
Ability to sign SSH certificate with SHA2

Open Aniderhofer opened this issue 5 years ago • 4 comments

Hello

I would like to add to Bless support for signing SSH certificates with a SHA2 algorithm, more specifically RSA-SHA2 512. SSH certificates signed with a SHA2 algorithm have been supported and recommended by default since the OpenSSH 8.2 release: https://www.openssh.com/txt/release-8.2

I have created a POC using the Bless SSH sign code, successfully signing with RSA SHA2 512. I would love to contribute my work to Bless.

Thanks Albert

Aniderhofer avatar Jul 22 '20 10:07 Aniderhofer

Hi Albert, I am developing a refactor of Bless with more features like audit, an external authorization module, and more exception handling, and I would like to support SHA2 512. Can you share it?

lpcalisi avatar Nov 19 '20 16:11 lpcalisi

See the fix here:

https://github.com/albertniderhofer/bless/commits/sha-2

albertniderhofer avatar Dec 02 '20 19:12 albertniderhofer

https://github.com/certonid/certonid (min version 0.7.0) supports the rsa-sha2-256 algorithm, which works with the latest OpenSSH.

le0pard avatar Mar 15 '21 21:03 le0pard

Thanks @albertniderhofer your commit was immensely helpful. We've made some small changes to your commit: https://github.com/lyft/bless/pull/49

Primarily decoupling the public key type from the signing type. Otherwise, your original commit will change the public key from ssh-rsa to rsa-sha2-512. The public key shouldn't be changing, only the signature. Surprisingly you'll be able to use the generated cert (tested using ssh -i [cert] [server]), but certain clients won't be able to parse the public key (e.g. golang ssh's ParseAuthorizedKey).

skiptomyliu avatar Jun 22 '21 18:06 skiptomyliu
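The decoupling described in the last comment, shown in working code as an added example that is not part of this thread, of BLESS, or of the linked PR: an OpenSSH RSA user certificate in the PROTOCOL.certkeys layout is signed with rsa-sha2-512, and a strict-client inspection shows that only the signature blob names the hash, while the CA key blob embedded in the certificate keeps the type name ssh-rsa. Passing the hypothetical `ca_key_type=b"rsa-sha2-512"` knob reproduces the behaviour reported above: the signature still verifies, but a parser that only knows real key types rejects the key blob. The code is stdlib-only, so the RSA key generation is a toy Miller-Rabin search written for this example (a real CA uses a vetted library), and the field names, sample key id and principals are constructed.

```python
# Added example, not BLESS code or the PR's: build an OpenSSH RSA user certificate signed with
# rsa-sha2-512 and show why the CA key blob must keep the type name "ssh-rsa". Stdlib only;
# the RSA key generation is a toy Miller-Rabin search and exists purely for illustration.
import hashlib, os, random, struct, time

_rng = random.SystemRandom()
CERT_TYPE, USER_CERT = b"ssh-rsa-cert-v01@openssh.com", 1
KNOWN_KEY_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256"}  # what a strict parser accepts
_SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")  # DER DigestInfo for SHA-512

def ssh_string(b: bytes) -> bytes:  # RFC 4251 string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n: int) -> bytes:  # RFC 4251 mpint: two's complement, leading 0x00 if the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def read_string(buf: bytes, off: int):
    ln = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def _probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, toy key generation only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits: int) -> int:
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _probable_prime(c):
            return c

def rsa_generate(bits: int = 1024):
    """Return ((n, e), (n, d)). A real CA uses a vetted library; this is for the example only."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def _emsa(msg: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 with SHA-512: 00 01 FF..FF 00 DigestInfo
    t = _SHA512_PREFIX + hashlib.sha512(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sha2_512_sign(priv, msg: bytes) -> bytes:  # this is all "rsa-sha2-512" means on the wire
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")
def rsa_sha2_512_verify(pub, msg: bytes, sig: bytes) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)

def build_cert(user_pub, ca_pub, ca_priv, key_id: str, principals, ca_key_type: bytes = b"ssh-rsa") -> bytes:
    """Sign a user cert (PROTOCOL.certkeys layout). `ca_key_type` is a hypothetical knob that exists only
    to reproduce the bug from the thread by passing b"rsa-sha2-512"; correct callers leave it at b"ssh-rsa"."""
    now = int(time.time())
    body = (ssh_string(CERT_TYPE) + ssh_string(os.urandom(32))                        # type, nonce
            + ssh_mpint(user_pub[1]) + ssh_mpint(user_pub[0])                          # user key e, n
            + struct.pack(">QI", 1, USER_CERT)                                         # serial, cert type
            + ssh_string(key_id.encode())
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", now - 60, now + 3600)                                # valid after / before
            + ssh_string(b"")                                                          # critical options
            + ssh_string(ssh_string(b"permit-pty") + ssh_string(b""))                  # extensions
            + ssh_string(b"")                                                          # reserved
            + ssh_string(ssh_string(ca_key_type) + ssh_mpint(ca_pub[1]) + ssh_mpint(ca_pub[0])))  # CA key blob
    sig = rsa_sha2_512_sign(ca_priv, body)
    # Only the signature blob names the hash; the CA key blob above keeps its own type name.
    return body + ssh_string(ssh_string(b"rsa-sha2-512") + ssh_string(sig))

def inspect_cert(cert: bytes, ca_pub) -> dict:
    """Walk the certificate the way a strict client does and report what it finds."""
    off = 0
    for kind in "ssssQIssQQsss":  # every field before the signature key
        if kind == "s":
            _, off = read_string(cert, off)
        else:
            off += struct.calcsize(">" + kind)
    sig_key, off = read_string(cert, off)
    signed = cert[:off]  # the signature covers everything up to and including the CA key blob
    sig_blob, end = read_string(cert, off)
    key_type, _ = read_string(sig_key, 0)
    sig_alg, o = read_string(sig_blob, 0)
    sig, _ = read_string(sig_blob, o)
    return {"ca_key_type": key_type, "sig_alg": sig_alg,
            "strict_parse_ok": end == len(cert) and key_type in KNOWN_KEY_TYPES,
            "signature_valid": sig_alg == b"rsa-sha2-512" and rsa_sha2_512_verify(ca_pub, signed, sig)}

if __name__ == "__main__":
    ca, user = rsa_generate(), rsa_generate()
    print(inspect_cert(build_cert(user[0], ca[0], ca[1], "albert", ["albert"]), ca[0]))
```

Running the module prints an inspection with `ca_key_type` `ssh-rsa`, `sig_alg` `rsa-sha2-512`, and both checks true; building the same certificate with `ca_key_type=b"rsa-sha2-512"` yields a signature that still verifies but a key blob the strict parser refuses, which is exactly the split between "ssh works" and "ParseAuthorizedKey fails" reported in the thread.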