Add ca_signing_algo to the config file

This allows users to override the SHA2 signing algorithms we default to
now for compatibility with the (very) old OpenSSH versions.

For host and user certs, use the CA signing algo for their own
handshakes. This allows us to propagate the signing algo from auth
server everywhere else.

Author: Andrew Lytvynov

Diff for: lib/auth/init.go

@@ -772,7 +772,7 @@ func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byt
 	return identity, nil
 }
 
-// ReadSSHIdentityFromKeyPair reads identity from initialized keypair
+// ReadSSHIdentityFromKeyPair reads identity from initialized keypair.
 func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
 	if len(keyBytes) == 0 {
 		return nil, trace.BadParameter("PrivateKey: missing private key")
@@ -796,7 +796,10 @@ func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
 	if err != nil {
 		return nil, trace.BadParameter("failed to parse private key: %v", err)
 	}
-	signer = sshutils.CompatSigner(signer)
+	// Inherit the cert signature algorithm from CA signature.
+	// Whatever auth server decided to use for SSH cert signing should be used
+	// by the resulting certs for signing.
+	signer = sshutils.AlgSigner(signer, cert.Signature.Format)
 	// this signer authenticates using certificate signed by the cert authority
 	// not only by the public key
 	certSigner, err := ssh.NewCertSigner(cert, signer)

Diff for: lib/auth/native/native.go

@@ -61,6 +61,8 @@ type Keygen struct {
 	cancel          context.CancelFunc
 	precomputeCount int
 
+	caSignatureAlg string
+
 	// clock is used to control time.
 	clock clockwork.Clock
 }
@@ -85,6 +87,14 @@ func PrecomputeKeys(count int) KeygenOption {
 	}
 }
 
+// SetCASignatureAlg overrides the signature algorithm for SSH certificates.
+func SetCASignatureAlg(alg string) KeygenOption {
+	return func(k *Keygen) error {
+		k.caSignatureAlg = alg
+		return nil
+	}
+}
+
 // New returns a new key generator.
 func New(ctx context.Context, opts ...KeygenOption) (*Keygen, error) {
 	ctx, cancel := context.WithCancel(ctx)
@@ -194,7 +204,7 @@ func (k *Keygen) GenerateHostCert(c services.HostCertParams) ([]byte, error) {
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	signer = sshutils.CompatSigner(signer)
+	signer = sshutils.AlgSigner(signer, k.caSignatureAlg)
 
 	// Build a valid list of principals from the HostID and NodeName and then
 	// add in any additional principals passed in.
@@ -306,7 +316,7 @@ func (k *Keygen) GenerateUserCert(c services.UserCertParams) ([]byte, error) {
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	signer = sshutils.CompatSigner(signer)
+	signer = sshutils.AlgSigner(signer, k.caSignatureAlg)
 	if err := cert.SignCert(rand.Reader, signer); err != nil {
 		return nil, trace.Wrap(err)
 	}

Diff for: lib/auth/native/native_test.go

@@ -47,7 +47,12 @@ func (s *NativeSuite) SetUpSuite(c *check.C) {
 
 	fakeClock := clockwork.NewFakeClockAt(time.Date(2016, 9, 8, 7, 6, 5, 0, time.UTC))
 
-	a, err := New(context.TODO(), PrecomputeKeys(1), SetClock(fakeClock))
+	a, err := New(
+		context.TODO(),
+		PrecomputeKeys(1),
+		SetClock(fakeClock),
+		SetCASignatureAlg(ssh.SigAlgoRSASHA2256),
+	)
 	c.Assert(err, check.IsNil)
 
 	s.suite = &test.AuthSuite{
@@ -230,7 +235,8 @@ func (s *NativeSuite) TestUserCertCompatibility(c *check.C) {
 
 		userCertificate, ok := publicKey.(*ssh.Certificate)
 		c.Assert(ok, check.Equals, true, comment)
-
+		// Check that the signature algorithm is correct.
+		c.Assert(userCertificate.Signature.Format, check.Equals, s.suite.A.(*Keygen).caSignatureAlg)
 		// check if we added the roles extension
 		_, ok = userCertificate.Extensions[teleport.CertExtensionTeleportRoles]
 		c.Assert(ok, check.Equals, tt.outHasRoles, comment)

