vault-plugin-auth-ssh icon indicating copy to clipboard operation
vault-plugin-auth-ssh copied to clipboard
verified publisher icon 42wim

Bad support for sha256 / sha512 signature

Open 131 opened this issue 9 months ago • 0 comments

In fedora 41, sha1 signature in agent are deprecated.

The ssh-agent will deny signing ssh-rsa (sha1) in the key exchange.

Yet, in this module, the pubkey Type (ssh-rsa) will be forced to verify against sha1.

  • see https://cs.opensource.google/go/x/crypto/+/master:ssh/common.go;l=96?q=hashFuncs&sq=&ss=go%2Fx%2Fcrypto
  • see https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.36.0:ssh/keys.go;l=487

You should allow to explicitly specify the algo (negociated between the client & the server) & forwarded to the agent AND THEN relayed to you, for the "verifySignature" to work in all cases.


path_login.go
	algo := data.Get("algo").(string) // + with sha1 default

ssh.go
  verifySignature(pubkey ssh.PublicKey, nonce, signature []byte, algo )

131 avatar Mar 20 '25 11:03 131