x/crypto/ssh: prefer `rsa-sha2-512` over `rsa-sha2-256` for RSA SSH signatures

[lonnywong]

Proposal Details

RSA signature algorithms are currently ordered as:

func algorithmsForKeyFormat(keyFormat string) []string {
	switch keyFormat {
	case KeyAlgoRSA:
		return []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA}
	case CertAlgoRSAv01:
		return []string{CertAlgoRSASHA256v01, CertAlgoRSASHA512v01, CertAlgoRSAv01}
	default:
		return []string{keyFormat}
	}
}

This causes rsa-sha2-256 to be negotiated before rsa-sha2-512 when both are supported.

OpenSSH prefers rsa-sha2-512 over rsa-sha2-256 in its default signature algorithm ordering and negotiates rsa-sha2-512 when possible.

Suggested change

Prefer SHA-512 when available:

case KeyAlgoRSA:
	return []string{KeyAlgoRSASHA512, KeyAlgoRSASHA256, KeyAlgoRSA}
case CertAlgoRSAv01:
	return []string{CertAlgoRSASHA512v01, CertAlgoRSASHA256v01, CertAlgoRSAv01}

This aligns Go's SSH behavior with OpenSSH while remaining fully backward compatible.

[gabyhelp]

Related Issues

• x/crypto: crypto/ssh still uses insecure SHA1 by default, OpenSSH ending support soon #48216 (closed)
• x/crypto/ssh: MAC orders #61138 (closed)
• proposal: x/crypto/ssh: add a way to see pubkey signature algorithm #73847 (closed)
• x/crypto/ssh: support RSA SHA-2 host key signatures #37278 (closed)
• x/crypto/ssh: add MultiAlgorithmSigner #52132 (closed)
• x/crypto/ssh: Support sha-2 family hash algorithms for key exchange (RFC 8268) #31731 (closed)
• proposal: x/crypto/ssh: add support for "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm #69999
• crypto/tls: disable SHA-1 signature algorithms in TLS 1.2 #72883 (closed)
• x/crypto/ssh: make it possible to disable SHA-1 algorithms #56561
• x/crypto/ssh: allow to configure public key authentication algorithms on the server side #61244 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[FiloSottile]

What's the benefit of negotiating rsa-sha2-512 over rsa-sha2-256?

/cc @drakkan

[drakkan]

We chose rsa-sha2-256 over rsa-sha2-512 as a balanced compromise between performance and security. Would this create any issues for your use case that we should be aware of?

[lonnywong]

@drakkan When using the SSH agent provided by Bitwarden, there is a related bug: bitwarden/clients#16681

However, OpenSSH does not trigger this issue because it prioritizes rsa-sha2-512. See also: trzsz/trzsz-ssh#208

Benchmark results show that the performance difference between rsa-sha2-512 and rsa-sha2-256 is not significant.

Given this, would it be better to align with OpenSSH and prioritize rsa-sha2-512 by default?

import (
	"crypto/rand"
	"crypto/rsa"
	"testing"

	"golang.org/x/crypto/ssh"
)

const kPayloadSize = 506

func benchmarkRSA(b *testing.B, algo string) {
	key, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		b.Fatal(err)
	}

	signer, err := ssh.NewSignerFromKey(key)
	if err != nil {
		b.Fatal(err)
	}

	algoSigner := signer.(ssh.AlgorithmSigner)

	data := make([]byte, kPayloadSize)
	rand.Read(data)

	b.ResetTimer()

	for i := 0; i < b.N; i++ {
		_, err := algoSigner.SignWithAlgorithm(rand.Reader, data, algo)
		if err != nil {
			b.Fatal(err)
		}
	}
}

func BenchmarkKeyAlgoRSASHA256(b *testing.B) {
	benchmarkRSA(b, ssh.KeyAlgoRSASHA256)
}

func BenchmarkKeyAlgoRSASHA512(b *testing.B) {
	benchmarkRSA(b, ssh.KeyAlgoRSASHA512)
}

goos: darwin
goarch: arm64
pkg: example.com/m
cpu: Apple M1 Pro
BenchmarkKeyAlgoRSASHA256-10    	     204	   5878036 ns/op
BenchmarkKeyAlgoRSASHA512-10    	     204	   5897017 ns/op
PASS
ok  	example.com/m	7.286s

goos: linux
goarch: amd64
pkg: example.com/m
cpu: Intel(R) Xeon(R) Gold 6231C CPU @ 3.20GHz
BenchmarkKeyAlgoRSASHA256-32    	     156	   7782881 ns/op
BenchmarkKeyAlgoRSASHA512-32    	     152	   7885840 ns/op
PASS
ok  	example.com/m	9.848s

