Bug#998619: openssh-server: server-sig-algs
Package: openssh-server
Version: 1:8.4p1-5
Severity: normal
X-Debbugs-Cc: rafael_zzl@yahoo.com.br
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
After changing all key and kex values in sshd_config so that sshd uses only "curve25519" algorithms, running "sshd -T" shows everything all right, but when connecting I get:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
* What exactly did you do (or not do) that was effective (or ineffective)?
sshd_config:
kexalgorithms curve25519-sha256
hostbasedacceptedkeytypes ssh-ed25519
hostkeyalgorithms ssh-ed25519
pubkeyacceptedkeytypes ssh-ed25519
ciphers chacha20-poly1305@openssh.com
HostKey /etc/ssh/ssh_host_ed25519_key
casignaturealgorithms ssh-ed25519
macs hmac-sha2-512-etm@openssh.com
gssapikexalgorithms gss-curve25519-sha256-
Port 22
AddressFamily inet
SyslogFacility AUTHPRIV
LogLevel INFO
LoginGraceTime 15s
PermitRootLogin yes
StrictModes yes
MaxAuthTries 2
MaxSessions 5
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
AuthorizedPrincipalsFile none
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Compression delayed
Subsystem sftp /usr/libexec/openssh/sftp-server
output of "sshd -T":
port 22
addressfamily inet
listenaddress 0.0.0.0:22
usepam yes
logingracetime 15
x11displayoffset 10
maxauthtries 2
maxsessions 5
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts yes
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes
gssapikeyexchange no
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
gssapikexalgorithms gss-curve25519-sha256-
passwordauthentication no
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd no
printlastlog yes
x11forwarding no
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
compression yes
gatewayports no
usedns no
allowtcpforwarding no
allowagentforwarding no
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers chacha20-poly1305@openssh.com
macs hmac-sha2-512-etm@openssh.com
banner none
forcecommand none
chrootdirectory none
trustedusercakeys none
revokedkeys none
securitykeyprovider internal
authorizedprincipalsfile none
versionaddendum none
authorizedkeyscommand none
authorizedkeyscommanduser nobody
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256
casignaturealgorithms ssh-ed25519
hostbasedacceptedkeytypes ssh-ed25519
hostkeyalgorithms ssh-ed25519
pubkeyacceptedkeytypes ssh-ed25519
loglevel INFO
syslogfacility AUTHPRIV
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_ed25519_key
authenticationmethods any
subsystem sftp /usr/libexec/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no
pubkeyauthoptions none
* What was the outcome of this action?
Yet I can't get "server-sig-algs" to list ssh-ed25519 only.
* What outcome did you expect instead?
server-sig-algs server offers changed from:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
to:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519>
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-9-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.77
ii dpkg 1.20.9
ii libaudit1 1:3.0-2
ii libc6 2.31-13+deb11u2
ii libcom-err2 1.46.2-2
ii libcrypt1 1:4.4.18-4
ii libgssapi-krb5-2 1.18.3-6+deb11u1
ii libkrb5-3 1.18.3-6+deb11u1
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpam0g 1.4.0-9+deb11u1
ii libselinux1 3.1-3
ii libssl1.1 1.1.1k-1+deb11u1
ii libsystemd0 247.3-6
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii openssh-client 1:8.4p1-5
pn openssh-sftp-server <none>
ii procps 2:3.3.17-5
ii runit-helper 2.10.3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 247.3-6
pn ncurses-term <none>
ii xauth 1:1.1-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
ii ssh-askpass 1:1.2.4.1-10+b1
pn ufw <none>
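The report above compares what the server advertises in the server-sig-algs extension with what it was configured to accept. The script below is an added example (not part of the bug report or of OpenSSH) that automates that comparison: it pulls the server-sig-algs list out of client debug output, reads the effective pubkey key types from "sshd -T" output, and lists every advertised algorithm that the configuration does not accept. Both inputs are constructed samples in the same shape as the report's output; the `pubkeyacceptedalgorithms` keyword is checked as well because OpenSSH 8.5 renamed PubkeyAcceptedKeyTypes to that name. Note that server-sig-algs (RFC 8308) is only a hint to the client about which key types to try; authentication is still governed by the configured PubkeyAccepted list, so a mismatch like this one is confusing for clients rather than a weakening of what the server accepts.

```python
import re

# Constructed sample: client-side "ssh -v" output, same shape as the report's debug1 line.
SSH_DEBUG_OUTPUT = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256>
debug1: Authentications that can continue: publickey
"""

# Constructed sample: the relevant part of "sshd -T" on the server.
SSHD_T_OUTPUT = """\
kexalgorithms curve25519-sha256
hostkeyalgorithms ssh-ed25519
pubkeyacceptedkeytypes ssh-ed25519
ciphers chacha20-poly1305@openssh.com
"""

# The extension value is printed as server-sig-algs=<a,b,c>.
EXT_INFO_RE = re.compile(r"server-sig-algs=<([^>]*)>")


def parse_server_sig_algs(debug_output):
    """Return the algorithms the server advertised in server-sig-algs, in order."""
    match = EXT_INFO_RE.search(debug_output)
    if not match:
        return []
    return [alg for alg in match.group(1).split(",") if alg]


def parse_sshd_t(output):
    """Parse "sshd -T" output (lowercase keyword, space, value) into a dict."""
    settings = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        settings[keyword.lower()] = value.strip()
    return settings


def accepted_pubkey_algs(settings):
    """Effective public key algorithms sshd accepts for user authentication.

    "sshd -T" prints the fully expanded list, so no +/-/^ prefix handling is needed.
    PubkeyAcceptedAlgorithms (8.5+) is preferred over the older PubkeyAcceptedKeyTypes.
    """
    for keyword in ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes"):
        if keyword in settings:
            return set(settings[keyword].split(","))
    return set()


def advertised_but_not_accepted(debug_output, sshd_t_output):
    """Algorithms the server hints at but would not accept for pubkey auth."""
    advertised = parse_server_sig_algs(debug_output)
    accepted = accepted_pubkey_algs(parse_sshd_t(sshd_t_output))
    return [alg for alg in advertised if alg not in accepted]


if __name__ == "__main__":
    extra = advertised_but_not_accepted(SSH_DEBUG_OUTPUT, SSHD_T_OUTPUT)
    if extra:
        print("advertised in server-sig-algs but not in the accepted list:")
        for alg in extra:
            print("  " + alg)
    else:
        print("server-sig-algs matches the configured pubkey algorithms")
```

On a real host, feed the script the output of `ssh -v user@host 2>&1` and `sshd -T` (run as root) instead of the embedded samples; an empty result means the hint and the configuration agree.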