RE: Feedback on draft-ssh-ext-info-00
Damien Miller <djm@mindrot.org> Thu, 03 December 2015 00:59 UTC
Date: Thu, 03 Dec 2015 10:54:26 +1100
From: Damien Miller <djm@mindrot.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
cc: Markus Friedl <mfriedl@gmail.com>, "ietf-ssh@netbsd.org" <ietf-ssh@netbsd.org>
Subject: RE: Feedback on draft-ssh-ext-info-00

On Wed, 2 Dec 2015, Peter Gutmann wrote:

> Markus Friedl <mfriedl@gmail.com> writes:
>
> >I'm in the process of implementing draft-rsa-dsa-sha2-256-03 and welcome a
> >way for signaling SHA2 support to the client for userauth,
>
> Doesn't the presence of "rsa-sha2-256" do this?  The client proposes it, and
> if the server supports it, they indicate via the algorithm string.  It's
> pretty much independent of draft-ssh-ext-info-00 (I know it specifies
> "server-sig-algs", but it seems that specifying "rsa-sha2-256" was already
> sufficient to indicate this).

The problem is that, for a client to test whether rsa-sha2-256 is
supported, it must make publickey userauth with an included signature.
A signature-free PK_OK style request won't do since the key blob just
contains ssh-rsa and not the signature algorithm.

Making a signature-ful request means unwrapping the private key and,
depending on the implementation, burning an authentication attempt at
the server. Even then, the client only gets back a USERAUTH_FAILURE that
doesn't indicate whether the attempt was refused because of the key
itself, additional restrictions on the key or because the signature
algorithm is not supported.

-d
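
The following is an added example, not part of the message above and not code from any SSH implementation: it parses a "server-sig-algs" advertisement so a client can choose the RSA signature algorithm before unwrapping the private key, and shows that an RSA public key blob names only "ssh-rsa". The message number and packet layout are assumed from the published RFC 8308, which may differ from the -00 draft under discussion; the sample packet and key blob are constructed.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number in RFC 8308 (assumed same layout as the draft)

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Decode one SSH string at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string runs past end of packet")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ext_info(payload: bytes) -> dict:
    """Parse byte 7, uint32 count, then count (name, value) string pairs."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = read_string(payload, off)
        value, off = read_string(payload, off)
        exts[name.decode("ascii")] = value
    return exts

def pick_rsa_sig_alg(exts: dict, prefs=("rsa-sha2-256",)) -> str:
    """Choose the signature algorithm before the private key is touched."""
    advertised = exts.get("server-sig-algs", b"").decode("ascii").split(",")
    for alg in prefs:
        if alg in advertised:
            return alg
    return "ssh-rsa"  # nothing advertised: legacy SHA-1 signature name

def key_blob_type(blob: bytes) -> str:
    """Return the type string embedded at the start of a public key blob."""
    return read_string(blob, 0)[0].decode("ascii")

# Constructed sample data (not captured traffic, not a real key).
SAMPLE_EXT_INFO = (bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", 1)
                   + ssh_string(b"server-sig-algs")
                   + ssh_string(b"ssh-rsa,rsa-sha2-256"))
SAMPLE_KEY_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                   + ssh_string(b"\x00\xc5" + b"\x11" * 31))

if __name__ == "__main__":
    print(pick_rsa_sig_alg(parse_ext_info(SAMPLE_EXT_INFO)))
    print(key_blob_type(SAMPLE_KEY_BLOB))
```
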