Authenticate with ssh-rsa by default (#1283)

Rob-Hague · web-flow · commit 2b53e462dd77 · 2023-12-28T20:55:07.000+01:00
diff --git a/src/Renci.SshNet/PrivateKeyFile.cs b/src/Renci.SshNet/PrivateKeyFile.cs
@@ -250,11 +250,11 @@ private void Open(Stream privateKey, string passPhrase)
                 case "RSA":
                     var rsaKey = new RsaKey(decryptedData);
                     _key = rsaKey;
+                    _hostAlgorithms.Add(new KeyHostAlgorithm("ssh-rsa", _key));
 #pragma warning disable CA2000 // Dispose objects before losing scope
                     _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-512", _key, new RsaDigitalSignature(rsaKey, HashAlgorithmName.SHA512)));
                     _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-256", _key, new RsaDigitalSignature(rsaKey, HashAlgorithmName.SHA256)));
 #pragma warning restore CA2000 // Dispose objects before losing scope
-                    _hostAlgorithms.Add(new KeyHostAlgorithm("ssh-rsa", _key));
                     break;
                 case "DSA":
                     _key = new DsaKey(decryptedData);
@@ -268,11 +268,11 @@ private void Open(Stream privateKey, string passPhrase)
                     _key = ParseOpenSshV1Key(decryptedData, passPhrase);
                     if (_key is RsaKey parsedRsaKey)
                     {
+                        _hostAlgorithms.Add(new KeyHostAlgorithm("ssh-rsa", _key));
 #pragma warning disable CA2000 // Dispose objects before losing scope
                         _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-512", _key, new RsaDigitalSignature(parsedRsaKey, HashAlgorithmName.SHA512)));
                         _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-256", _key, new RsaDigitalSignature(parsedRsaKey, HashAlgorithmName.SHA256)));
 #pragma warning restore CA2000 // Dispose objects before losing scope
-                        _hostAlgorithms.Add(new KeyHostAlgorithm("ssh-rsa", _key));
                     }
                     else
                     {
@@ -337,11 +337,11 @@ private void Open(Stream privateKey, string passPhrase)
                         var p = reader.ReadBigIntWithBits(); // q
                         var decryptedRsaKey = new RsaKey(modulus, exponent, d, p, q, inverseQ);
                         _key = decryptedRsaKey;
+                        _hostAlgorithms.Add(new KeyHostAlgorithm("ssh-rsa", _key));
 #pragma warning disable CA2000 // Dispose objects before losing scope
                         _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-512", _key, new RsaDigitalSignature(decryptedRsaKey, HashAlgorithmName.SHA512)));
                         _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-256", _key, new RsaDigitalSignature(decryptedRsaKey, HashAlgorithmName.SHA256)));
 #pragma warning restore CA2000 // Dispose objects before losing scope
-                        _hostAlgorithms.Add(new KeyHostAlgorithm("ssh-rsa", _key));
                     }
                     else if (keyType == "dl-modp{sign{dsa-nist-sha1},dh{plain}}")
                     {
diff --git a/test/Renci.SshNet.Tests/Classes/Common/HostKeyEventArgsTest.cs b/test/Renci.SshNet.Tests/Classes/Common/HostKeyEventArgsTest.cs
@@ -88,7 +88,7 @@ private static KeyHostAlgorithm GetKeyHostAlgorithm()
             using (var s = GetData("Key.RSA.txt"))
             {
                 var privateKey = new PrivateKeyFile(s);
-                return (KeyHostAlgorithm)privateKey.HostKeyAlgorithms.First();
+                return (KeyHostAlgorithm)privateKey.HostKeyAlgorithms.Single(x => x.Name == "rsa-sha2-512");
             }
         }
 
diff --git a/test/Renci.SshNet.Tests/Classes/PrivateKeyFileTest.cs b/test/Renci.SshNet.Tests/Classes/PrivateKeyFileTest.cs
@@ -687,9 +687,11 @@ private static void TestRsaKeyFile(PrivateKeyFile rsaPrivateKeyFile)
 
             var algorithms = rsaPrivateKeyFile.HostKeyAlgorithms.ToList();
 
-            Assert.AreEqual("rsa-sha2-512", algorithms[0].Name);
-            Assert.AreEqual("rsa-sha2-256", algorithms[1].Name);
-            Assert.AreEqual("ssh-rsa", algorithms[2].Name);
+            // ssh-rsa should be attempted first during authentication by default.
+            // See https://github.com/sshnet/SSH.NET/issues/1233#issuecomment-1871196405
+            Assert.AreEqual("ssh-rsa", algorithms[0].Name);
+            Assert.AreEqual("rsa-sha2-512", algorithms[1].Name);
+            Assert.AreEqual("rsa-sha2-256", algorithms[2].Name);
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ private static KeyHostAlgorithm GetKeyHostAlgorithm()`
`88`	`88`	`using (var s = GetData("Key.RSA.txt"))`
`89`	`89`	`{`
`90`	`90`	`var privateKey = new PrivateKeyFile(s);`
`91`		`- return (KeyHostAlgorithm)privateKey.HostKeyAlgorithms.First();`
	`91`	`+ return (KeyHostAlgorithm)privateKey.HostKeyAlgorithms.Single(x => x.Name == "rsa-sha2-512");`
`92`	`92`	`}`
`93`	`93`	`}`
`94`	`94`
Original file line number	Diff line number	Diff line change
`@@ -687,9 +687,11 @@ private static void TestRsaKeyFile(PrivateKeyFile rsaPrivateKeyFile)`
`687`	`687`
`688`	`688`	`var algorithms = rsaPrivateKeyFile.HostKeyAlgorithms.ToList();`
`689`	`689`
`690`		`- Assert.AreEqual("rsa-sha2-512", algorithms[0].Name);`
`691`		`- Assert.AreEqual("rsa-sha2-256", algorithms[1].Name);`
`692`		`- Assert.AreEqual("ssh-rsa", algorithms[2].Name);`
	`690`	`+ // ssh-rsa should be attempted first during authentication by default.`
	`691`	`+ // See https://github.com/sshnet/SSH.NET/issues/1233#issuecomment-1871196405`
	`692`	`+ Assert.AreEqual("ssh-rsa", algorithms[0].Name);`
	`693`	`+ Assert.AreEqual("rsa-sha2-512", algorithms[1].Name);`
	`694`	`+ Assert.AreEqual("rsa-sha2-256", algorithms[2].Name);`
`693`	`695`	`}`
`694`	`696`	`}`
`695`	`697`	`}`