Apply less restrictive signature key algorithm check

tobischo · tobischo · commit a878079a19cd · 2023-06-15T16:37:17.000+02:00
Addresses same issue as golang/go#56342
diff --git a/ssh/client_auth.go b/ssh/client_auth.go
@@ -371,7 +371,12 @@ func confirmKeyAck(key PublicKey, algo string, c packetConn) (bool, error) {
 			if err := Unmarshal(packet, &msg); err != nil {
 				return false, err
 			}
-			if msg.Algo != algo || !bytes.Equal(msg.PubKey, pubKey) {
+			// if msg.Algo != algo || !bytes.Equal(msg.PubKey, pubKey) {
+			// Some SSH servers do not respond with the approviate given algorithm that
+			// was selected based on the server-sig-algs.
+			// We therefore want to accept any algorithm that is acceptable to us.
+			keyAlgos := algorithmsForKeyFormat(key.Type())
+			if !contains(keyAlgos, msg.Algo) || !bytes.Equal(msg.PubKey, pubKey) {
 				return false, nil
 			}
 			return true, nil

Original file line number	Diff line number	Diff line change
`@@ -371,7 +371,12 @@ func confirmKeyAck(key PublicKey, algo string, c packetConn) (bool, error) {`
`371`	`371`	`if err := Unmarshal(packet, &msg); err != nil {`
`372`	`372`	`return false, err`
`373`	`373`	`}`
`374`		`- if msg.Algo != algo \|\| !bytes.Equal(msg.PubKey, pubKey) {`
	`374`	`+ // if msg.Algo != algo \|\| !bytes.Equal(msg.PubKey, pubKey) {`
	`375`	`+ // Some SSH servers do not respond with the approviate given algorithm that`
	`376`	`+ // was selected based on the server-sig-algs.`
	`377`	`+ // We therefore want to accept any algorithm that is acceptable to us.`
	`378`	`+ keyAlgos := algorithmsForKeyFormat(key.Type())`
	`379`	`+ if !contains(keyAlgos, msg.Algo) \|\| !bytes.Equal(msg.PubKey, pubKey) {`
`375`	`380`	`return false, nil`
`376`	`381`	`}`
`377`	`382`	`return true, nil`