diff --git a/phpseclib/Net/SSH2.php b/phpseclib/Net/SSH2.php index d8e37357..03b50f62 100644 --- a/phpseclib/Net/SSH2.php +++ b/phpseclib/Net/SSH2.php @@ -273,6 +273,18 @@ class SSH2 */ var $server_host_key_algorithms = false; + /** + * Supported Private Key Algorithms + * + * In theory this should be the same as the Server Host Key Algorithms but, in practice, + * some servers (eg. Azure) will support rsa-sha2-512 as a server host key algorithm but + * not a private key algorithm + * + * @see self::privatekey_login() + * @var array|false + */ + var $supported_private_key_algorithms = false; + /** * Encryption Algorithms: Client to Server * @@ -1552,6 +1564,8 @@ class SSH2 $temp = unpack('Nlength', $this->_string_shift($response, 4)); $this->server_host_key_algorithms = explode(',', $this->_string_shift($response, $temp['length'])); + $this->supported_private_key_algorithms = $this->server_host_key_algorithms; + if (strlen($response) < 4) { return false; } @@ -2731,7 +2745,13 @@ class SSH2 $publickey['n'] ); - switch ($this->signature_format) { + $algos = ['rsa-sha2-256', 'rsa-sha2-512', 'ssh-rsa']; + if (isset($this->preferred['hostkey'])) { + $algos = array_intersect($this->preferred['hostkey'], $algos); + } + $algo = $this->_array_intersect_first($algos, $this->supported_private_key_algorithms); + + switch ($algo) { case 'rsa-sha2-512': $hash = 'sha512'; $signatureType = 'rsa-sha2-512'; @@ -2781,7 +2801,12 @@ class SSH2 return false; } extract(unpack('Nmethodlistlen', $this->_string_shift($response, 4))); - $this->auth_methods_to_continue = explode(',', $this->_string_shift($response, $methodlistlen)); + $auth_methods = explode(',', $this->_string_shift($response, $methodlistlen)); + if (in_array('publickey', $auth_methods) && substr($signatureType, 0, 9) == 'rsa-sha2-') { + $this->supported_private_key_algorithms = array_diff($this->supported_private_key_algorithms, array('rsa-sha2-256', 'rsa-sha2-512')); + return $this->_privatekey_login($username, $privatekey); + } + $this->auth_methods_to_continue = $auth_methods; $this->errors[] = 'SSH_MSG_USERAUTH_FAILURE'; return false; case NET_SSH2_MSG_USERAUTH_PK_OK: