Skip to content

Relax RSA signature check

Stan Hu requested to merge sh-relax-rsa-sig-check into master

Buggy SSH clients, such as gpg-agent v2.2.4 and OpenSSH v7.6 shipped in Ubuntu 18.04, may send ssh-rsa-512 as the public key algorithm but actually include a rsa-sha signature.

According to
A server MAY, but is not required to, accept this variant or another variant that corresponds to a good-faith implementation and is considered safe to accept.

We relax this constraint: if the SSH_MSG_USERAUTH_REQUEST message includes an RSA public key, then we allow any of the following signature types:

  • rsa-sha-512
  • rsa-sha-256
  • rsa-sha

This is what OpenSSH does.

Relates to

Edited by Stan Hu

Merge request reports