From 2873af822161924168e8cea72fd670aacfb459f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Fri, 8 Aug 2025 13:47:53 +0000
Subject: [PATCH] fix: supported key algorithms detection for OpenSSH >= 10
---
 lib/perl/OVH/Bastion/ssh.inc | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/lib/perl/OVH/Bastion/ssh.inc b/lib/perl/OVH/Bastion/ssh.inc
index cccb286..270a533 100644
--- a/lib/perl/OVH/Bastion/ssh.inc
+++ b/lib/perl/OVH/Bastion/ssh.inc
@@ -3,6 +3,7 @@ package OVH::Bastion;
 use common::sense;
+use List::Util qw{ first };
 use File::Temp;
 use Fcntl qw{ :mode :DEFAULT };
@@ -621,26 +622,23 @@ sub get_supported_ssh_algorithms_list {
 $fnret or return $fnret;
 my @allowedList = @{$fnret->value};
- # other vary, detect this by running openssh client -V
+ # then detect using ssh -Q key
 my @supportedList;
 if (@cached_runtime_list) {
 @supportedList = @cached_runtime_list;
 }
 else {
- push @supportedList, 'rsa'; # rsa is always supported
- $fnret = OVH::Bastion::execute(cmd => [qw{ ssh -V }]);
+ $fnret = OVH::Bastion::execute(cmd => [qw{ ssh -Q key }]);
 if ($fnret) {
- foreach (@{$fnret->value->{'stdout'} || []}, @{$fnret->value->{'stderr'} || []}) {
- if (/OpenSSH_(\d+\.\d+)/) {
- my $version = $1;
- push @supportedList, 'ecdsa' if ($version gt "5.7");
- push @supportedList, 'ed25519' if ($version gt "6.5");
- push @supportedList, 'ecdsa-sk' if ($version gt "8.2");
- push @supportedList, 'ed25519-sk' if ($version gt "8.2");
- @cached_runtime_list = @supportedList;
- last;
- }
- }
+ my @algos = @{$fnret->value->{'stdout'} || []};
+ push @supportedList, 'rsa' if first { $_ eq 'ssh-rsa' } @algos;
+ push @supportedList, 'ecdsa' if first { /^ecdsa-sha2-nistp/ } @algos;
+ push @supportedList, 'ed25519' if first { $_ eq 'ssh-ed25519' } @algos;
+ @cached_runtime_list = @supportedList;
+ }
+ else {
+ warn_syslog("Couldn't determine the supported algorithms for pubkeys, using ssh -Q key");
+ return R('ERR_NO_ALGORITHMS', msg => "Couldn't determine the supported SSH algorithms");
 }
 }
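Review bot: The new detection block no longer adds `ecdsa-sk` and `ed25519-sk` to `@supportedList`, although the removed version check enabled both for OpenSSH newer than 8.2, so FIDO/hardware-backed keys would stop being reported as supported unless code outside this hunk handles them. `ssh -Q key` lists those types as `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com`, which the anchored `/^ecdsa-sha2-nistp/` and the exact `ssh-ed25519` test do not match; `push @supportedList, 'ecdsa-sk' if first { /^sk-ecdsa-sha2-nistp/ } @algos;` and `push @supportedList, 'ed25519-sk' if first { $_ eq 'sk-ssh-ed25519@openssh.com' } @algos;` next to the other three pushes would keep them. The exact-match tests also assume that `OVH::Bastion::execute` returns stdout lines without trailing newlines, which the hunk does not show. When the command succeeds but nothing matches, `@supportedList` stays empty and no error is returned, so returning `ERR_NO_ALGORITHMS` for an empty list as well would make that case visible. The body of `get_supported_ssh_algorithms_list` starts and ends outside the hunk.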