[drakkan]

@lonnywong Thank you for the additional information and for sharing the benchmark results. I translated trzsz-ssh issue from Chinese, so it’s possible I may have misunderstood some parts. If I understand correctly, the issue was resolved by adding the Algorithms() []string method to your custom Signer, effectively upgrading it to a MultiAlgorithmSigner and thereby enabling explicit algorithms selection and ordering.

Is that correct? If not, could you please provide a small standalone reproducer to help clarify the issue? When using a MultiAlgorithmSigner, it should be possible to configure different preferred algorithms.

[lonnywong]

@drakkan If tssh were to implement the Algorithms() []string method, it would need to handle not only RSA but all other keys as well. It wouldn’t be sufficient to implement Algorithms() for RSA alone.

In practice, this would mean that tssh would have to copy logic such as algorithmsForKeyFormat(underlyingAlgo(keyFormat)) from x/crypto/ssh:

// certKeyAlgoNames is a mapping from known certificate algorithm names to the
// corresponding public key signature algorithm.
//
// This map must be kept in sync with the one in agent/client.go.
var certKeyAlgoNames = map[string]string{
	CertAlgoRSAv01:         KeyAlgoRSA,
	CertAlgoRSASHA256v01:   KeyAlgoRSASHA256,
	CertAlgoRSASHA512v01:   KeyAlgoRSASHA512,
	InsecureCertAlgoDSAv01: InsecureKeyAlgoDSA,
	CertAlgoECDSA256v01:    KeyAlgoECDSA256,
	CertAlgoECDSA384v01:    KeyAlgoECDSA384,
	CertAlgoECDSA521v01:    KeyAlgoECDSA521,
	CertAlgoSKECDSA256v01:  KeyAlgoSKECDSA256,
	CertAlgoED25519v01:     KeyAlgoED25519,
	CertAlgoSKED25519v01:   KeyAlgoSKED25519,
}

// underlyingAlgo returns the signature algorithm associated with algo (which is
// an advertised or negotiated public key or host key algorithm). These are
// usually the same, except for certificate algorithms.
func underlyingAlgo(algo string) string {
	if a, ok := certKeyAlgoNames[algo]; ok {
		return a
	}
	return algo
}

The problem is that when x/crypto/ssh adds support for new keys in the future, tssh would not be able to pick them up simply by upgrading the dependency. Instead, tssh would need to continuously track upstream changes and manually keep its implementation in sync.

I think a better approach would be for x/crypto/ssh itself to align with OpenSSH.

[lonnywong]

@drakkan If I implement the Algorithms() []string method and place rsa-sha2-512 before rsa-sha2-256, the following code will still reorder the preference and prioritize rsa-sha2-256:

func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiAlgorithmSigner, string, error) {
	// ...

	// Filter algorithms based on those supported by MultiAlgorithmSigner.
	var keyAlgos []string
	for _, algo := range algorithmsForKeyFormat(keyFormat) {
		if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {
			keyAlgos = append(keyAlgos, algo)
		}
	}

	algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos, true)

	// ...
	return as, algo, nil
}

This happens because keyAlgos is constructed in the order returned by algorithmsForKeyFormat(keyFormat), not in the order returned by Algorithms(). As a result, even if Algorithms() prefers rsa-sha2-512, the final negotiation will still prefer rsa-sha2-256 if it appears first in algorithmsForKeyFormat.

Therefore, changing the order in Algorithms() alone does not affect the actual algorithm preference during negotiation.

[gopherbot]

Change https://go.dev/cl/746020 mentions this issue: ssh: respect signer's algorithm preference in pickSignatureAlgorithm

[drakkan]

@drakkan If I implement the Algorithms() []string method and place rsa-sha2-512 before rsa-sha2-256, the following code will still reorder the preference and prioritize rsa-sha2-256

This is a bug, thank you for reporting it. The linked CL should fix it.

[lonnywong]

Hi @FiloSottile , could you please review this change when you have a moment?

https://go.dev/cl/746020