Add support for RFC8332 (rsa-sha2-512 and rsa-sha2-256) #536
Comments
|
@willco007 Can you look into this? I verified both the java ssh library and the original libssh support this but couldn't do so for this library. |
|
@WSLUser My time is very limited at the moment, but I do have an outstanding issue on our own internal tracker about supporting these key types so there is hope. :) I would recommend ec keys for the time being. |
|
It's the same keys, just different algorithm. ssh-rsa uses sha-1, which is now considered insecure. The RFC introduced a sha2 variant that works with existing keys. Problem with this library is that it doesn't permit using the newer algorithm with the existing key. Based on the implementation I saw in the java ssh library, it shouldn't be terribly difficult to add support for but is beyond my personal experience to implement. |
willco007
changed the title
willco007
changed the title
|
I have an implementation working on my private fork. We'll give a once over and land it soon-ish. Thanks for the report! |
WSLUser
changed the title
WSLUser
changed the title
|
@willco007 Now the holidays are finishing up, can you pick this back up with the once over? Love to see these get added before the next release of libssh2! |
|
This patch just went through my QA department and looks good to go. I will try and get it merged in next week time permitting. |
|
Friendly reminder. I see it hasn't been added yet but you're throwing up other PRs. Want to be sure this isn't missed. |
|
Ping! Any progress? |
|
Sorry but my time is very limited at the moment. The plan is to get 1.9.1 out the door and then circle back around to adding this. |
|
Hey, I'm on the Git Protocols team at GitHub, and we're responsible for the service that terminates and serves Git connections, including connections over SSH. We're in the process of planning some changes to the algorithms we support over SSH. Specifically, we're looking into getting rid of most support for SHA-1, since it's dangerously weak. This includes, tentatively, prohibiting newly added RSA keys from using SHA-1, but allowing existing RSA keys to continue using it. libssh2 is one of the largest clients we see still using RSA with SHA-1, and it would be great if it were possible for it to support RSA with SHA-256 and SHA-512. I realize that libssh2 offers other algorithms which are secure, but users may wish to use RSA keys in the future. We're still looking at options and we'll announce plans more openly when we're more definitive on them, but we wanted to reach out on this issue and inform you of our current intentions. We realize your time is limited, so we wanted to give you as much advance notice as possible. Feel free to let me know if you have any questions. |
|
PR is pending for the OpenSSL backend. If anyone is interested it'd be great to get some eyes on it once it passes CI. |
Notes: * Host Key RSA 256/512 support #536 * Client side key hash upgrading for RFC 8332 * Support for server-sig-algs, ext-info-c server messages * Customizing preferred server-sig-algs via the preference LIBSSH2_METHOD_SIGN_ALGO Credit: Anders Borum, Will Cosgrove
|
Hello. Thank you so much for maintaining this library! As you can probably guess, I maintain software that uses libssh2 to talk to Github and am curious when you plan to release this update? No rush, but your estimate would weigh on our discussion to either carry patches vs just wait for a regular release. |
|
To tag onto Justin's comment above with some testing results: we found that a build of 1.10.0 with the changeset in /libssh2/libssh2@64a555d6f5aafed504a10e5b756e85c91b1d56ce restored the ability of libgit2 to communicate with GitHub over SSH using RSA keys during yesterday's brownout of SHA-1 support. GitHub plans to drop SHA-1 permanently on March 15th as mentioned by @bk2204 . It looks like there are other relevant patches in the post-1.10.0 history that fix some memory issues and a tagged release would roll those up. |
|
Let's get a release out. Whenever @willco007 feels it's a good time really. |
|
@bagder We're in good shape, I was thinking of landing the banner PR, if you want to take a look and land it (?), before the release since people have wanted it for years now. The rest can wait given this should roll out sooner rather than later. |
|
ok, I'll take #610 for a spin first thing tomorrow |
|
I landed two Agent fixes for sha2 upgrading yesterday/today. Those changes should conclude work on this feature when using the OpenSSL backend. Other backends need to do a small bit of work to get this feature; hopefully someone using them will pick up the torch. |
|
Do you have an ETA on a release with this fix? We just want to know if we should ship our own build in our upcoming release. |
|
@justinstoller I would say soon, maybe by late next week. We're looking at one last PR which is pretty much done and then we need to wrap up the release notes, etc. There have been a couple straggling bugs that have come in so we need to make sure they are flushed out before general release. |
|
Is there still a release version for this in the works? |
|
Hi, This support of rsa-sha2-512 and rsa-sha2-256 seems to be important to connect to recent OS having updated their crypto policies (for example RHEL 9, most likely others). It seems it's committed in the master branch, but not released yet. Do you know already when a new libssh2 release will be cut ? Cheers, |
|
I maintain the libgit2 bindings for the R programming language, and we also have many users asking for this. As there is no release happening, I am planning to just vendor the current master branch of libssh2 into my libgit2 build. From the people that have tested this, does master seem stable, or are there potential regressions? |
|
does libssh2 support for rsa-sha2-512 and rsa-sha2-256. |
|
Looks like SHA-2 support has landed in libssh2 1.11.0 on 2023-05-30 and this ticket could be closed (https://libssh2.org/changes.html#1.11.0). |
OpenSSH 8.8 turns off the hostkey algorithm 'ssh-rsa' by default. See: https://www.openssh.com/txt/release-8.8 Unfortunately, libssh2 (and therefore libgit2) do not yet support the newer sha2-based ssh hostkey algorithms. See upstream issue: libssh2/libssh2#536 This explicitly re-enables ssh-rsa on the sshd that is spun up for testing to ensure that libgit2 can handshake with it again.
Describe the bug
A clear and concise description of what the bug is.
An application using this library is unable to connect to a couple hosts due to switching to ssh-rsa-sha2 and dropping ssh-rsa (which is considered insecure).
To Reproduce
Steps to reproduce the behavior.
Use an application that makes use of this library on a host that supports OpenSSH 7.2 or newer. The hosts I used are on Fedora 31, which uses OpenSSH 8.1.
A recipe or example code that reproduces the problem? A stack trace from a crash
Expected behavior
A clear and concise description of what you expected to happen.
I expect the ability to harden my ssh configuration without losing ability to connect to hosts with an application due to
the underlying ssh library.
Version (please complete the following information):
Additional context
Add any other context about the problem here.
See https://tools.ietf.org/html/rfc8332 as linked in https://www.openssh.com/specs.html
Also see https://github.com/jtesta/ssh-audit to see what should be supported from a hardening perspective.
The text was updated successfully, but these errors were encountered: