Support for new RSA SHA2 host key types in LIBSSH2_METHOD_HOSTKEY method
rwsmith61 opened this issue · 4 comments
I need to query the hostkey types of all our network devices to find any that are still using the now deprecated RSA SHA1 hostkeys. Currently if I query using `$ssh->method(LIBSSH2_METHOD_HOSTKEY)`, and per the Net::SSH2 documentation, I only get one of two values returned: "ssh-rsa" or "ssh-dsa."

I need to get the latest RSA hostkey types as per the latest OpenSSH: "rsa-sha2-256" or "rsa-sha2-512" (and/or any others that have been added in the past few years).

@salva, can you take care of this? I'm being prevented by the US government from doing anything right now.
Update: I have tried two different methods:

- setting `$ssh->method(LIBSSH2_METHOD_HOSTKEY, qw(ssh-dss))` or even `$ssh->method(LIBSSH2_METHOD_HOSTKEY, qw(ssh-dss rsa-sha2-256 rsa-sha2-512))` (no effect for the last two words) to eliminate `ssh-rsa`, and testing `$ssh->connect(<host>)` only effectively tells me which devices do not support `ssh-dss`. It also tells me that `Net::SSH2` cannot negotiate `rsa-sha2-256` and `rsa-sha2-512`, which is a deficiency.
- setting `$ssh->method(LIBSSH2_METHOD_HOSTKEY, qw(ssh-rsa))` and then, after the connect, retrieving the remote key with `my $hostkey = $ssh->remote_hostkey()` and looking at `length $hostkey` may produce some false negatives. I.e. I believe `rsa-sha2-256` and `rsa-sha2-512` can be used with key lengths of 2048 (correct me if I am wrong).

As an aside to and within point 2, it would be nice to have a method, `remote_hostkey_len`, to return the key length in bits of the remote hostkey.
I've looked into this.

Calling `$hostkey_type = $ssh->method(LIBSSH2_METHOD_HOSTKEY);` calls the libssh2 function `libssh2_session_methods()`. That is what it returns. You can take this up with the libssh2 developers if you want different functionality; their GitHub repository is https://github.com/libssh2/libssh2. Whatever they change it to will work in the Perl module because that function returns a string.

The second parameter to `$ssh->method` calls the libssh2 function `libssh2_session_method_pref()` and is passed to its `prefs` parameter as a string. Again, whatever changes are made in libssh2 will work here as well.

Calling `$ssh->remote_hostkey` calls the libssh2 function `libssh2_session_hostkey()`. If you believe it is behaving incorrectly, again this is controlled by libssh2.

I believe I have a solution to your original problem, however.

If you call `$hostkey = $ssh->remote_hostkey;` and then print out the value of `$hostkey`, the prefix will be the key type. For example, on my Gentoo system it is `ecdsa-sha2-nistp256`; maybe a longer or shorter prefix, I don't know. Print it out in any event and you will see.

Hope that helps.
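A worked example, added here and not part of this issue or of Net::SSH2 itself, for both the opening post's question (which devices still use RSA with SHA-1, and how long the key is) and the suggestion above of reading the key type off `$ssh->remote_hostkey`. Two facts from the SSH wire format (RFC 4251 section 5, RFC 4253 section 6.6) and RFC 8332 shape it: the blob really does start with a length-prefixed key-type string, so the prefix can be decoded rather than eyeballed; and an RSA key blob starts with `ssh-rsa` whether the server signed with `ssh-rsa` (SHA-1), `rsa-sha2-256` or `rsa-sha2-512`, so the blob gives the key type and modulus size but not the signature algorithm. The signature algorithm actually negotiated is what `$ssh->method(LIBSSH2_METHOD_HOSTKEY)` reports after `connect`, and, as the next comment notes, libssh2 older than 1.11 cannot negotiate the SHA-2 ones at all. The `parse_hostkey_blob` and `assess_hostkey` subs, the policy thresholds in them and the sample blob are constructed for this example; the commented live calls assume the Net::SSH2 methods named on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode the public-key blob that $ssh->remote_hostkey returns.
# SSH wire format (RFC 4251 s.5, RFC 4253 s.6.6): a length-prefixed
# string holding the key-type name, then type-specific fields. For
# ssh-rsa the fields are mpint e and mpint n; the bit length of n is
# the "key length in bits" the opening post asks for.
sub parse_hostkey_blob {
    my ($blob) = @_;
    my $pos = 0;
    my $read_string = sub {
        die "truncated hostkey blob\n" if $pos + 4 > length $blob;
        my $len = unpack('N', substr($blob, $pos, 4));
        $pos += 4;
        die "truncated hostkey blob\n" if $pos + $len > length $blob;
        my $s = substr($blob, $pos, $len);
        $pos += $len;
        return $s;
    };

    my $type = $read_string->();
    my %info = (type => $type, bits => undef);

    if ($type eq 'ssh-rsa') {
        my $e = $read_string->();    # public exponent, not needed here
        my $n = $read_string->();    # modulus, mpint encoded
        $n =~ s/^\x00+//;            # drop the sign-padding byte(s)
        die "empty RSA modulus\n" unless length $n;
        my $top = ord(substr($n, 0, 1));
        $info{bits} = 8 * (length($n) - 1) + length(sprintf('%b', $top));
    }
    elsif ($type =~ /^ecdsa-sha2-nistp(\d+)$/) {
        $info{bits} = $1;            # curve size is part of the name
    }
    elsif ($type eq 'ssh-ed25519') {
        $info{bits} = 256;
    }
    return \%info;
}

# Policy check from the defender's side (thresholds are this example's
# assumptions). $negotiated is the string $ssh->method(LIBSSH2_METHOD_HOSTKEY)
# returns after connect: for an RSA key it is 'ssh-rsa' (SHA-1) or
# 'rsa-sha2-256'/'rsa-sha2-512' (RFC 8332), while the key blob itself
# starts with 'ssh-rsa' in all three cases.
sub assess_hostkey {
    my ($info, $negotiated) = @_;
    return 'DSA (ssh-dss) host key' if $info->{type} eq 'ssh-dss';
    if ($info->{type} eq 'ssh-rsa') {
        return "RSA modulus too short ($info->{bits} bits)" if $info->{bits} < 2048;
        return 'RSA key, server signed with ssh-rsa (SHA-1)'
            if defined $negotiated && $negotiated eq 'ssh-rsa';
    }
    return 'ok';
}

# Constructed sample blob: a 2048-bit RSA key with e = 65537 and a made-up
# modulus whose high bit is set, so the mpint carries a leading 0x00 byte.
sub sample_rsa_blob {
    my $n = "\xc3" . ("\x5a" x 255);    # 256 bytes, not a real key
    return pack('N/a* N/a* N/a*', 'ssh-rsa', "\x01\x00\x01", "\x00" . $n);
}

# Live use against a device (assumed Net::SSH2 calls as named in this
# issue; left commented so the script runs offline):
#   use Net::SSH2;
#   my $ssh = Net::SSH2->new;
#   $ssh->connect($host) or die "connect failed";
#   my $info = parse_hostkey_blob($ssh->remote_hostkey);
#   my $negotiated = $ssh->method(LIBSSH2_METHOD_HOSTKEY);
#   print "$host: ", assess_hostkey($info, $negotiated), "\n";
my $info = parse_hostkey_blob(sample_rsa_blob());
printf "type=%s bits=%d\n", $info->{type}, $info->{bits};
printf "negotiated %-12s -> %s\n", $_, assess_hostkey($info, $_)
    for qw(ssh-rsa rsa-sha2-256);
```

Run as-is it decodes the constructed blob and shows the same 2048-bit `ssh-rsa` key being judged differently depending on the negotiated signature algorithm, which is the distinction `length $hostkey` cannot make. Against a real device, a `LIBSSH2_METHOD_HOSTKEY` value of `ssh-rsa` after connect means SHA-1 was used; on libssh2 1.10 that is the only RSA outcome possible, so the check is only meaningful with libssh2 1.11 or later, and the `bits` field already answers the request for a `remote_hostkey_len` method.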
Update: For the initial comment, I was working from an Ubuntu 22.04 LTS release. The issue is that Ubuntu 22.04 LTS comes with the libssh2 1.10 release (Aug 2021), which does not support rsa-sha2-{256,512}.

Ubuntu 24.04 LTS ships libssh2 1.11 (May 2023), which does support rsa-sha2-{256,512}.