Diff for: lib/auth/rotate.go

@@ -24,7 +24,6 @@ import (
 	"github.com/gravitational/teleport/lib/auth/native"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/services"
-	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/tlsca"
 
 	"github.com/gravitational/trace"
@@ -479,7 +478,6 @@ func startNewRotation(req rotationReq, ca services.CertAuthority) error {
 		if err != nil {
 			return trace.Wrap(err)
 		}
-		signer = sshutils.CompatSigner(signer)
 
 		sshPubPEM = ssh.MarshalAuthorizedKey(signer.PublicKey())
 		sshPrivPEM = req.privateKey

Diff for: lib/client/interfaces.go

@@ -246,7 +246,10 @@ func (k *Key) AsAuthMethod() (ssh.AuthMethod, error) {
 	if signer, err = ssh.NewCertSigner(keys[0].Certificate, signer); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	signer = sshutils.CompatSigner(signer)
+	// Inherit the cert signature algorithm from CA signature.
+	// Whatever auth server decided to use for SSH cert signing should be used
+	// by the resulting certs for signing.
+	signer = sshutils.AlgSigner(signer, keys[0].Certificate.Signature.Format)
 	return NewAuthMethodForCert(signer), nil
 }
 

Diff for: lib/config/configuration.go

@@ -287,6 +287,9 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 	if fc.MACAlgorithms != nil {
 		cfg.MACAlgorithms = fc.MACAlgorithms
 	}
+	if fc.CASignatureAlgorithm != "" {
+		cfg.CASignatureAlgorithm = fc.CASignatureAlgorithm
+	}
 
 	// Read in how nodes will validate the CA.
 	if fc.CAPin != "" {

Diff for: lib/config/configuration_test.go

@@ -329,19 +329,19 @@ func (s *ConfigTestSuite) TestTrustedClusters(c *check.C) {
 // TestFileConfigCheck makes sure we don't start with invalid settings.
 func (s *ConfigTestSuite) TestFileConfigCheck(c *check.C) {
 	tests := []struct {
-		inConfigString string
-		outError       bool
+		desc     string
+		inConfig string
+		outError bool
 	}{
-		// 0 - all defaults, valid
 		{
-			`
+			desc: "all defaults, valid",
+			inConfig: `
 teleport:
 `,
-			false,
 		},
-		// 1 - invalid cipher, not valid
 		{
-			`
+			desc: "invalid cipher, not valid",
+			inConfig: `
 teleport:
   ciphers:
     - aes256-ctr
@@ -351,15 +351,29 @@ teleport:
   mac_algos:
     - [email protected]
 `,
-			true,
+			outError: true,
+		},
+		{
+			desc: "change CA signature alg, valid",
+			inConfig: `
+teleport:
+  ca_signature_algo: ssh-rsa
+`,
+		},
+		{
+			desc: "invalid CA signature alg, not valid",
+			inConfig: `
+teleport:
+  ca_signature_algo: foobar
+`,
+			outError: true,
 		},
 	}
 
-	// run tests
-	for i, tt := range tests {
-		comment := check.Commentf("Test %v", i)
+	for _, tt := range tests {
+		comment := check.Commentf(tt.desc)
 
-		_, err := ReadConfig(bytes.NewBufferString(tt.inConfigString))
+		_, err := ReadConfig(bytes.NewBufferString(tt.inConfig))
 		if tt.outError {
 			c.Assert(err, check.NotNil, comment)
 		} else {

Diff for: lib/config/fileconf.go

@@ -138,6 +138,7 @@ var (
 		"ciphers":                 false,
 		"kex_algos":               false,
 		"mac_algos":               false,
+		"ca_signature_algo":       false,
 		"connector_name":          false,
 		"session_recording":       false,
 		"read_capacity_units":     false,
@@ -164,6 +165,12 @@ var (
 	}
 )
 
