error, so looping over possible signature encodings will break setups.

-m

References:
- Feedback on draft-ssh-ext-info-00
  - From: Damien Miller
- Re: Feedback on draft-ssh-ext-info-00
  - From: Markus Friedl
- RE: Feedback on draft-ssh-ext-info-00
  - From: Peter Gutmann
- RE: Feedback on draft-ssh-ext-info-00
  - From: Damien Miller

Prev by Date: Re: Feedback on draft-ssh-ext-info-00
Next by Date: Re: Feedback on draft-ssh-ext-info-00
Previous by Thread: Re: Feedback on draft-ssh-ext-info-00
Next by Thread: Re: Feedback on draft-ssh-ext-info-00
Indexes:

Home | Main Index | Thread Index | Old Index