go-x-crypto/ssh/client_auth.go, branch main

ssh: respect signer's algorithm preference in pickSignatureAlgorithm

2026-03-23T15:34:51Z

Previously, pickSignatureAlgorithm constructed the list of candidate algorithms by iterating over the static list returned by algorithmsForKeyFormat. This caused the Signer's preference order to be ignored in favor of the library's default internal order. This change inverts the filtering logic to iterate over the signer's supported algorithms first. This ensures that if a MultiAlgorithmSigner explicitly prefers a specific algorithm (e.g., rsa-sha2-512 over rsa-sha2-256), that preference is preserved and respected during the handshake negotiation. Fixes golang/go#78248 Change-Id: I48a0aac720be7f973963342b82047ce32fc96699 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/746020 Reviewed-by: Lonny Wong Reviewed-by: Dmitri Shuralyov Auto-Submit: Nicola Murino LUCI-TryBot-Result: Go LUCI Reviewed-by: Filippo Valsorda Reviewed-by: Carlos Amedee

ssh: remove custom contains, use slices.Contains

2025-09-16T06:33:16Z

Change-Id: If4784469e7285675bdd51399a76bdc16f0036a2e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/703635 Reviewed-by: Mark Freeman Reviewed-by: Sean Liao Reviewed-by: Michael Knyszek LUCI-TryBot-Result: Go LUCI

ssh: add AlgorithmNegotiationError

2025-07-09T15:43:26Z

Fixes golang/go#61536 Change-Id: Id38cc6d46879dbe2bdea04dec061596387ec6cfe Reviewed-on: https://go-review.googlesource.com/c/crypto/+/559056 LUCI-TryBot-Result: Go LUCI Reviewed-by: Filippo Valsorda Reviewed-by: David Chase Auto-Submit: Nicola Murino Reviewed-by: Carlos Amedee

ssh: return unexpected msg error when server fails keyboard-interactive auth early

2024-10-16T07:16:19Z

Seems the OpenSSH server running on windows fails keyboard-interactive auth this way without sending any prompt to client. In such case the golang ssh client should not retry keyboard-interactive auth when the auth method is wrapped in a RetryableAuthMethod(). Rather the auth method should be immediately marked as tried&failed and the client auth process should move on to next available and acceptable auth method. Fixes golang/go#67855 Change-Id: I6c64ae58ff8325774e37af716601b112f8833d8f GitHub-Last-Rev: 7fafc4d1c81284b31000d7d6ccadd934dda26d24 GitHub-Pull-Request: golang/crypto#297 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/590956 LUCI-TryBot-Result: Go LUCI Reviewed-by: Dmitri Shuralyov Reviewed-by: Ian Lance Taylor Auto-Submit: Nicola Murino Reviewed-by: Nicola Murino

ssh: fail client auth immediately on receiving disconnect message

2024-06-04T17:03:48Z

Fixes golang/go#66991 Change-Id: I60dd8a807578f162fda0e49bcd6fbf289d444396 GitHub-Last-Rev: f88329d35712873d0d7e3b39b9b11e7bfbc28e71 GitHub-Pull-Request: golang/crypto#293 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/581075 Reviewed-by: Cherry Mui Reviewed-by: Roland Shoemaker Auto-Submit: Nicola Murino Reviewed-by: Nicola Murino LUCI-TryBot-Result: Go LUCI

ssh: validate key type in SSH_MSG_USERAUTH_PK_OK response

2024-05-03T13:40:56Z

According to RFC 4252 Section 7 the algorithm in SSH_MSG_USERAUTH_PK_OK should match that of the request but some servers send the key type instead. OpenSSH checks for the key type, so we do the same. Fixes golang/go#66438 Fixes golang/go#64785 Fixes golang/go#56342 Fixes golang/go#54027 Change-Id: I2f733f0faece097e44ba7a97c868d30a53e21d79 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/573360 Auto-Submit: Nicola Murino LUCI-TryBot-Result: Go LUCI Run-TryBot: Nicola Murino Reviewed-by: Roland Shoemaker Reviewed-by: Filippo Valsorda TryBot-Result: Gopher Robot Reviewed-by: Joedian Reid

ssh: fix certificate authentication with OpenSSH 7.2-7.7

2023-11-23T17:23:14Z

OpenSSH 7.2-7.7 advertises support for rsa-sha2-256 and rsa-sha2-512 in the "server-sig-algs" extension but doesn't support these algorithms for certificate authentication, so if the server rejects the key try to use the obtained algorithm as if "server-sig-algs" had not been implemented. Fixes golang/go#58371 Change-Id: Id49960d3dedd32a21e2c6c2689b1696e05398286 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/510155 Reviewed-by: Filippo Valsorda Run-TryBot: Nicola Murino Reviewed-by: Dmitri Shuralyov Reviewed-by: Michael Knyszek TryBot-Result: Gopher Robot LUCI-TryBot-Result: Go LUCI Auto-Submit: Nicola Murino

ssh: add MultiAlgorithmSigner

2023-09-20T18:10:30Z

MultiAlgorithmSigner allows to restrict client-side, server-side and certificate signing algorithms. Fixes golang/go#52132 Fixes golang/go#36261 Change-Id: I295092f1bba647327aaaf294f110e9157d294159 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508398 Reviewed-by: Filippo Valsorda Run-TryBot: Filippo Valsorda Reviewed-by: Ian Lance Taylor Auto-Submit: Filippo Valsorda TryBot-Result: Gopher Robot Reviewed-by: Matthew Dempsky

ssh: support rsa-sha2-256/512 for client certificates

2022-03-15T16:07:06Z

The server-sig-algs logic was not working for certificate algorithms. Follow-up on CL 392394. Tested with OpenSSH 8.8 configured with PubkeyAcceptedKeyTypes -ssh-rsa-cert-v01@openssh.com Updates golang/go#39885 For golang/go#49952 Change-Id: Ic230dd6f98e96b7938acbd0128ab37d33b70abe5 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392974 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda Reviewed-by: Roland Shoemaker TryBot-Result: Gopher Robot

ssh: support rsa-sha2-256/512 for client authentication

2022-03-14T23:47:24Z

CL 220037 had implemented support for host authentication using rsa-sha2-256/512, but not client public key authentication. OpenSSH disabled the SHA-1 based ssh-rsa by default in version 8.8 (after pre-announcing it in versions 8.2, 8.3, 8.4, 8.5, 8.6, and 8.7) although some distributions re-enable it. GitHub will start rejecting ssh-rsa for keys uploaded before November 2, 2021 on March 15, 2022. https://github.blog/2021-09-01-improving-git-protocol-security-github/ The server side already worked, as long as the client selected one of the SHA-2 algorithms, because the signature flowed freely to Verify. There was however nothing verifying that the signature algorithm matched the advertised one. The comment suggested the check was being performed, but it got lost back in CL 86190043. Not a security issue because the signature had to pass the callback's Verify method regardless, and both values were checked to be acceptable. Tested with OpenSSH 8.8 configured with "PubkeyAcceptedKeyTypes -ssh-rsa" and no application-side changes. The Signers returned by ssh/agent (when backed by an agent client) didn't actually implement AlgorithmSigner but ParameterizedSigner, an interface defined in an earlier version of CL 123955. Updates golang/go#49269 Fixes golang/go#39885 For golang/go#49952 Change-Id: I13b41db8041f1112a70f106c55f077b904b12cb8 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/392394 Trust: Filippo Valsorda Run-TryBot: Filippo Valsorda TryBot-Result: Gopher Robot Reviewed-by: Roland Shoemaker