+var validCASigAlgos = []string{
+	ssh.SigAlgoRSA,
+	ssh.SigAlgoRSASHA2256,
+	ssh.SigAlgoRSASHA2512,
+}
+
 // FileConfig structre represents the teleport configuration stored in a config file
 // in YAML format (usually /etc/teleport.yaml)
 //
@@ -329,19 +336,22 @@ func (conf *FileConfig) Check() error {
 
 	for _, c := range conf.Ciphers {
 		if !utils.SliceContainsStr(sc.Ciphers, c) {
-			return trace.BadParameter("cipher %q not supported", c)
+			return trace.BadParameter("cipher algorithm %q is not supported; supported algorithms: %q", c, sc.Ciphers)
 		}
 	}
 	for _, k := range conf.KEXAlgorithms {
 		if !utils.SliceContainsStr(sc.KeyExchanges, k) {
-			return trace.BadParameter("KEX %q not supported", k)
+			return trace.BadParameter("KEX algorithm %q is not supported; supported algorithms: %q", k, sc.KeyExchanges)
 		}
 	}
 	for _, m := range conf.MACAlgorithms {
 		if !utils.SliceContainsStr(sc.MACs, m) {
-			return trace.BadParameter("MAC %q not supported", m)
+			return trace.BadParameter("MAC algorithm %q is not supported; supported algorithms: %q", m, sc.MACs)
 		}
 	}
+	if conf.CASignatureAlgorithm != "" && !utils.SliceContainsStr(validCASigAlgos, conf.CASignatureAlgorithm) {
+		return trace.BadParameter("CA signature algorithm %q is not supported; supported algorithms: %q", conf.CASignatureAlgorithm, validCASigAlgos)
+	}
 
 	return nil
 }
@@ -399,6 +409,11 @@ type Global struct {
 	// the server supports. If omitted the defaults will be used.
 	MACAlgorithms []string `yaml:"mac_algos,omitempty"`
 
+	// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
+	// algorithm that the server uses for signing user and host certificates.
+	// If omitted, the default will be used.
+	CASignatureAlgorithm string `yaml:"ca_signature_algo,omitempty"`
+
 	// CAPin is the SKPI hash of the CA used to verify the Auth Server.
 	CAPin string `yaml:"ca_pin"`
 }

Diff for: lib/reversetunnel/cache.go

@@ -155,7 +155,6 @@ func (c *certificateCache) generateHostCert(principals []string) (ssh.Signer, er
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	privateKey = sshutils.CompatSigner(privateKey)
 	publicKey, _, _, _, err := ssh.ParseAuthorizedKey(certBytes)
 	if err != nil {
 		return nil, err
@@ -164,6 +163,10 @@ func (c *certificateCache) generateHostCert(principals []string) (ssh.Signer, er
 	if !ok {
 		return nil, trace.BadParameter("not a certificate")
 	}
+	// Inherit the cert signature algorithm from CA signature.
+	// Whatever auth server decided to use for SSH cert signing should be used
+	// by the resulting certs for signing.
+	privateKey = sshutils.AlgSigner(privateKey, cert.Signature.Format)
 
 	// return a ssh.Signer
 	s, err := ssh.NewCertSigner(cert, privateKey)

Diff for: lib/service/cfg.go

@@ -141,6 +141,11 @@ type Config struct {
 	// the server supports. If omitted the defaults will be used.
 	MACAlgorithms []string
 
+	// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
+	// algorithm that the server uses for signing user and host certificates.
+	// If omitted, the default will be used.
+	CASignatureAlgorithm string
+
 	// DiagnosticAddr is an address for diagnostic and healthz endpoint service
 	DiagnosticAddr utils.NetAddr
 
@@ -479,6 +484,7 @@ func ApplyDefaults(cfg *Config) {
 	cfg.Ciphers = sc.Ciphers
 	cfg.KEXAlgorithms = kex
 	cfg.MACAlgorithms = macs
+	cfg.CASignatureAlgorithm = ssh.SigAlgoRSASHA2512
 
