ssh-tpm-agent icon indicating copy to clipboard operation
ssh-tpm-agent copied to clipboard
verified publisher icon Foxboron

SHA-512 is not a supported hashing algorithm

Open sevenrats opened this issue 1 year ago • 4 comments

I migrated a working install to a newer machine, replaced the tpm keys, and sshd comes up fine, but I get the "send_disconnect" error no matter how I try to connect ( the server is up and accepts a password though.) checking the ssh-tpm-agent logs shows INFO "agent 13: SHA-512 is not a supported hashing algorithm" right after "signwithflags" is called. shuttdown down the tpm agent and removing its sshd config causes connections to resume.

sevenrats avatar Jul 24 '24 20:07 sevenrats

This is known.

TPMs doesn't really support SHA-512 and for this to work I need to implement the signing operation on another layer.

Foxboron avatar Jul 24 '24 20:07 Foxboron

How do I work around in the meantime? is this an openssh version problem? can I change a setting somewhere?

sevenrats avatar Jul 24 '24 20:07 sevenrats

You need to remove rsa-sha2-512 as a valid signature algorithm. I can't remember from the top of my head how you do this.

Foxboron avatar Jul 24 '24 20:07 Foxboron

easier to just delete the RSA hostkey in my case.

sevenrats avatar Jul 24 '24 20:07 sevenrats

Been working out this support for RSA keys lately. The WIP patch solves this, but I need to clean this up as I'm borrowing code form the Go stdlib.

https://github.com/Foxboron/go-tpm-keyfiles/commit/7c417ef54dded774b57bed1415aa4bdc7665cfab

Foxboron avatar Nov 29 '24 15:11 Foxboron

I've pushed the implementation from go-tpm-keyfiles and it should work. Will be part of the next release.

Foxboron avatar Mar 16 '25 17:03 Foxboron