[Bug 1978845] [NEW] gpg-agent on Ubuntu 18.04 does not support rsa-sha2-512 and rsa-sha2-256 signature algorithms for SSH

Launchpad Bug Tracker 1978845 at bugs.launchpad.net
Wed Jun 15 21:16:37 UTC 2022


You have been subscribed to a public bug:

On Ubuntu 18.04 with a Yubikey RSA key, we noticed SSH logins were
failing when we switched our SSH server out from OpenSSH to a custom
Golang SSH server.

We noticed that gpg-agent v2.2.6 fixes this problem via
https://github.com/gpg/gnupg/commit/80b775bdbb852aa4a80292c9357e5b1876110c00.
We highly recommend Ubuntu 18.04 either backport this patch or upgrade
to v2.2.6.

As described in https://github.com/golang/go/issues/53391, an SSH client
initiates a session via a SSH_MSG_USERAUTH_REQUEST message:

```
     byte      SSH_MSG_USERAUTH_REQUEST
     string    user name
     string    service name
     string    "publickey"
     boolean   TRUE
     string    "rsa-sha2-512"     <--- 1 - Public key algorithm name (algo) (https://datatracker.ietf.org/doc/html/rfc4252#page-8)
     string    public key blob:
         string    "ssh-rsa"      <--- 2 - Public key type (pubKey.Type())
         mpint     e
         mpint     n
     string    signature:
         string    "rsa-sha2-512" <--- 3 - Signature format (sig.Format)
         string    rsa_signature_blob
```

If an SSH server mandates that 1 and 3 match, the login will fail.
OpenSSH is a bit more relaxed here in that as long as 1 is either
`ssh-rsa`, `rsa-sha2-256`, or `rsa-sha2-512`, the signature verification
is still allowed to proceed.

This problem occurs because while OpenSSH v7.6 supports these new
algorithms, gpg-agent doesn't know about them, so it just passes along
`ssh-rsa` in 1.

** Affects: gnupg2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/1978845
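The three numbered fields of the request and the strict versus relaxed server check the report contrasts, as an added worked example in Go; this is not code from the report, from gpg-agent, from OpenSSH or from the golang.org/x/crypto/ssh package. It builds the data an SSH client signs for a "publickey" SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 7), signs it with a freshly generated RSA key and verifies it under both rules. The session identifier, the user name, and the Request, Verify and Simulate names are constructed for the example. The first case in main() is the report's mismatch, `ssh-rsa` in field 1 with an `rsa-sha2-512` signature in field 3, which the strict check rejects and the relaxed check accepts; the second case has both fields set to `rsa-sha2-512` and passes both checks.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers SHA-1, the digest of the legacy "ssh-rsa" format
	_ "crypto/sha256" // SHA-256 for "rsa-sha2-256"
	_ "crypto/sha512" // SHA-512 for "rsa-sha2-512"
	"encoding/binary"
	"fmt"
	"math/big"
)

// RFC 4251 wire types: string is a uint32 length plus bytes; mpint is two's-complement big-endian.
func putString(b *bytes.Buffer, s []byte) {
	binary.Write(b, binary.BigEndian, uint32(len(s)))
	b.Write(s)
}

func putMpint(b *bytes.Buffer, n *big.Int) {
	v := n.Bytes()
	if len(v) > 0 && v[0]&0x80 != 0 {
		v = append([]byte{0}, v...) // leading zero keeps a positive value positive
	}
	putString(b, v)
}

// Request holds the numbered fields from the report: Algo is 1, the key blob built from Pub is 2, SigFormat is 3.
type Request struct {
	User, Service, Algo, SigFormat string
	Pub                            *rsa.PublicKey
	Sig                            []byte
}

// signedData is what the client signs (RFC 4252 section 7): the session identifier
// followed by the request fields up to and including the public key blob.
func signedData(sessionID []byte, r *Request) []byte {
	var b, kb bytes.Buffer
	putString(&b, sessionID)
	b.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST (RFC 4252)
	putString(&b, []byte(r.User))
	putString(&b, []byte(r.Service))
	putString(&b, []byte("publickey"))
	b.WriteByte(1)                    // boolean TRUE: a signature is present
	putString(&b, []byte(r.Algo))     // field 1
	putString(&kb, []byte("ssh-rsa")) // field 2: key type, then e and n
	putMpint(&kb, big.NewInt(int64(r.Pub.E)))
	putMpint(&kb, r.Pub.N)
	putString(&b, kb.Bytes())
	return b.Bytes()
}

// hashFor maps a signature format name (field 3) to the digest it uses.
var hashFor = map[string]crypto.Hash{"ssh-rsa": crypto.SHA1, "rsa-sha2-256": crypto.SHA256, "rsa-sha2-512": crypto.SHA512}

// Verify is the server-side check. strict=true demands field 1 == field 3, the rule the report's Go
// server applied; strict=false accepts any of the three RSA names in field 1 and takes the digest from field 3.
func Verify(sessionID []byte, r *Request, strict bool) error {
	h, ok := hashFor[r.SigFormat]
	if _, algoOK := hashFor[r.Algo]; !ok || !algoOK {
		return fmt.Errorf("unsupported algorithm %q or signature format %q", r.Algo, r.SigFormat)
	}
	if strict && r.Algo != r.SigFormat {
		return fmt.Errorf("algorithm %q does not match signature format %q", r.Algo, r.SigFormat)
	}
	d := h.New()
	d.Write(signedData(sessionID, r))
	return rsa.VerifyPKCS1v15(r.Pub, h, d.Sum(nil), r.Sig)
}

// Simulate plays the client/agent side with a fresh key: algo goes into field 1, sigFormat is
// the format actually signed with (field 3). It returns whether a strict and a relaxed server accept.
func Simulate(algo, sigFormat string) (strictOK, relaxedOK bool, err error) {
	h, ok := hashFor[sigFormat]
	if !ok {
		return false, false, fmt.Errorf("cannot sign with unknown format %q", sigFormat)
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	sessionID := []byte("constructed session id") // constructed for the example, not a real exchange value
	r := &Request{User: "alice", Service: "ssh-connection", Algo: algo, Pub: &key.PublicKey, SigFormat: sigFormat}
	d := h.New()
	d.Write(signedData(sessionID, r))
	if r.Sig, err = rsa.SignPKCS1v15(rand.Reader, key, h, d.Sum(nil)); err != nil {
		return
	}
	return Verify(sessionID, r, true) == nil, Verify(sessionID, r, false) == nil, nil
}

func main() {
	for _, c := range [][2]string{{"ssh-rsa", "rsa-sha2-512"}, {"rsa-sha2-512", "rsa-sha2-512"}} {
		s, rl, err := Simulate(c[0], c[1])
		fmt.Printf("field1=%-13s field3=%-13s strict=%v relaxed=%v err=%v\n", c[0], c[1], s, rl, err)
	}
}
```

Note that the relaxed rule still verifies the RSA signature over the full signed data, so it only loosens which name may appear in field 1; a server that wants to refuse SHA-1 signatures should do so by rejecting `ssh-rsa` in field 3 rather than in field 1, since field 3 is the one that determines the digest actually used.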


