Bug 7306 - client doesn't support sha256/sha512 smart card authentication
Summary: client doesn't support sha256/sha512 smart card authentication
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card (show other bugs)
Target Milestone: 4.10.0
Assignee: Pierre Ossman
Keywords: prosaic
Depends on:
Reported: 2019-01-15 13:40 CET by Pierre Ossman
Modified: 2019-02-18 11:18 CET (History)
1 user (show)

See Also:
Acceptance Criteria:
* ThinLinc should support smart card authentication using the rsa-sha2-256 and rsa-sha2-512 algorithms and not just ssh-rsa


Description Pierre Ossman cendio 2019-01-15 13:40:40 CET
Broken out from comment #14 on bug 7117:

I'm getting messages like these in the client log after upgrade.

> 2019-01-14T10:26:31: ssh[E]: agent key RSA SHA256:aU1P4ry5nwnNZ7Aa80y7/YajBHgkY8cSf/x+pHkLVTE returned incorrect signature type

They don't seem to interfere with session startup. Probably related to this:

>  * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
>    a rsa-sha2-256/512 signature was requested. This condition is possible
>    when an old or non-OpenSSH agent is in use. bz#2799

...that would indicate a bug in our ssh-agent implementation.
Comment 1 Pierre Ossman cendio 2019-01-15 13:46:20 CET
This doesn't seem to be a bug, rather than us not supporting the latest features. Our behaviour is the same as an older OpenSSH agent (which is hinted at in the warning).

However it seems like they did not add any handshake mechanism when they added this new feature, so not supporting this new feature does seem risky.

They've defined some new flags for the signature operation here:


It is based on this new RFC:


For reference, it seems like the current OpenSSH agent still ignores any unknown flags. So we probably can't play it safe and refuse unknown flags as a way of future proofing things.
Comment 4 Pierre Ossman cendio 2019-01-23 13:19:07 CET
Works well now.

Tester should verify that all three algorithms work without errors.

To switch you have to modify ~/.thinlinc/config and adjust the setting PubkeyAcceptedKeyTypes:

> PubkeyAcceptedKeyTypes -rsa-sha2-512

Reconfiguring the server is unfortunately buggy, so it has to be done in the client.
Comment 5 Peter Åstrand cendio 2019-02-18 11:18:37 CET
Works. Tested with:

PubkeyAcceptedKeyTypes rsa-sha2-256


PubkeyAcceptedKeyTypes rsa-sha2-512

...against tl.cendio.se. Also tested "ssh-rsa" against eudemo.thinlinc.com.

Tested using Linux client 4.9.0post build 6045 on CentOS 7.

Note You need to log in before you can comment on or make changes to this bug.