Sign SSH keys using rsa-sha2-256 algorithm

[mtorromeo]

Since version 8.2 of openssh the ssh-rsa algorithm is considered insecure and has been removed [1]

With this commit I changed the signing algorithm to rsa-sha2-256

Note that the implementation is not ideal since x/crypto/ssh does not provide a simple method to sign a certificate with an arbitrary algorithm. There's an open issue for that: golang/go/issues/36261.

Note that rsa-sha2-256 is supported since openssh 7.2 so the choice at the moment seems to be between supporting future clients or older ones, which is unfortunate, at least wihout changing vault's api.

It seems that Debian versions <= 8 and RHEL <= 6 do not use a compatible version of openssh.

I tested this on Arch Linux (patch backported to v1.3.2), which already ships openssh 8.2 and it works fine.

[1] https://www.openssh.com/txt/release-8.2

[hashicorp-cla]

All committers have signed the CLA.

[catsby]

Fixes #8414

[grahamc]

I've tested this, and it works nicely. I didn't have to recreate my ca or private keys, just re-sign them. Thanks!

[andreaso]

Can confirm that it works nicely for me as well, using this patch to build on top of the 1.4.1 release.

Much appreciated. Thank!

[grahamc]

I wonder if somebody on the project has some feedback on this PR, about ways they don't care for it -- but haven't written down yet?

[ncabatoff]

Thank you for the PR @mtorromeo. I would prefer not to break backwards compatibility. Unfortunately I'm not very familiar with the ssh backend, so I'm not sure what the best approach is. Would it make sense to add a role option to specify the signing algorithm?

[grahamc]

That would probably make sense, though I have a deep fear of any deployments of openssh older than 2011 (incorrect: openssh added support for it in 7.2, 2016.)

Note: the signing algorithm should probably default to sha-2, since:

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the "ssh-rsa" public key signature algorithm that depends
on SHA-1 by default in a near-future release.

and insecure-by-default is pretty rough.

[ncabatoff]

Note: the signing algorithm should probably default to sha-2, since:

I'm fine with newly created roles getting sha-2 (assuming we make it a role option). I'm less convinced we should retroactively change the behaviour of existing roles, but I'm willing to listen.

[mtorromeo]

Would it make sense to add a role option to specify the signing algorithm?

I guess that would be a valid method to allow to choose a signing algorithm. I am not familiar enough with the vault codebase or with the go language and this was the only fix I could propose.

[ncabatoff]

I opened a new PR based on this one that incorporates the config stuff. I haven't tested it. @mtorromeo how would you like to proceed? We can close this PR and I can work on getting #9096 merged instead. Or if you'd like to learn more about Vault and Go, you can copy what I did into this PR, test that it works, and I'll close mine.

[mtorromeo]

It's fine to go ahead with your OR, thanks! I did take a look at it for curiosity but, honestly, I'm already handling too many things at the moment :)

[ncabatoff]

Ok, I'll close this one and proceed with #9096. Thanks again for getting this started!

[efazati]

Is this ticket fixed? because still when I'm singing my key with Hashicorp Vault Server, I get the same error

Jul 10 13:42:31 xxx sshd[1974]: userauth_pubkey: certificate signature algorithm ssh-rsa: signature algorithm not supported [preauth]

I changed the ssh-client-signer key with rsa-sha2-512 and rsa-sha2-256 but still I get the same result from my ssh server

This is my details:

OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020
Ubuntu 20.04
Vault 1.4.3

[HammerZ3it]

Hi @efazati

I don't know if you fixed your issue but I faced the same one.
If you have consul as a backend it might be the same as I had.

I had to restart my consul.service on my vault server. I didn't figure it why yet but I am working on it.

Hope it helps.

Regards,

[con-f-use]

I get the same problem now, running vault 1.8.2

@efazati

I changed the ssh-client-signer key with rsa-sha2-512 and rsa-sha2-256 but still I get the same result from my ssh server

How did you do that?
How did you do that?