Roumen and I have exchanged details over the weekend. My understanding now
is as follows.

*Server-side situation:*

OpenSSH versions before 7.5 (such as 7.3) send the "server-sig-algs"
extension, but they only use it to indicate support for "rsa-sha2-512" and
"rsa-sha2-256". They do not include other public key algorithms that the
server supports, even though the server will accept those algorithms if
they are attempted.

It is intended that the server should send a complete set of accepted
public key algorithms. My understanding is that OpenSSH versions 7.5 and
later do this. Bitvise SSH Server has always sent a complete list.

*Client-side situation:*

There exist clients which have problems with OpenSSH 7.3 behavior, and
clients that don't.

*Clients with explicit public key configuration.* Bitvise SSH Client does
not have a problem with this behavior, because it does not use public keys
opportunistically. Our SSH Client will use a public key to authenticate
only if the key is explicitly configured by the user. It will use only the
requested key, and not other keys that it may find in various places of
storage.

As a result, our SSH Client has no use for a hint from the server about
which key types are OK to use. It already knows the key it's going to use.
The question is what signature algorithm (now renamed "public key
algorithm") to use with that key. For this purpose, the information sent by
OpenSSH is sufficient, regardless of version. For RSA keys, the
"server-sig-algs" extension provides the info. For non-RSA keys, there's
only one algorithm possible anyway, so we use it.

*Clients with opportunistic key search.* Other SSH clients, including
OpenSSH and PKIXSSH (Roumen's work) do not require a public key to be
explicitly configured in order to be used. Such clients perform an
opportunistic search, and try to use any and all keys that might work that
can be found in various places of storage. This includes the user's .ssh
directory, keys available via the SSH agent protocol, and keys specified on
the command line.

These types of clients have a problem, because:

- In OpenSSH versions 7.5 and higher, the client can use the list of
algorithms sent in the server's "server-sig-algs" extension to narrow down
the public keys it's going to try. If the server doesn't list ECDSA or DSA,
for example, the client can take that as authoritative, and can exclude
those keys from authentication. This is nice because it may involve trying
fewer keys.

- In OpenSSH version 7.3, the server will only send "rsa-sha2-256" and
"rsa-sha2-512", even if the server also accepts ECDSA and other algorithms.
This means the client needs to have explicit treatment to detect the
OpenSSH protocol version. If the OpenSSH version is older than 7.5,
"server-sig-algs" can still be used to enable the use of "rsa-sha2-XXXX"
instead of "ssh-rsa", but it cannot be used to exclude non-RSA keys in
authentication.

*Options:*

*(A) Rename extension.* Roumen has requested that we rename the
"server-sig-algs" extension and make it clear that the server must send all
algorithms it will accept.

I think this is not the best thing to do for the following reasons:

- There are multiple implementations of this extension which are not
impacted by the OpenSSH 7.3 issue. These implementations would suffer from
the rename.

- Implementations that are impacted by the OpenSSH 7.3 issue may still have
a requirement to interoperate with OpenSSH 7.5, as well as other servers
that currently send "server-sig-algs" with a complete list of algorithms.
For such implementations, renaming the extension is again not a fix, but a
further complication.

*(B) Workaround by clients that need it.* My suggestion is that clients
that use opportunistic key search, and wish to interoperate with OpenSSH
7.3, should implement a compatibility workaround for the way
"server-sig-algs" is sent by that version.

I think this is the better solution for the following reasons:

- There are multiple implementations which are already not affected by the
issue, whether communicating with OpenSSH or between themselves. In this
case, those implementations do not need to change anything.

- The work required for clients with opportunistic key search is similar to
the work required in above option A), *assuming *those clients want to
interoperate with OpenSSH 7.5+ and other existing servers that send
"server-sig-algs" with a complete list of algorithms.

In addition, it appears the draft needs to be clarified to state:

- The server SHOULD send a complete list of public key algorithms it will
accept for user authentication.

- The client MAY authenticate with a public key algorithm not included in
the server's list.