 	// Auth service defaults.
 	cfg.Auth.Enabled = true

Diff for: lib/service/cfg_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/gravitational/teleport/lib/backend/lite"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/utils"
+	"golang.org/x/crypto/ssh"
 
 	"gopkg.in/check.v1"
 )
@@ -56,6 +57,29 @@ func (s *ConfigSuite) TestDefaultConfig(c *check.C) {
 		c.Error("default hostname wasn't properly set")
 	}
 
+	// crypto settings
+	c.Assert(config.CipherSuites, check.DeepEquals, utils.DefaultCipherSuites())
+	// Unfortunately the below algos don't have exported constants in
+	// golang.org/x/crypto/ssh for us to use.
+	c.Assert(config.Ciphers, check.DeepEquals, []string{
+		"[email protected]",
+		"[email protected]",
+		"aes128-ctr",
+		"aes192-ctr",
+		"aes256-ctr",
+	})
+	c.Assert(config.KEXAlgorithms, check.DeepEquals, []string{
+		"[email protected]",
+		"ecdh-sha2-nistp256",
+		"ecdh-sha2-nistp384",
+		"ecdh-sha2-nistp521",
+	})
+	c.Assert(config.MACAlgorithms, check.DeepEquals, []string{
+		"[email protected]",
+		"hmac-sha2-256",
+	})
+	c.Assert(config.CASignatureAlgorithm, check.Equals, ssh.SigAlgoRSASHA2512)
+
 	// auth section
 	auth := config.Auth
 	c.Assert(auth.SSHAddr, check.DeepEquals, localAuthAddr)

Diff for: lib/service/service.go

@@ -625,7 +625,10 @@ func NewTeleport(cfg *Config) (*TeleportProcess, error) {
 			precomputeCount = 0
 		}
 		var err error
-		cfg.Keygen, err = native.New(process.ExitContext(), native.PrecomputeKeys(precomputeCount))
+		cfg.Keygen, err = native.New(process.ExitContext(),
+			native.PrecomputeKeys(precomputeCount),
+			native.SetCASignatureAlg(cfg.CASignatureAlgorithm),
+		)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}

Diff for: lib/services/authority.go

@@ -202,7 +202,7 @@ type CertAuthority interface {
 	// Checkers returns public keys that can be used to check cert authorities
 	Checkers() ([]ssh.PublicKey, error)
 	// Signers returns a list of signers that could be used to sign keys
-	Signers() ([]ssh.Signer, error)
+	Signers(alg string) ([]ssh.Signer, error)
 	// V1 returns V1 version of the resource
 	V1() *CertAuthorityV1
 	// V2 returns V2 version of the resource
@@ -546,15 +546,17 @@ func (ca *CertAuthorityV2) Checkers() ([]ssh.PublicKey, error) {
 	return out, nil
 }
 
-// Signers returns a list of signers that could be used to sign keys
-func (ca *CertAuthorityV2) Signers() ([]ssh.Signer, error) {
+// Signers returns a list of signers that could be used to sign keys.
+//
+// The optional alg flag can be used to override the signature algorithm.
+func (ca *CertAuthorityV2) Signers(alg string) ([]ssh.Signer, error) {
 	out := make([]ssh.Signer, 0, len(ca.Spec.SigningKeys))
 	for _, keyBytes := range ca.Spec.SigningKeys {
 		signer, err := ssh.ParsePrivateKey(keyBytes)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		signer = sshutils.CompatSigner(signer)
+		signer = sshutils.AlgSigner(signer, alg)
 		out = append(out, signer)
 	}
 	return out, nil
@@ -570,7 +572,7 @@ func (ca *CertAuthorityV2) Check() error {
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	_, err = ca.Signers()
+	_, err = ca.Signers("")
 	if err != nil {
 		return trace.Wrap(err)
 	}

Diff for: lib/sshutils/fingerprint.go

@@ -27,6 +27,5 @@ func PrivateKeyFingerprint(keyBytes []byte) (string, error) {
 	if err != nil {
 		return "", trace.Wrap(err)
 	}
-	signer = CompatSigner(signer)
 	return Fingerprint(signer.PublicKey()), nil
 }