
gitlab-sshd: Update crypto module to fix RSA keys with old gpg-agent

Stan Hu requested to merge sh-update-crypto-lib into main

When we put gitlab-sshd in production, we noticed a number of clients using RSA keys would fail to log in. The server would report:

ssh: signature "ssh-rsa" not compatible with selected algorithm "rsa-sha2-512"

This is reproducible on Ubuntu 18.04, which ships gpg-agent v2.2.4 and OpenSSH v7.6. That version of gpg-agent does not support rsa-sha2-256 or rsa-sha2-512, but OpenSSH does. As a result, OpenSSH specifies rsa-sha2-512 as the public key algorithm to use in the user authentication request message, but gpg-agent includes an ssh-rsa signature. OpenSSH servers tolerate this discrepancy, but the Go implementation fails because it expects a strict match.

This commit pulls in golang-crypto!9 (merged) to fix the problem.

Relates to:

  1. https://github.com/golang/go/issues/53391
  2. #587 (closed)
Edited by Stan Hu
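
The mismatch described above, sketched as an added Go example (not code from gitlab-sshd, golang-crypto or this merge request): it reads the format name from a signature blob and compares it with the algorithm named in the authentication request, once strictly and once tolerantly. All function names are hypothetical, the tolerant rule (any RSA signature format accepted for any RSA request algorithm) is an assumption, and the sample blob is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// sigFormat returns the format name (uint32 length + bytes) that leads an SSH signature blob.
func sigFormat(blob []byte) (string, error) {
	if len(blob) < 4 || uint64(binary.BigEndian.Uint32(blob)) > uint64(len(blob)-4) {
		return "", errors.New("truncated signature blob")
	}
	return string(blob[4:][:binary.BigEndian.Uint32(blob)]), nil
}

func isRSA(name string) bool {
	return name == "ssh-rsa" || name == "rsa-sha2-256" || name == "rsa-sha2-512"
}

// strictMatch requires the signature format to equal the request algorithm.
func strictMatch(reqAlgo, format string) bool { return reqAlgo == format }

// tolerantMatch (assumed rule) also accepts any RSA format for an RSA request.
func tolerantMatch(reqAlgo, format string) bool { return reqAlgo == format || (isRSA(reqAlgo) && isRSA(format)) }

// checkSig applies a match rule to the algorithm named in the request.
func checkSig(reqAlgo string, blob []byte, match func(a, f string) bool) error {
	format, err := sigFormat(blob)
	if err != nil {
		return err
	}
	if !match(reqAlgo, format) {
		return fmt.Errorf("ssh: signature %q not compatible with selected algorithm %q", format, reqAlgo)
	}
	return nil
}

// sampleBlob builds a constructed blob: format name plus an empty signature.
func sampleBlob(format string) []byte {
	b := []byte{0, 0, 0, byte(len(format))} // names used here are under 256 bytes
	return append(append(b, format...), 0, 0, 0, 0)
}

func main() {
	blob := sampleBlob("ssh-rsa") // format the old gpg-agent puts in the signature
	fmt.Println(checkSig("rsa-sha2-512", blob, strictMatch), "|", checkSig("rsa-sha2-512", blob, tolerantMatch))
}
```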
