Hello, The CASignatureAlgorithms directive in ssh and sshd supports the following algorithms: ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com Why are the *-cert-v01@openssh.com algorithms allowed here? This seems wrong to me as per documentation intermediate certificates aren't supported and I don't see how this would work then. They also aren't enabled by default.
To clarify: When only configuring one of the -cert algorithms with CASignatureAlgorithms, one gets an error, that the configuration is invalid, but when adding them alongside some other algorithm, they are supported. However, when signing a user certificate with an CA, ssh-keygen -L will always list the non -cert (the "normal" variant so to speak) as the algorithm behing "using" in the Signing CA. So e.g. for a ed25519 CA: Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA (using ssh-ed25519) I would not know how to get something that would then have: Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA (using ssh-ed25519-cert) As this algorithm in my understanding is the one
that can be controlled via CASignatureAlgorithms, it does not make sense to me, why these options are valid, if a key using this algorithm cannot be obtained. Moreover: having an option that is only valid alongside another option without any explanation is very confusing.
Created attachment 3700 [details] disallow certificate algorithms in CASignatureAlgorithms Certificate algorithms won't work when specified in CASignatureAlgorithms, but the option would incorrectly accepts them without error. This fixes that.
Thank you for the clarification and the patch! The patch indeed fixes the configuration-file behavior. It doesn't fix `ssh -Q CASignatureAlgorithms` still producing the wrong output, however. Also: You introduced a new variable ca_only that is true for CASignatureAlgorithms and false for all others. Shouldn't it then perhaps be named more something like no_ca, as CASignatureAlgorithms does not accept only ca alogrithms, but rather the exact opposite or what did I miss?
Created attachment 3701 [details] show only valid CA signing algorithms for -Q CASignatureAlgorithms > The patch indeed fixes the configuration-file behavior. It doesn't fix > `ssh -Q CASignatureAlgorithms` still producing the wrong output, however. Yeah, it was using the list of all signature algorithms. > Also: You introduced a new variable ca_only that is true for > CASignatureAlgorithms and false for all others. Shouldn't it then perhaps > be named more something like no_ca, as CASignatureAlgorithms does not > accept only ca alogrithms, but rather the exact opposite or what did I miss? ca_only = algorithms that are valid for CAs to sign certificates.
thanks for the report - these have both been committed and will be in OpenSSH 8.4, due in a few months.