Broken out from comment #14 on bug 7117:
I'm getting messages like these in the client log after upgrade.
> 2019-01-14T10:26:31: ssh[E]: agent key RSA SHA256:aU1P4ry5nwnNZ7Aa80y7/YajBHgkY8cSf/x+pHkLVTE returned incorrect signature type
They don't seem to interfere with session startup. Probably related to this:
> * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
> a rsa-sha2-256/512 signature was requested. This condition is possible
> when an old or non-OpenSSH agent is in use. bz#2799
...that would indicate a bug in our ssh-agent implementation.
This doesn't seem to be a bug, rather than us not supporting the latest features. Our behaviour is the same as an older OpenSSH agent (which is hinted at in the warning).
However it seems like they did not add any handshake mechanism when they added this new feature, so not supporting this new feature does seem risky.
They've defined some new flags for the signature operation here:
It is based on this new RFC:
For reference, it seems like the current OpenSSH agent still ignores any unknown flags. So we probably can't play it safe and refuse unknown flags as a way of future proofing things.
Works well now.
Tester should verify that all three algorithms work without errors.
To switch you have to modify ~/.thinlinc/config and adjust the setting PubkeyAcceptedKeyTypes:
> PubkeyAcceptedKeyTypes -rsa-sha2-512
Reconfiguring the server is unfortunately buggy, so it has to be done in the client.
Works. Tested with:
...against tl.cendio.se. Also tested "ssh-rsa" against eudemo.thinlinc.com.
Tested using Linux client 4.9.0post build 6045 on CentOS 7.