author | Jeff Forcier <jeff@bitprophet.org> | 2022-04-22 19:11:03 -0400 |
committer | Jeff Forcier <jeff@bitprophet.org> | 2022-04-22 19:12:32 -0400 |
commit | 7a2c84afaada7a513ee482ba36e8848528b6f5f3 (patch) | |
tree | 2494ec3ce75a1360800531deb33e3593198e6377 | |
parent | 239d2bd7a620be5cdaaa26f981ea72f5f55c9050 (diff) |
Add -cert-v01@openssh.com variants to accepted host key algorithms
Solves #2035
-rw-r--r-- | paramiko/transport.py | 10 | ||||
-rw-r--r-- | sites/www/changelog.rst | 4 | ||||
-rw-r--r-- | tests/test_transport.py | 8 |
3 files changed, 20 insertions, 2 deletions
diff --git a/paramiko/transport.py b/paramiko/transport.py
index b99b3278..83cedbf6 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -549,7 +549,15 @@ class Transport(threading.Thread, ClosingContextManager):
 
     @property
     def preferred_keys(self):
-        return self._filter_algorithm("keys")
+        # Interleave cert variants here; resistant to various background
+        # overwriting of _preferred_keys, and necessary as hostkeys can't use
+        # the logic pubkey auth does re: injecting/checking for certs at
+        # runtime
+        filtered = self._filter_algorithm("keys")
+        return tuple(
+            filtered
+            + tuple("{}-cert-v01@openssh.com".format(x) for x in filtered)
+        )
 
     @property
     def preferred_pubkeys(self):
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 067a73ba..eb1e0704 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,10 @@
 Changelog
 =========
 
+- :bug:`2035` Servers offering certificate variants of hostkey algorithms (eg
+  ``ssh-rsa-cert-v01@openssh.com``) could not have their host keys verified by
+  Paramiko clients, as it only ever considered non-cert key types for that part
+  of connection handshaking. This has been fixed.
 - :release:`2.10.3 <2022-03-18>`
 - :release:`2.9.3 <2022-03-18>`
 - :bug:`1963` (via :issue:`1977`) Certificate-based pubkey auth was
diff --git a/tests/test_transport.py b/tests/test_transport.py
index 77ffd6c1..2eb95b31 100644
--- a/tests/test_transport.py
+++ b/tests/test_transport.py
@@ -1121,7 +1121,12 @@ class AlgorithmDisablingTests(unittest.TestCase):
         t = Transport(sock=Mock())
         assert t.preferred_ciphers == t._preferred_ciphers
         assert t.preferred_macs == t._preferred_macs
-        assert t.preferred_keys == t._preferred_keys
+        assert t.preferred_keys == tuple(
+            t._preferred_keys
+            + tuple(
+                "{}-cert-v01@openssh.com".format(x) for x in t._preferred_keys
+            )
+        )
         assert t.preferred_kex == t._preferred_kex
 
     def test_preferred_lists_filter_disabled_algorithms(self):
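Review bot: The comment on the first added line says the cert variants are "interleaved", but the expression that follows appends them: `filtered` is followed by the entire `-cert-v01@openssh.com` list, so every plain host key type is preferred over every certificate type during host key algorithm negotiation (a weaker plain type earlier in `_preferred_keys` will be offered ahead of a stronger certificate type). If appending is the intent, the comment should say so, e.g. `# Append cert variants after the plain key types; resistant to various background`; if interleaving is the intent, build the pairs per key type instead, `return tuple(t for x in filtered for t in (x, "{}-cert-v01@openssh.com".format(x)))`, and update the mirrored expectation in tests/test_transport.py accordingly. Note also that the variants are derived from the already-filtered list, so a `disabled_algorithms["keys"]` entry that names a cert variant directly rather than its base type appears to have no effect — worth stating in the comment or the changelog. The Transport class continues outside the hunk.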
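Review bot: The replacement assertion in the tests/test_transport.py hunk (the test method's header is outside the hunk) reproduces the implementation's own construction of `t.preferred_keys`, so it would pass even if implementation and test shared the same mistake in suffix or ordering. One or two concrete checks independent of how the tuple is built would pin the contract, e.g. `assert "ssh-dss-cert-v01@openssh.com" in t.preferred_keys` (the second hunk shows `ssh-dss` is in `t._preferred_keys`) and `assert t.preferred_keys.index("ssh-dss") < t.preferred_keys.index("ssh-dss-cert-v01@openssh.com")` if the plain-before-cert ordering is intended.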
@@ -1140,6 +1145,7 @@ class AlgorithmDisablingTests(unittest.TestCase):
         assert "hmac-md5" not in t.preferred_macs
         assert "ssh-dss" in t._preferred_keys
         assert "ssh-dss" not in t.preferred_keys
+        assert "ssh-dss-cert-v01@openssh.com" not in t.preferred_keys
         assert "diffie-hellman-group14-sha256" in t._preferred_kex
         assert "diffie-hellman-group14-sha256" not in t.preferred_kex
|