Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1666802 - logging in with rsa cert doesn't appear to work
Summary: logging in with rsa cert doesn't appear to work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: crypto-policies
Version: 8.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.1
Assignee: Tomas Mraz
QA Contact: Simo Sorce
URL:
Whiteboard:
Depends On: 1665611 1682515
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-16 15:19 UTC by Jakub Jelen
Modified: 2020-11-14 14:47 UTC (History)
5 users (show)

Fixed In Version: crypto-policies-20190613-1.git21ffdc8.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1665611
Environment:
Last Closed: 2019-11-05 22:33:24 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Gitlab redhat-crypto/fedora-crypto-policies/merge_requests/35 0 None None None 2019-01-16 15:19:32 UTC
Red Hat Product Errata RHBA-2019:3644 0 None None None 2019-11-05 22:33:40 UTC

Description Jakub Jelen 2019-01-16 15:19:32 UTC 
+++ This bug was initially created as a clone of Bug #1665611 +++

[...]

--- Additional comment from Jakub Jelen on 2019-01-16 16:06:05 CET ---

I can reproduce the same problem. It really looks like a bug in crypto policy. I probably initially forgot to include the sha2 variants (they are not listed in `ssh -Q key`). Even though the log says it is plain rsa certificate, when I dumped what is actually being compared to what, I figured out it is really the SHA2 signature already, which was missing in the list from the crypto policy.

userauth_pubkey: pkalg=<rsa-sha2-512-cert-v01> PubkeyAcceptedKeyTypes=<rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01,rsa-sha2-512,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01,ssh-ed25519,ssh-ed25519-cert-v01,ssh-rsa,ssh-rsa-cert-v01> [preauth]

I filled the following pull request resolving this upstream:

https://gitlab.com/redhat-crypto/fedora-crypto-policies/merge_requests/35

And I reassign the bug to crypto policies.
Comment 2 Tomas Mraz 2019-01-17 09:48:33 UTC 
I do not think this is that common. Also I do not see it would "lock out" someone unexpectedly. It would not work from start. For that reason I think this can be safely postponed to 8.1.
Comment 13 Simo Sorce 2019-07-08 16:18:16 UTC 
Verified via CI: https://baseos-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ci-openstack/29584//console

[10.0.132.116        ] T:       4 [OS/openssh/Sanity/public-key-authentication] Running
[10.0.132.116        ] 1562575718 [Setup                                      ] PASS Score: 0
[10.0.132.116        ] 1562575719 [ng-user-certificates-with-SHA-256-signature] PASS Score: 0
[10.0.132.116        ] 1562575720 [ng-user-certificates-with-SHA-512-signature] PASS Score: 0
[10.0.132.116        ] 1562575721 [o-for-user-certificate-with-SHA-2-signature] PASS Score: 0
[10.0.132.116        ] 1562575722 [ng-host-certificates-with-SHA-256-signature] PASS Score: 0
[10.0.132.116        ] 1562575723 [Cleanup                                    ] PASS Score: 0
Comment 17 errata-xmlrpc 2019-11-05 22:33:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3644
Note You need to log in before you can comment on or make changes to this bug.