At this time, I will make this update to the draft.

denis



On Fri, May 5, 2017 at 4:15 AM, denis bider <denisbider.ietf@gmail.com>
wrote:

> Talking to Roumen off-list to gain a better understanding of his
> implementation, and why it has trouble dealing with "server-sig-algs" sent
> by OpenSSH versions before 7.5. Our implementation does not have trouble.
> His implementation might though, perhaps due to different combinations of
> supported algorithms, and/or a different design approach. Trying to
> understand this better. Will post when I do.
>
> On Fri, May 5, 2017 at 12:18 AM, denis bider <denisbider.ietf@gmail.com>
> wrote:
>
>> Although my below response was self-explanatory, it is not sufficient. It
>> requires elaboration:
>>
>> - The extension being specified is already deployed in a variety of
>> implementations, not only OpenSSH. (See [1] at bottom)
>>
>> - Since the draft thus far remains compatible with existing
>> implementations, changing the name of the extension would break
>> compatibility.
>>
>> - Breaking compatibility with existing implementations requires a
>> substantive reason. I am currently not aware of a substantive reason to do
>> this.
>>
>> - A problem in particular versions of a particular implementation is not
>> a substantive reason. Idiosyncrasies of specific implementations are
>> handled by others recognizing the SSH version string, not diverging the
>> protocol.
>>
>> - It is not clear to me that the problem you reference in OpenSSH
>> versions prior to 7.5 is a problem that needs to be addressed at this level.
>>
>> - In a previous message, Damien Miller, who is representative of OpenSSH
>> in this forum, has expressed a preference to keep the same extension name.
>>
>> To be clear, the extension name is not one I'm overly happy with. In
>> fact, I had changed the name of the extension from "server-sig-algs" to
>> something more appropriate in an early version of the draft. However, by
>> that time, another implementation already picked up "server-sig-algs".
>>
>> For this reason, I changed the spec back to "server-sig-algs". Although
>> the name is not ideal, it is now in use; and the name being ideal is
>> strictly less important than there being one identifier; and one identifier
>> only; for the same concept, if reasonably possible.
>>
>> I stand by this decision, and think it's incorrect to modify the name at
>> this time, unless the mechanics of the extension are changed in some way
>> that's fundamental.
>>
>> [1] According to this excellent, but at this time slightly outdated
>> comparison:
>>
>> http://ssh-comparison.quendi.de/comparison/hostkey.html
>>
>> ... implementations of rsa-sha2-*** public key algorithms include
>> AsyncSSH, SmartFTP, and OpenSSH. Bitvise SSH Server and Client also support
>> them, but this is not listed in the chart. This leads me to believe there
>> may be other implementations also. I know that at least three of these
>> implementations also implement the "server-sig-algs" extension under its
>> current name.
>>
>>
>> On Thu, May 4, 2017 at 11:12 PM, denis bider <denisbider.ietf@gmail.com>
>> wrote:
>>
>>> > 10x for new versions.
>>>
>>> You don't even have the decency to spell that.
>>>
>>>
>>> > The name of extension "server-sig-algs" must be changed as well.
>>>
>>> No fucking way. Fuck off.
>>>
>>>
>>>
>>> On Thu, May 4, 2017 at 1:17 PM, Румен Петров <pkixssh@roumenpetrov.info>
>>> wrote:
>>>
>>>> Hi denis,
>>>>
>>>> denis bider wrote:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> in the interest of consensus, I have adopted the requested terminology
>>>>> changes in the two drafts. What was previously "signature algorithm"
>>>>> is now
>>>>> "public key algorithm", and what was previously "public key algorithm"
>>>>> is
>>>>> now "public key format".
>>>>>
>>>>> Please review and let me know.
>>>>>
>>>> 10x for new versions.
>>>>
>>>> Main context of *draft-ietf-curdle-rsa-sha2-07.txt* is fine with me.
>>>> I still think that chapter 4 IANA Considerations could be simplified to
>>>> list only public key algorithm but this is not so important.
>>>> The chapter refer to RFC4250 but section 7.1 Normative References lack
>>>> reference to it. May be is good to list RFC4250 as well.
>>>> No other remarks.
>>>>
>>>>
>>>>
>>>> About draft-ietf-curdle-ssh-ext-info-06.txt:
>>>> The name of extension "server-sig-algs" must be changed as well.
>>>> First because extension contain  abbreviation of signature in name
>>>> (description is fine),
>>>> second because existing implementation does not follow rules from
>>>> RFC4250, section 4.6.1. "Conventions for Names" and
>>>> third(!) due to broken OpenSSH implementation: " ...where SHA2 RSA
>>>> signature methods were not being correctly advertised..." fixed in 7.5.
>>>>
>>>>
>>>> [SNIP]
>>>>
>>>> Regards,
>>>> Roumen Petrov
>>>>
>>>>
>>>> _______________________________________________
>>>> Curdle mailing list
>>>> Curdle@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/curdle
>>>>
>>>
>>>
>>
>