go-x-crypto/ssh/client_auth_test.go, branch main Fork of golang.org/x/crypto with my patches. http://git.kilabit.info/go-x-crypto/atom?h=main 2026-03-23T15:34:51Z ssh: respect signer's algorithm preference in pickSignatureAlgorithm 2026-03-23T15:34:51Z Nicola Murino nicola.murino@gmail.com 2026-02-16T09:38:19Z urn:sha1:8400f4a938077a7a7817ab7d163d148e371b320b Previously, pickSignatureAlgorithm constructed the list of candidate algorithms by iterating over the static list returned by algorithmsForKeyFormat. This caused the Signer's preference order to be ignored in favor of the library's default internal order. This change inverts the filtering logic to iterate over the signer's supported algorithms first. This ensures that if a MultiAlgorithmSigner explicitly prefers a specific algorithm (e.g., rsa-sha2-512 over rsa-sha2-256), that preference is preserved and respected during the handshake negotiation. Fixes golang/go#78248 Change-Id: I48a0aac720be7f973963342b82047ce32fc96699 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/746020 Reviewed-by: Lonny Wong <lonnywang.cn@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> all: fix some typos in comment 2025-10-08T20:58:26Z cuishuang imcusg@gmail.com 2025-09-29T03:51:24Z urn:sha1:1faea2975ced2153e5086c1ee135f983db10150a Change-Id: Ia209f0a6d9b19d14e655c65d1287a1416b48c487 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/707535 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Michael Pratt <mpratt@google.com> Auto-Submit: Sean Liao <sean@liao.dev> Reviewed-by: Nicola Murino <nicola.murino@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Sean Liao <sean@liao.dev> ssh: remove custom contains, use slices.Contains 2025-09-16T06:33:16Z Nicola Murino nicola.murino@gmail.com 2025-09-14T13:28:12Z urn:sha1:ddb4e80c6ad38c8a94001924a6ff8424f5cae369 Change-Id: If4784469e7285675bdd51399a76bdc16f0036a2e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/703635 Reviewed-by: Mark Freeman <markfreeman@google.com> Reviewed-by: Sean Liao <sean@liao.dev> Reviewed-by: Michael Knyszek <mknyszek@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> ssh: export supported algorithms 2025-05-15T17:43:30Z Nicola Murino nicola.murino@gmail.com 2025-05-04T12:40:10Z urn:sha1:ac58737d259962f38068acb1bcd4a51850ec4951 Fixes golang/go#61537 Change-Id: If3478121e3ae445391e3faeceeb889d75e9e3214 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/531935 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> all: make function and struct comments match the names 2025-01-02T16:15:46Z cuishuang imcusg@gmail.com 2025-01-01T01:57:54Z urn:sha1:4a75ba54c28f9c8aa4011c3c5e9e146fd8c83359 Change-Id: Iba9c1fc2895adca0d3455f8068b040d0ca006408 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/639575 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Ian Lance Taylor <iant@google.com> ssh: return unexpected msg error when server fails keyboard-interactive auth early 2024-10-16T07:16:19Z samiponkanen sami.ponkanen@gmail.com 2024-10-16T01:53:41Z urn:sha1:7cfb9161e8d828fd6d9f34560e78460435b63503 Seems the OpenSSH server running on windows fails keyboard-interactive auth this way without sending any prompt to client. In such case the golang ssh client should not retry keyboard-interactive auth when the auth method is wrapped in a RetryableAuthMethod(). Rather the auth method should be immediately marked as tried&failed and the client auth process should move on to next available and acceptable auth method. Fixes golang/go#67855 Change-Id: I6c64ae58ff8325774e37af716601b112f8833d8f GitHub-Last-Rev: 7fafc4d1c81284b31000d7d6ccadd934dda26d24 GitHub-Pull-Request: golang/crypto#297 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/590956 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Nicola Murino <nicola.murino@gmail.com> ssh: return ServerAuthError after too many auth failures 2024-09-16T20:42:53Z Nicola Murino nicola.murino@gmail.com 2024-02-25T15:26:56Z urn:sha1:42ee18b963777d907bbef3e59665cf80968d57e6 if a client is disconnected due to too many authentication attempts we should return a ServerAuthError instead of a generic error. Some users check the error returned by NewServerConn to determine whether or not a client attempted to authenticate. Fixes golang/go#69191 Change-Id: If68fcecdefd6c810fe9df8256b1216e320d8a916 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/566398 Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Tim King <taking@google.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Carlos Amedee <carlos@golang.org> ssh: add test cases for compatibility with old (buggy) clients 2023-09-20T18:10:32Z Nicola Murino nicola.murino@gmail.com 2023-09-05T17:47:13Z urn:sha1:a1aeb9b34eb6b8f469bbd66b9cd1c9d905cb3714 Improved test cases for CL 506835. Change-Id: If4a98ae4a7b39d2e59b203d10080b71283e1a80e Reviewed-on: https://go-review.googlesource.com/c/crypto/+/525735 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Matthew Dempsky <mdempsky@google.com> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> ssh: add MultiAlgorithmSigner 2023-09-20T18:10:30Z Nicola Murino nicola.murino@gmail.com 2023-07-08T13:39:11Z urn:sha1:28c53ff63c09fc7df7793600caa30989bc69e194 MultiAlgorithmSigner allows to restrict client-side, server-side and certificate signing algorithms. Fixes golang/go#52132 Fixes golang/go#36261 Change-Id: I295092f1bba647327aaaf294f110e9157d294159 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508398 Reviewed-by: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Matthew Dempsky <mdempsky@google.com> ssh: check the declared public key algo against decoded one 2023-09-05T16:18:45Z Nicola Murino nicola.murino@gmail.com 2023-06-28T16:03:43Z urn:sha1:c5370d2cc696bb18a6ddc151cee09673f06e8497 This check will ensure we don't accept e.g. ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public key type. The algorithm and public key type must be consistent: both must be certificate algorithms, or neither. Change-Id: I1d75074fb4d6db3a8796408e98ddffe577a96ab1 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/506836 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org>