gpg-agent on Ubuntu 18.04 does not support rsa-sha2-512 and rsa-sha2-256 signature algorithms for SSH
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnupg2 (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
On Ubuntu 18.04 with a Yubikey RSA key, we noticed SSH logins were failing when we switched our SSH server out from OpenSSH to a custom Golang SSH server.
We noticed that gpg-agent v2.2.6 fixes this problem via https:/
As described in https:/
```
byte SSH_MSG_
string user name
string service name
string "publickey"
boolean TRUE
string "rsa-sha2-512" <--- 1 - Public key algorithm name (algo) (https:/
string public key blob:
string "ssh-rsa" <--- 2 - Public key type (pubKey.Type())
mpint e
mpint n
string signature:
string "rsa-sha2-512" <--- 3 - Signature format (sig.Format)
string rsa_signature_blob
```
If a SSH server mandates that 1 and 3 match, the login will fail. OpenSSH is a bit more relaxed here in that as long as 3 is either `ssh-rsa`, `rsa-sha2-256`, or `rsa-sha2-512`, the signature verification is still allowed to proceed.
This problem occurs because while OpenSSH v7.6 supports these new algorithms, gpg-agent doesn't know about them, so it just passes along `ssh-rsa` in 3.