Netflix/bless

Ability to sign SSH certificate with SHA2

Aniderhofer opened this issue · 4 comments

Hello

I would like to add into Bless the support to sign the SSH certificates with a SHA2 algorithm, more specifically RSA-SHA2 512.
SSH certificates signed with a SHA2 algorithm are supported and recommended by default since the OpenSSH 8.2 release: https://www.openssh.com/txt/release-8.2

I have created a POC using the Bless SSH sign code, successfully signing with RSA SHA2 512.
I would love to contribute my work to Bless.

Thanks
Albert

Hi Albert, I am developing a refactor of Bless with more features like audit, an external authorization module, more handling of exceptions, and I would like to support SHA2 512. Can you share it?

https://github.com/certonid/certonid (min version 0.7.0) supports the rsa-sha2-256 algorithm, which works with the latest OpenSSH.

Thanks @albertniderhofer your commit was immensely helpful. We've made some small changes to your commit: lyft#49

Primarily decoupling the public key type from the signing type. Otherwise, your original commit will change the public key from ssh-rsa to rsa-sha2-512. The public key shouldn't be changing, only the signature. Surprisingly you'll be able to use the generated cert (tested using ssh -i [cert] [server]), but certain clients won't be able to parse the public key (e.g. golang ssh's ParseAuthorizedKey).
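The decoupling point above, as an added example that is not part of the thread or of Bless itself: in the OpenSSH certificate wire format the CA's "signature key" field is a public-key blob whose first string must name a key type (ssh-rsa), while the "signature" field is a separate blob whose first string names the signature algorithm (rsa-sha2-512). Writing the signature algorithm into the key blob is what breaks strict parsers. The code below encodes both fields, with a `decoupled` flag that reproduces the bug or the fix, and a strict parser that approximates what a client like golang ssh's ParseAuthorizedKey accepts. The CA modulus and the signature bytes are constructed placeholders, not a real RSA key or PKCS#1 signature; the helper and function names are this example's own.

```python
import struct

# --- SSH wire-format helpers (RFC 4251 section 5) ---

def ssh_string(b: bytes) -> bytes:
    """uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """Big-endian two's-complement integer, zero-padded if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def read_string(buf: bytes, off: int):
    """Read one length-prefixed string; return (bytes, new offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length

# Key algorithms a client accepts in a public-key blob versus the RSA signature
# algorithms OpenSSH 8.2+ prefers. They overlap only in the legacy "ssh-rsa"
# name, which is why coupling the two went unnoticed before SHA2 support.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
RSA_SIG_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

def encode_rsa_pubkey(key_type: str, e: int, n: int) -> bytes:
    return ssh_string(key_type.encode()) + ssh_mpint(e) + ssh_mpint(n)

def encode_signature(sig_alg: str, raw_sig: bytes) -> bytes:
    return ssh_string(sig_alg.encode()) + ssh_string(raw_sig)

def cert_trailer(sig_alg: str, ca_e: int, ca_n: int, raw_sig: bytes, decoupled: bool) -> bytes:
    """Encode the last two fields of an OpenSSH certificate: 'signature key' and 'signature'.

    decoupled=False reproduces the mistake of writing the signature algorithm
    name into the public-key blob; decoupled=True keeps the key type at ssh-rsa
    and changes only the signature blob.
    """
    if sig_alg not in RSA_SIG_ALGS:
        raise ValueError(f"not an RSA signature algorithm: {sig_alg!r}")
    key_type = "ssh-rsa" if decoupled else sig_alg
    return (ssh_string(encode_rsa_pubkey(key_type, ca_e, ca_n))
            + ssh_string(encode_signature(sig_alg, raw_sig)))

def parse_pubkey(blob: bytes) -> dict:
    """Strict public-key parse: the type string must be a key algorithm."""
    key_type, off = read_string(blob, 0)
    key_type = key_type.decode()
    if key_type not in KEY_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")
    e, off = read_string(blob, off)
    n, off = read_string(blob, off)
    return {"type": key_type, "e": int.from_bytes(e, "big"), "n": int.from_bytes(n, "big")}

def parse_trailer(trailer: bytes) -> dict:
    """Split the trailer back into the parsed CA key and the signature algorithm."""
    sig_key_blob, off = read_string(trailer, 0)
    sig_blob, _ = read_string(trailer, off)
    key = parse_pubkey(sig_key_blob)
    alg, off2 = read_string(sig_blob, 0)
    sig, _ = read_string(sig_blob, off2)
    return {"key": key, "sig_alg": alg.decode(), "sig": sig}

# Constructed sample values: a toy modulus and a placeholder signature.
CA_E = 65537
CA_N = 0xC0FFEEBADCAFE
PLACEHOLDER_SIG = b"\x00" * 16

if __name__ == "__main__":
    good = parse_trailer(cert_trailer("rsa-sha2-512", CA_E, CA_N, PLACEHOLDER_SIG, decoupled=True))
    print(good["key"]["type"], good["sig_alg"])
    try:
        parse_trailer(cert_trailer("rsa-sha2-512", CA_E, CA_N, PLACEHOLDER_SIG, decoupled=False))
    except ValueError as exc:
        print("coupled form rejected:", exc)
```

Note that with `sig_alg="ssh-rsa"` both settings produce the same bytes, which matches the thread's observation that the coupling only surfaces once a SHA2 algorithm name reaches the key blob; sshd itself still accepts the coupled form, so a strict-parse check like `parse_pubkey` is the useful regression test.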