rkitover/net-ssh2

Support for new RSA SHA2 host key types in LSBSSH2_METHOD_HOSTKEYS method

rwsmith61 opened this issue · 4 comments

I need to query the hostkey types of all our network devices to find any that are still using the now deprecated RSA SHA1 hostkeys. Currently if I query using $ssh->method(LIBSSH2_METHOD_HOSTKEY), and per the Net::SSH2 documentation, I only get returned either of two values: "ssh-rsa" or "ssh-dsa".

I need to get the latest RSA hostkey types as per the latest OpenSSH: "rsa-sha2-256" or "rsa-sha2-512" (and/or any others that have been added in the past few years).

@salva can you take care of this, I'm being prevented by the US government from doing anything right now.

Update: I have tried two different methods

  1. setting $ssh->method(LIBSSH2_METHOD_HOSTKEY, qw(ssh-dss)) or even $ssh->method(LIBSSH2_METHOD_HOSTKEY, qw(ssh-dss rsa-sha2-256 rsa-sha2-512)) (no effect for last two words) to eliminate ssh-rsa and testing $ssh->connect(<host>) only effectively tells me which devices do not support ssh-dss. It also tells me that Net::SSH2 cannot negotiate rsa-sha2-256 and rsa-sha2-512 which is a deficiency.

  2. setting $ssh->method(LIBSSH2_METHOD_HOSTKEY, qw(ssh-rsa)) and then after the connect, retrieve the remote key with my $hostkey = $ssh->remote_hostkey() and then looking at length $hostkey may produce some false negatives. I.e. I believe rsa-sha2-256 and rsa-sha2-512 can be used with key lengths of 2048 (correct me if I am wrong).

As an aside to and within point 2, it would be nice to have a method, remote_hostkey_len, to return the key length in bits of the remote hostkey.

I've looked into this.

Calling:

$hostkey_type = $ssh->method(LIBSSH2_METHOD_HOSTKEY);

calls the libssh2 function libssh2_session_methods(). That is what it returns. You can take this up with the libssh2 developers if you want different functionality; their GitHub repository is https://github.com/libssh2/libssh2 . Whatever they change it to will work in the Perl module because that function returns a string.

The second parameter to $ssh->method calls the libssh2 function libssh2_session_method_pref() and is passed to its prefs parameter as a string. Again, whatever changes are made in libssh2 will work here as well.

Calling $ssh->remote_hostkey calls the libssh2 function libssh2_session_hostkey(). If you believe it is behaving incorrectly, again this is controlled by libssh2.

I believe I have a solution to your original problem however.

If you call:

$hostkey = $ssh->remote_hostkey;

and then print out the value of $hostkey, the prefix will be the key type. For example, on my Gentoo system it is ecdsa-sha2-nistp256; maybe a longer or shorter prefix, I don't know. Print it out in any event and you will see.

Hope that helps.
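As an added example, not code from the Net::SSH2 project or from either commenter, here is how to decode the blob that $ssh->remote_hostkey returns. The blob is the SSH public key wire format (the same bytes as the base64 field of a known_hosts or ssh-keyscan line): a length-prefixed key-type string followed by the key fields, which is why printing it shows the type as a prefix. One caveat matters for the audit described in this issue: RFC 8332 keeps the "ssh-rsa" key encoding, so an RSA host key reads ssh-rsa in the blob whether the server signed the key exchange with ssh-rsa (SHA-1) or with rsa-sha2-256/rsa-sha2-512. The negotiated signature algorithm is what $ssh->method(LIBSSH2_METHOD_HOSTKEY) reports after connect, and it can only be rsa-sha2-* on a libssh2 that implements those methods. The example also pulls the RSA modulus size out of the blob, which is the "key length in bits" asked for above. It runs on constructed sample blobs, not real keys; the Net::SSH2 calls are shown in a trailing comment because they need a reachable host.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Decode one SSH "string" (4-byte big-endian length + bytes) at offset $pos.
sub read_string {
    my ($blob, $pos) = @_;
    die "truncated host key blob\n" if $pos + 4 > length $blob;
    my $len = unpack 'N', substr $blob, $pos, 4;
    die "truncated host key blob\n" if $pos + 4 + $len > length $blob;
    return (substr($blob, $pos + 4, $len), $pos + 4 + $len);
}

# Bit length of an SSH mpint: big-endian magnitude with a leading 0x00 byte
# when its top bit is set (RFC 4251 section 5).
sub mpint_bits {
    my ($mp) = @_;
    $mp =~ s/^\x00+//;
    return 0 if $mp eq '';
    my $bits  = 8 * (length($mp) - 1);
    my $first = ord substr $mp, 0, 1;
    while ($first) { $bits++; $first >>= 1 }
    return $bits;
}

# Return { type => ..., bits => ... } for a public key blob as returned by
# $ssh->remote_hostkey (RFC 4253 s6.6 for ssh-rsa/ssh-dss, RFC 5656 for
# ecdsa-sha2-*, RFC 8709 for ssh-ed25519). Note that an RSA key is
# "ssh-rsa" here regardless of the rsa-sha2-* signature negotiated.
sub hostkey_info {
    my ($blob) = @_;
    my ($type, $pos) = read_string($blob, 0);
    my %info = (type => $type);
    if ($type eq 'ssh-rsa') {
        (my $e, $pos) = read_string($blob, $pos);   # public exponent
        (my $n, $pos) = read_string($blob, $pos);   # modulus: its size is the key length
        $info{bits} = mpint_bits($n);
    }
    elsif ($type eq 'ssh-dss') {
        (my $p, $pos) = read_string($blob, $pos);   # p (then q, g, y follow)
        $info{bits} = mpint_bits($p);
    }
    elsif ($type =~ /^ecdsa-sha2-nistp(\d+)$/) {
        $info{bits} = $1;                           # curve size is the key size
    }
    elsif ($type eq 'ssh-ed25519') {
        (my $a, $pos) = read_string($blob, $pos);
        $info{bits} = 8 * length $a;                # 32-byte point, always 256
    }
    return \%info;
}

# Same decoding for a "host type base64" line from ssh-keyscan or known_hosts.
sub hostkey_info_from_line {
    my ($line) = @_;
    my (undef, $alg, $b64) = split ' ', $line;
    my $info = hostkey_info(decode_base64($b64));
    die "type mismatch: line says $alg, blob says $info->{type}\n"
        if $alg ne $info->{type};
    return $info;
}

# Constructed sample blobs (not real keys): a 2048-bit RSA modulus of all
# ones and an ed25519 key of all zeros, packed with the N/a* template.
my %samples = (
    rsa     => pack('N/a* N/a* N/a*', 'ssh-rsa', "\x01\x00\x01", "\x00" . ("\xff" x 256)),
    ed25519 => pack('N/a* N/a*', 'ssh-ed25519', "\x00" x 32),
);
for my $name (sort keys %samples) {
    my $k = hostkey_info($samples{$name});
    printf "%-8s type=%-20s bits=%d\n", $name, $k->{type}, $k->{bits};
}

# Live use against a device (needs a reachable host, so not executed here):
#   use Net::SSH2;
#   my $ssh = Net::SSH2->new;
#   $ssh->connect($host) or die "connect failed";
#   # On a libssh2 that implements rsa-sha2-*, this reports the negotiated
#   # signature algorithm ("rsa-sha2-256", "rsa-sha2-512", or "ssh-rsa" if
#   # the exchange fell back to SHA-1); older libssh2 can only say "ssh-rsa".
#   my $negotiated = $ssh->method(LIBSSH2_METHOD_HOSTKEY);
#   my $k = hostkey_info($ssh->remote_hostkey);   # $k->{type} stays "ssh-rsa" for any RSA key
```

For the audit in this issue, the decision should therefore rest on the negotiated name from method(LIBSSH2_METHOD_HOSTKEY) taken from a client whose libssh2 can offer rsa-sha2-256/512, while the blob decoder above answers the separate questions of key type and modulus size; a 2048-bit modulus tells you nothing about which hash the server is willing to sign with.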

Update: For the initial comment, I was working from an Ubuntu 22.04 LTS release. The issue is that Ubuntu 22.04 LTS comes with support for the libssh2 1.10 release (Aug 2021), which does not support rsa-sha2-{256,512}.

Ubuntu 24.04 LTS supports libssh2 1.11 (May 2023), which does support rsa-sha2-{256,512}.