diff options
| -rw-r--r-- | sites/www/changelog.rst | 4 | ||||
| -rw-r--r-- | tests/test_transport.py | 13 |
2 files changed, 17 insertions, 0 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index eeae86ef..091fe118 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -2,6 +2,10 @@ Changelog ========= +- :bug:`1955` Server-side support for ``rsa-sha2-256`` and ``ssh-rsa`` wasn't + fully operable after 2.9.0's release (signatures for RSA pubkeys were always + run through ``rsa-sha2-512`` instead). Report and early stab at a fix + courtesy of Jun Omae. - :release:`2.9.0 <2021-12-23>` - :feature:`1643` (also :issue:`1925`, :issue:`1644`, :issue:`1326`) Add support for SHA-2 variants of RSA key verification algorithms (as described diff --git a/tests/test_transport.py b/tests/test_transport.py index 6145e5cb..77ffd6c1 100644 --- a/tests/test_transport.py +++ b/tests/test_transport.py @@ -1438,3 +1438,16 @@ class TestSHA2SignaturePubkeys(unittest.TestCase): ) as (tc, ts): assert tc.is_authenticated() assert tc._agreed_pubkey_algorithm == "rsa-sha2-256" + + def test_sha2_256_when_client_only_enables_256(self): + privkey = RSAKey.from_private_key_file(_support("test_rsa.key")) + with server( + pubkeys=[privkey], + connect=dict(pkey=privkey), + # Client-side only; server still accepts all 3. + client_init=dict( + disabled_algorithms=dict(pubkeys=["ssh-rsa", "rsa-sha2-512"]) + ), + ) as (tc, ts): + assert tc.is_authenticated() + assert tc._agreed_pubkey_algorithm == "rsa-sha2-256" |