Allow RSA with SHA-2 signatures to be used on Windows

ronf · ronf · commit 32e1c9322c44 · 2026-03-14T09:14:05.000-07:00
This commit removes a guard which prevented RSA with SHA-2 signatures
from being used on Windows, since older versions of both OpenSSH's
ssh-agent and the Pageant agent didn't support this when AsyncSSH first
added this support.

Now that SHA-2 support has eben around in Windows SSH for several years
and many implementations disable SHA-1 by default, this guard is doing
more harm than good.

Thanks go to GitHub user Netzvamp for reporting this!
diff --git a/asyncssh/agent.py b/asyncssh/agent.py
@@ -121,9 +121,7 @@ def __init__(self, agent: 'SSHAgentClient', algorithm: bytes,
         else:
             sig_algorithm = algorithm
 
-        # Neither Pageant nor the Win10 OpenSSH agent seems to support the
-        # ssh-agent protocol flags used to request RSA SHA2 signatures yet
-        if sig_algorithm == b'ssh-rsa' and sys.platform != 'win32':
+        if sig_algorithm == b'ssh-rsa':
             sig_algorithms: Sequence[bytes] = \
                 (b'rsa-sha2-256', b'rsa-sha2-512', b'ssh-rsa')
         else:
