Hello gophers,

Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements client authentication support for signature algorithms based on SHA-2 for use with existing RSA keys.

Previously, a client would fail to authenticate with RSA keys to servers that reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 <https://www.openssh.com/txt/release-8.8> by default and—starting today March 15, 2022 <https://github.blog/changelog/2022-03-15-removed-unencrypted-git-protocol-and-certain-ssh-keys/>—github.com for recently uploaded keys.

We are providing this announcement as the error (“ssh: unable to authenticate”) might otherwise be difficult to troubleshoot.

Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also fixes a potential security issue where an attacker could cause a crash in a golang.org/x/crypto/ssh server under these conditions:

- The server has been configured by passing a Signer <https://pkg.go.dev/golang.org/x/crypto/ssh#Signer> to ServerConfig.AddHostKey <https://pkg.go.dev/golang.org/x/crypto/ssh#ServerConfig.AddHostKey>.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner <https://pkg.go.dev/golang.org/x/crypto/ssh#AlgorithmSigner>.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.

Servers that only use Signer implementations provided by the ssh package are unaffected.

This is CVE-2022-27191.

Until next time,
Filippo for the Go Security team
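
To check whether a project pins a golang.org/x/crypto version older than the two pseudo-versions named above, the following added example (not part of the original message or of the Go project's code) scans go.mod text and compares the pseudo-version timestamp. The names CheckGoMod and Status, the sample go.mod, and the rule that any version other than a v0.0.0 pseudo-version is a later tagged release containing both changes are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pseudo-version timestamps of the two releases named in the announcement.
const (
	tsCrashFix = "20220314234659" // CVE-2022-27191 server crash fix
	tsSHA2Auth = "20220315160706" // SHA-2 signatures for RSA client keys
)
var pseudoRE = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)

// Status says which of the two changes a pinned x/crypto version contains.
type Status struct {
	Version            string
	CrashFix, SHA2Auth bool
}

// CheckGoMod finds the golang.org/x/crypto requirement in go.mod text.
// Assumption: a version that is not a v0.0.0 pseudo-version is a later
// tagged release and contains both changes.
func CheckGoMod(gomod string) (st Status, found bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0])
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form: require <path> <version>
		}
		if len(f) != 2 || f[0] != "golang.org/x/crypto" {
			continue
		}
		st = Status{Version: f[1], CrashFix: true, SHA2Auth: true}
		if m := pseudoRE.FindStringSubmatch(f[1]); m != nil {
			// Fixed-width timestamps compare correctly as strings.
			st.CrashFix, st.SHA2Auth = m[1] >= tsCrashFix, m[1] >= tsSHA2Auth
		}
		return st, true
	}
	return Status{}, false
}

// Constructed sample go.mod; the pinned version is made up for the example.
const sample = "module example.com/app\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20210101000000-0123456789ab\n)\n"

func main() {
	st, found := CheckGoMod(sample)
	fmt.Printf("found=%v %+v\n", found, st)
}
```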