If you want to test this against an actual instance, you can do so via AWS:
From the console, select and launch a RHEL 8.2 AMI released by RHEL; RHEL's amazon ID is 309956199498.
A valid ami choice in region us-west-2 is ami-02f147dfb8be58a10
Launch this instance with an AWS-created RSA keys pair.
Copy the instance IP into the instanceIP var on line 12 of rsa_sha2_repro.go. Don't forget to set the port.
Call go run ssh_repro.go
. It should connect successfully.
Lock down the instance to make it reject ssh-rsa sha1 algorithms, but still accept the more secure algorithms for ssh-rsa keys:
Manually SSH onto the instance.
Once on the instance, run sudo update-crypto-policies --set FIPS
and
then sudo reboot
to restart the instance.
Now that the policy has been updated to remove the ssh-rsa algorithm, you won't be able to connect via the below code.
When UseAlgoSigner = false
, you will be able to connect normally when the instance has not had the crypto policies updated.
However, if you set UseAlgoSigner = true
, you won't be able to connect. This is becasue the publicKeyCallback in ssh/client_auth.go incorrectly assigns the algorithm as SigAlgoRSA ("ssh-rsa") instead of SigAlgoRSASHA2256 ("rsa-sha2-256"). This is the key type, but not the algorithm name in this example.
Even if we fix the publicKeyCallback, validateKey will fail for the same reason.