[PATCH] dropbear: make rsa-sha2-256 pubkeys usable again

Petr Štetiar ynezz at true.cz
Mon Jul 20 08:36:47 EDT 2020

Matt Johnston <matt at ucc.asn.au> [2020-07-19 11:32:56]:
> It looks like gpg-agent added support in 2.2.5. OpenSSH client 7.7 or later will print a warning about it.
> https://dev.gnupg.org/T3880

 Debian 9     (EOL on June 30, 2022) has the following: gpg-agent (GnuPG) 2.1.18, OpenSSH_7.4p1
 Ubuntu 18.04 (EOL in April 2023)    has the following: gpg-agent (GnuPG) 2.2.4,  OpenSSH_7.6p1

> I don't think there's anything to change server side - the client is sending
> the wrong signature type.

BTW latest OpenSSH server version 8.3 works fine with those broken clients, so
perhaps there is no such strict checking in place or such?

> Old Dropbear worked OK because it didn't advertise rsa-sha2-256 support, so
> the client didn't try it.

As you can see, there are some users with broken clients which are unable to
use Dropbear version > 2019.78. Dropbear is shipped by default in OpenWrt and
it's likely that the next OpenWrt release will ship with Dropbear version >=
2020.80 and users with those broken clients wouldn't be able to SSH into their
devices after the upgrade.

Nonetheless I've closed the PR and we'll just keep this workaround for those
broken clients in our tree.

-- ynezz
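
The mismatch the thread is about, as an added example that is neither Dropbear code nor part of the original mail: the client names one algorithm (pkalg) in its userauth request, but the signature blob it sends back names another. The code below parses the blob's SSH wire format and classifies the disagreement; the blobs are constructed samples with dummy signature bytes, and the category names are assumptions made for this example.

```python
"""Detect the rsa-sha2-256 / ssh-rsa signature-type mismatch described in the thread."""
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; returns (bytes, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:end], end

def parse_signature_blob(blob: bytes):
    """A userauth signature blob is two strings: algorithm name, then raw signature."""
    algo, off = read_ssh_string(blob, 0)
    sig, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return algo.decode("ascii"), sig

def classify_sigtype(requested_pkalg: str, blob: bytes) -> str:
    """Compare the pkalg from the userauth request with the name inside the blob.

    'ok'             - names agree; verify with the hash that algorithm implies
    'legacy-ssh-rsa' - server was asked for rsa-sha2-*, client answered with a
                       SHA-1 'ssh-rsa' signature (the old gpg-agent case above)
    'mismatch'       - any other disagreement; a strict server rejects it
    (category names are this example's own, not Dropbear's)
    """
    algo, _ = parse_signature_blob(blob)
    if algo == requested_pkalg:
        return "ok"
    if algo == "ssh-rsa" and requested_pkalg in ("rsa-sha2-256", "rsa-sha2-512"):
        return "legacy-ssh-rsa"
    return "mismatch"

# Constructed sample blobs; the signature bytes are dummies, only the names matter here.
GOOD_BLOB = ssh_string(b"rsa-sha2-256") + ssh_string(b"\x01" * 32)
LEGACY_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x02" * 32)

if __name__ == "__main__":
    print(classify_sigtype("rsa-sha2-256", GOOD_BLOB))    # ok
    print(classify_sigtype("rsa-sha2-256", LEGACY_BLOB))  # legacy-ssh-rsa
```

Logging the 'legacy-ssh-rsa' case on the server side is an easy way to find out which clients in a fleet will break before a Dropbear upgrade rather than after it.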

More information about the openwrt-devel mailing list