OpenSSH migrated the ssh-rsa key type, which historically used the ssh-rsa signature algorithm based on SHA-1, to the new rsa-sha2-256 and rsa-sha2-512 signature algorithms.

x/crypto/ssh was not ready for the key type / signature algorithm mismatch, so it needs a few changes. Moreover, OpenSSH implemented a few mechanisms at the same time to enable the rollout, which we need to assess and expose.

This is a tracking issue for the effort in general. Here's a list of not-duplicate related issues:

• x/crypto/ssh: support RSA SHA-2 host key signatures #37278
  • Fixed by https://golang.org/cl/220037
• x/crypto/ssh: server does not accept rsa-sha2-256 and rsa-sha2-512 signatures #46569
• x/crypto/ssh: support for server-sig-algs extension (RFC8308) #49269
• x/crypto/ssh: publicKeyCallback cannot handshake using ssh-rsa keys signed using the ssh-rsa-sha2-256 algorithm #39885
• x/crypto/ssh: Consider relaxing public key and signature matching for RSA keys in SSH_MSG_USERAUTH_REQUEST #53391
• x/crypto/ssh: cannot sign certificate with different algorithm #36261
  • x/crypto/ssh: add MultiAlgorithmSigner #52132

We'll also need some tests against OpenSSH proper, like the crypto/tls recorded tests against OpenSSL, since https://golang.org/cl/220037 turned out to be a partial fix.