author | Jeff Forcier <jeff@bitprophet.org> | 2022-01-08 13:43:50 -0500 |
---|---|---|
committer | Jeff Forcier <jeff@bitprophet.org> | 2022-01-08 13:43:50 -0500 |
commit | 6699d35ad2d13fb74280a193e2e284a4a45f6f68 (patch) | |
tree | a3f0e9f24e2def4fa8c7a3b996af1a97e61d33b3 | |
parent | 5f222495b5a62f3a1c465292bcace15888f40515 (diff) |
Fix up logging and exception handling re: pubkey auth and presence/lack of server-sig-algs
Re #1961
-rw-r--r-- | paramiko/auth_handler.py | 47 | ||||
-rw-r--r-- | sites/www/changelog.rst | 7 |
2 files changed, 42 insertions, 12 deletions
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py
index da109d7c..41ec4487 100644
--- a/paramiko/auth_handler.py
+++ b/paramiko/auth_handler.py
@@ -307,19 +307,42 @@ class AuthHandler(object): "An RSA key was specified, but no RSA pubkey algorithms are configured!" # noqa ) # Check for server-sig-algs if supported & sent - server_algos = u( + server_algo_str = u( self.transport.server_extensions.get("server-sig-algs", b("")) - ).split(",") - self._log(DEBUG, "Server-side algorithm list: {}".format(server_algos)) - # Only use algos from our list that the server likes, in our own - # preference order. (NOTE: purposefully using same style as in - # Transport...expect to refactor later) - agreement = list(filter(server_algos.__contains__, my_algos)) - # Fallback: first one in our (possibly tweaked by caller) list - final = agreement[0] if agreement else my_algos[0] - self.transport._agreed_pubkey_algorithm = final - self._log(DEBUG, "Agreed upon {!r} pubkey algorithm".format(final)) - return final + ) + pubkey_algo = None + if server_algo_str: + server_algos = server_algo_str.split(",") + self._log( + DEBUG, "Server-side algorithm list: {}".format(server_algos) + ) + # Only use algos from our list that the server likes, in our own + # preference order. (NOTE: purposefully using same style as in + # Transport...expect to refactor later) + agreement = list(filter(server_algos.__contains__, my_algos)) + if agreement: + pubkey_algo = agreement[0] + self._log( + DEBUG, + "Agreed upon {!r} pubkey algorithm".format(pubkey_algo), + ) + else: + self._log(DEBUG, "No common pubkey algorithms exist! Dying.") + # TODO: MAY want to use IncompatiblePeer again here but that's + # technically for initial key exchange, not pubkey auth. + err = "Unable to agree on a pubkey algorithm for signing a {!r} key!" 
# noqa + raise AuthenticationException(err.format(key_type)) + else: + # Fallback: first one in our (possibly tweaked by caller) list + pubkey_algo = my_algos[0] + msg = "Server did not send a server-sig-algs list; defaulting to our first preferred algo ({!r})" # noqa + self._log(DEBUG, msg.format(pubkey_algo)) + self._log( + DEBUG, + "NOTE: you may use the 'disabled_algorithms' SSHClient/Transport init kwarg to disable that or other algorithms if your server does not support them!", # noqa + ) + self.transport._agreed_pubkey_algorithm = pubkey_algo + return pubkey_algo def _parse_service_accept(self, m): service = m.get_text() diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index ef7ed367..61a92acb 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,13 @@ Changelog ========= +- :bug:`-` Connecting to servers which support ``server-sig-algs`` but which + have no overlap between that list and what a Paramiko client supports, now + raise an exception instead of defaulting to ``rsa-sha2-512`` (since the use + of ``server-sig-algs`` allows us to know what the server supports). +- :bug:`-` Enhanced log output when connecting to servers that do not support + ``server-sig-algs`` extensions, making the new-as-of-2.9 defaulting to SHA2 + pubkey algorithms more obvious when it kicks in. - :release:`2.9.1 <2021-12-24>` - :bug:`1955` Server-side support for ``rsa-sha2-256`` and ``ssh-rsa`` wasn't fully operable after 2.9.0's release (signatures for RSA pubkeys were always |
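Review bot: The new `AuthenticationException` raised in the no-overlap branch drops the information an operator needs to fix the mismatch: the server's advertised list and our `my_algos` are only emitted at DEBUG, so the message callers actually see names nothing but the key type. Consider `err = "Unable to agree on a pubkey algorithm for signing a {!r} key (server offers {!r}, we offer {!r})!"` and `raise AuthenticationException(err.format(key_type, server_algos, my_algos))` so the failure is diagnosable without enabling debug logging. The same applies to the fallback branch, where the hint about `disabled_algorithms` is also DEBUG-only and will be missed by exactly the users who hit the SHA-2 default against a server that rejects it. Also, the server-sent `server-sig-algs` value is untrusted pre-auth data that only filters our own preference order, so an overlap consisting solely of `ssh-rsa` (if that is still present in `my_algos`) silently selects SHA-1 signing and deserves a log line above DEBUG. The enclosing method starts before the hunk.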