Stan Hu authored
When we put gitlab-sshd in production, we noticed a number of clients
using RSA keys would fail to log in. The server would report:

```
ssh: signature "ssh-rsa" not compatible with selected algorithm "rsa-sha2-512"
```

This is reproducible on Ubuntu 18.04, which ships gpg-agent v2.2.4 and
OpenSSH v7.6. That version of gpg-agent does not support
`rsa-sha2-256` or `rsa-sha2-512`, but OpenSSH does. As a result,
OpenSSH specifies `rsa-sha2-512` as the public key algorithm to use in
the user authentication request message, but gpg-agent includes an
`ssh-rsa` signature. OpenSSH servers tolerate this discrepancy, but
the Go implementation fails because it expects a strict match.

This commit pulls in
https://gitlab.com/gitlab-org/golang-crypto/-/merge_requests/9 to fix
the problem.

Relates to:

1. https://github.com/golang/go/issues/53391
2. https://gitlab.com/gitlab-org/gitlab-shell/-/issues/587

Changelog: fixed
72d615be
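
The mismatch described in the commit message, as an added Go example that is not the gitlab-sshd or golang-crypto code: it reads the format name at the front of an SSH signature blob and compares it with the algorithm named in the authentication request, strictly or with the `ssh-rsa` discrepancy tolerated. The names `sshString`, `sigFormat`, `checkSig` and `tolerateLegacyRSA` are hypothetical, and the blob is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// sshString encodes b as an RFC 4251 string: uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// sigFormat returns the format name that leads an SSH signature blob
// (string format, then string signature bytes).
func sigFormat(blob []byte) (string, error) {
	if len(blob) < 4 {
		return "", errors.New("short signature blob")
	}
	n := binary.BigEndian.Uint32(blob)
	if uint64(n) > uint64(len(blob)-4) {
		return "", errors.New("format length exceeds blob")
	}
	return string(blob[4 : 4+n]), nil
}

// checkSig compares the algorithm named in the auth request with the
// signature's own format. With tolerateLegacyRSA set (an assumption of this
// example), an "ssh-rsa" signature is accepted for an rsa-sha2-* request.
func checkSig(requestAlgo string, blob []byte, tolerateLegacyRSA bool) error {
	format, err := sigFormat(blob)
	if err != nil {
		return err
	}
	rsaSHA2 := requestAlgo == "rsa-sha2-256" || requestAlgo == "rsa-sha2-512"
	if format == requestAlgo || (tolerateLegacyRSA && rsaSHA2 && format == "ssh-rsa") {
		return nil
	}
	return fmt.Errorf("ssh: signature %q not compatible with selected algorithm %q", format, requestAlgo)
}

func main() {
	// Constructed blob: "ssh-rsa" format with placeholder signature bytes.
	blob := append(sshString([]byte("ssh-rsa")), sshString([]byte{0xde, 0xad})...)
	fmt.Println("strict:  ", checkSig("rsa-sha2-512", blob, false))
	fmt.Println("tolerant:", checkSig("rsa-sha2-512", blob, true))
}
```

This only decides whether the format name is acceptable; a server that tolerates the mismatch still has to verify the signature bytes according to the signature's own format, which for `ssh-rsa` means RSA with SHA-1 (RFC 4253).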