Relax RSA signature check

Stan Hu requested to merge sh-relax-rsa-sig-check into master

Buggy SSH clients, such as gpg-agent v2.2.4 and OpenSSH v7.6 shipped in Ubuntu 18.04, may send ssh-rsa-512 as the public key algorithm but actually include an rsa-sha signature.

According to https://datatracker.ietf.org/doc/html/rfc8332#section-3.2:
A server MAY, but is not required to, accept this variant or another variant that corresponds to a good-faith implementation and is considered safe to accept.

We relax this constraint: if the SSH_MSG_USERAUTH_REQUEST message includes an RSA public key, then we allow any of the following signature types:

  • rsa-sha-512
  • rsa-sha-256
  • rsa-sha

This is what OpenSSH does.

Relates to https://github.com/golang/go/issues/53391

Edited by Stan Hu
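
The relaxed check described above, as an added example that is not code from this merge request: for an RSA key, a strict server requires the signature blob's format to equal the algorithm named in the request, while the relaxed server accepts any RSA format and verifies with the digest the signature blob names. The strings are the wire names from RFC 4253 and RFC 8332 (`ssh-rsa`, `rsa-sha2-256`, `rsa-sha2-512`); `checkRSASigFormat`, `rsaDigest` and `errSigFormat` are hypothetical names, and the inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// rsaDigest maps each signature format an RSA key can produce (wire names
// from RFC 4253 and RFC 8332) to the digest needed to verify it.
var rsaDigest = map[string]string{
	"ssh-rsa":      "SHA-1",
	"rsa-sha2-256": "SHA-256",
	"rsa-sha2-512": "SHA-512",
}

var errSigFormat = errors.New("signature format not acceptable for RSA key")

// checkRSASigFormat is called once the public key blob is known to be RSA.
// reqAlgo is the "public key algorithm name" field of the request and
// sigFormat is the format string inside the signature blob.
// It returns the digest the verifier must use.
func checkRSASigFormat(reqAlgo, sigFormat string, relaxed bool) (string, error) {
	digest, ok := rsaDigest[sigFormat]
	if !ok {
		return "", errSigFormat // signature belongs to another key family
	}
	if _, ok := rsaDigest[reqAlgo]; !ok {
		return "", errSigFormat // request names a non-RSA algorithm
	}
	if !relaxed && sigFormat != reqAlgo {
		return "", errSigFormat // strict: the two names must agree
	}
	// Relaxed: the digest follows the signature blob, not the request field.
	return digest, nil
}

func main() {
	// Constructed case: request names rsa-sha2-512, signature blob is ssh-rsa.
	for _, relaxed := range []bool{false, true} {
		digest, err := checkRSASigFormat("rsa-sha2-512", "ssh-rsa", relaxed)
		fmt.Printf("relaxed=%v digest=%q err=%v\n", relaxed, digest, err)
	}
}
```

Because the relaxed path can end up verifying a SHA-1 signature for a request that advertised SHA-512, a server that has disabled `ssh-rsa` by policy should apply that policy to the signature format as well as to the requested algorithm.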
