IETF-SSH archive


Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1



Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>OpenSSH in general does not; I have connected and do connect to plenty of
>OpenSSH boxen with no MTI trouble at all.

It's not just the keyex; there are other MTIs as well.  In particular, the
trace I posted doesn't have any of the MTI cipher modes...

>Because the host key is used to sign the kex hash, and it's an ssh-rsa key,
>so its signatures are defined to use SHA-1.

Not necessarily.  There was discussion about this on the list some years ago.
The problem is that there are three different (redundant) locations where the
key/sig type is specified; the outcome was that rsa-sha2-256 overrides the
more generic ssh-rsa if it's used somewhere.  In other words, "ssh-rsa" is just
generic RSA, and then the more specific rsa-sha2-256 is explicitly RSA with
SHA-2 if you want that.

>I should go looking for specs to implement rsa-sha2-256 and rsa-sha2-512; I
>was not previously aware they existed....)

"Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol",
RFC 8332.  The draft also explains the rsa-sha2-256 vs. ssh-rsa convention.

Peter.
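
The ssh-rsa vs. rsa-sha2-256 convention discussed above, as an added example that is not part of the original message: under RFC 8332 the host key blob keeps the "ssh-rsa" format name while the signature blob carries its own algorithm name, and that name determines the hash. The function name, the reading of the three locations as negotiated name, key blob and signature blob, and the sample blobs are assumptions constructed for illustration.

```python
import struct

# Signature algorithm name -> hash (RFC 4253 for ssh-rsa, RFC 8332 for rsa-sha2-*).
SIG_HASH = {"ssh-rsa": "SHA-1", "rsa-sha2-256": "SHA-256", "rsa-sha2-512": "SHA-512"}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int = 0):
    """Decode one SSH 'string' at off; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[off + 4:end], end

def classify(negotiated: str, key_blob: bytes, sig_blob: bytes) -> dict:
    """Report the name found at each location and the hash the signature uses."""
    key_fmt = read_string(key_blob)[0].decode("ascii")
    sig_alg = read_string(sig_blob)[0].decode("ascii")
    if key_fmt != "ssh-rsa" or sig_alg not in SIG_HASH:
        raise ValueError("not an RSA host key / signature")
    return {
        "negotiated": negotiated,            # name agreed in KEXINIT
        "key_format": key_fmt,               # stays "ssh-rsa" even for SHA-2 signatures
        "signature_algorithm": sig_alg,      # the name inside the signature blob
        "hash": SIG_HASH[sig_alg],           # decided by the signature blob's name
        "matches_negotiation": sig_alg == negotiated,
    }

# Constructed sample blobs: placeholder e/n values and dummy 256-byte signatures.
KEY_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\xc3" * 256))
SIG_SHA2 = ssh_string(b"rsa-sha2-256") + ssh_string(b"\xaa" * 256)
SIG_SHA1 = ssh_string(b"ssh-rsa") + ssh_string(b"\xbb" * 256)

if __name__ == "__main__":
    print(classify("rsa-sha2-256", KEY_BLOB, SIG_SHA2))
    print(classify("ssh-rsa", KEY_BLOB, SIG_SHA1))
```

The same "ssh-rsa" key blob yields SHA-256 in the first call and SHA-1 in the second; only the signature blob's name differs.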
