Hi,
I thought I could further restrict my sshd_config regarding
PubkeyAcceptedAlgorithms. I have one user for whom I can't use any key
type other than rsa. I added a `Match User whatever` and since I wasn't
sure about which thingy I needed from `ssh -Q PubkeyAcceptedAlgorithms |
grep rsa | grep -v cert`, I put an unrelated algo in
PubkeyAcceptedAlgorithms and checked the logs.
It said "userauth_pubkey: key type ssh-rsa not in
PubkeyAcceptedAlgorithms [preauth]"
I replaced the PubkeyAcceptedAlgorithms setting, except it still didn't
work. Eventually, I tried them one by one and found out rsa-sha2-512
is the one I needed.
It's unfortunate the log doesn't give the right one.
I went into the code to check. In sshkey.c there is
    { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 },
    { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
    { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 },
Since they all share "KEY_RSA", I assume there's no way to differentiate
one 'subtype' vs another?
(I'm using -current but I doubt it matters).
Cheers,
Daniel
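An added example, not part of Daniel's mail or of OpenSSH: a small Python model of how a `Match User` block overrides the global PubkeyAcceptedAlgorithms, with a constructed sshd_config (users `whatever`, `legacy`, and the defaulted `alice` are made up), that reports which names of the RSA family are actually enabled for a given user. It separates the one key type (ssh-rsa, KEY_RSA) from the three signature algorithm names the log message does not distinguish.

```python
# Added example, not OpenSSH code. sshkey.c maps all three names to KEY_RSA:
# one key type, three signature algorithms. "ssh-rsa" is SHA-1 signing;
# rsa-sha2-* is what a current client offers for the same RSA key.
RSA_FAMILY = ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")

def effective_pubkey_algorithms(config_text, user):
    """Simplified sshd rules: first value wins in the global section; the
    first matching 'Match User' block overrides it. Plain comma lists only."""
    global_value = match_value = None
    in_match = match_applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        value = rest[0].strip() if rest else ""
        if key.lower() == "match":
            in_match = True
            tokens = value.split()
            criteria = {k.lower(): v for k, v in zip(tokens[::2], tokens[1::2])}
            if set(criteria) != {"user"}:
                raise ValueError("only 'Match User' is modelled: " + line)
            match_applies = user in criteria["user"].split(",")
        elif key.lower() == "pubkeyacceptedalgorithms":
            if value.startswith(("+", "-", "^")):
                raise ValueError("+/-/^ modifiers not handled: " + line)
            algos = [a for a in value.split(",") if a]
            if not in_match and global_value is None:
                global_value = algos
            elif in_match and match_applies and match_value is None:
                match_value = algos
    return match_value if match_value is not None else (global_value or [])

def rsa_family_enabled(algorithms):
    """RSA-family names in the effective list. Empty means an RSA key fails
    with the logged 'key type ssh-rsa not in PubkeyAcceptedAlgorithms'."""
    return [a for a in algorithms if a in RSA_FAMILY]

def accepts_sha2_rsa(algorithms):
    """True when a SHA-2 RSA algorithm is enabled (the post needed rsa-sha2-512)."""
    return any(a in ("rsa-sha2-256", "rsa-sha2-512") for a in algorithms)

# Constructed sshd_config: ed25519 everywhere, RSA allowed for two users.
SAMPLE_CONFIG = """PubkeyAcceptedAlgorithms ssh-ed25519
Match User whatever
    PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512
Match User legacy
    PubkeyAcceptedAlgorithms ssh-rsa
"""
```

The `legacy` block shows the trap from the mail: `ssh-rsa` alone enables only SHA-1 signatures, while a current client signs with rsa-sha2-512 for the same key.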