Bug#991130: marked as done (Manpage: CASignatureAlgorithms mentions a wrong default)



Your message dated Wed, 23 Feb 2022 19:16:34 +0000
with message-id <YhaIEqSBL0XCI4l8@riva.ucam.org>
and subject line Re: Bug#991130: Manpage: CASignatureAlgorithms mentions a wrong default
has caused the Debian Bug report #991130,
regarding Manpage: CASignatureAlgorithms mentions a wrong default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991130: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991130
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:7.9p1-10+deb10u2
Severity: normal

Dear Maintainer,

on a current unreleased Debian bullseye (openssh-server 1:8.4p1-5)
the sshd_config(5) mentions the CASignatureAlgorithms 
with a wrong default: 

|    CASignatureAlgorithms
|            Specifies which algorithms are allowed for signing of certifi-
|            cates by certificate authorities (CAs).  The default is:
|
|                  ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|                  ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
| 
|            Certificates signed using other algorithms will not be accepted
|            for public key or host-based authentication.


The ssh-rsa algorithm is not in the default set of algorithms, as it
seems (tested with the above server version: after setting the
CASignatureAlgorithms option to the (mistakenly) documented default,
SSH certificates with RSA signatures worked again).

This should be clearly stated in this section.

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:8.7p1-1

On Thu, Jul 15, 2021 at 08:35:29AM +0200, Heiko Schlittermann (HS12-RIPE) wrote:
> on a current unreleased Debian bullseye (openssh-server 1:8.4p1-5)
> the sshd_config(5) mentions the CASignatureAlgorithms 
> with a wrong default: 
> 
> |    CASignatureAlgorithms
> |            Specifies which algorithms are allowed for signing of certifi-
> |            cates by certificate authorities (CAs).  The default is:
> |
> |                  ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
> |                  ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> | 
> |            Certificates signed using other algorithms will not be accepted
> |            for public key or host-based authentication.
> 
> 
> The ssh-rsa algorithm is not in the default set of algorithms, as it
> seems (tested with the above server version: after setting the
> CASignatureAlgorithms option to the (mistakenly) documented default,
> SSH certificates with RSA signatures worked again).
> 
> This should be clearly stated in this section.

This was fixed in OpenSSH 8.6:

  https://github.com/openssh/openssh-portable/commit/53ea05e09b

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---
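
An added example, not part of the original messages or of OpenSSH itself: rather than trusting the documented default, compare it with the list the server actually enforces, as printed by `sshd -T`. The `sshd -T` output embedded below is a constructed sample consistent with the report (ssh-rsa absent), and the function names are hypothetical.

```shell
#!/bin/sh
# Compare the CASignatureAlgorithms default documented in sshd_config(5)
# with the effective list reported by the server.

# Default as quoted from the manpage in the bug report above.
DOCUMENTED='ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# Read `sshd -T` output on stdin and print the effective list.
effective_ca_algs() {
    awk 'tolower($1) == "casignaturealgorithms" { print $2; exit }'
}

# Print each algorithm of comma-separated list $1 that is absent from list $2.
missing_from() {
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$alg,"*) ;;                 # present in both lists
            *) printf '%s\n' "$alg" ;;     # documented but not enforced
        esac
    done
}

# Constructed sample of `sshd -T` output (not captured from a real host).
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256'

# On a live host, feed real output instead: sshd -T | effective_ca_algs
effective=$(printf '%s\n' "$SAMPLE_SSHD_T" | effective_ca_algs)
echo "documented but not accepted: $(missing_from "$DOCUMENTED" "$effective" | tr '\n' ' ')"
```

Any algorithm this reports is one whose CA signatures the server rejects for public key or host-based authentication, even though the manpage lists it.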