Work around key algorithm naming change in OpenSSH <= 7.7.

When you send a "publickey" USERAUTH_REQUEST containing a certified
RSA key, and you want to use a SHA-2 based RSA algorithm, modern
OpenSSH expects you to send the algorithm string as
rsa-sha2-NNN-cert-v01@openssh.com. But 7.7 and earlier didn't
recognise those names, and expected the algorithm string in the
userauth request packet to be ssh-rsa-cert-v01@... and would then
follow it with an rsa-sha2-NNN signature.

OpenSSH itself has a bug workaround for its own older versions. Follow
suit.

ssh/verstring.c

@@ -612,6 +612,28 @@ static void ssh_detect_bugs(struct ssh_verstring_state *s)
         bpp_logevent("We believe remote version requires us to "
                      "filter our KEXINIT");
     }
+
+    if (conf_get_int(s->conf, CONF_sshbug_rsa_sha2_cert_userauth) == FORCE_ON ||
+        (conf_get_int(s->conf, CONF_sshbug_rsa_sha2_cert_userauth) == AUTO &&
+         (wc_match("OpenSSH_7.[2-7]*", imp)))) {
+        /*
+         * These versions have the bug in which using RSA/SHA-2
+         * authentication with a certified key requires the key
+         * algorithm to be sent as ssh-rsa-cert-... instead of
+         * rsa-sha2-NNN-cert-...
+         *
+         * OpenSSH 7.8 wants rsa-sha2-NNN-cert-...:
+         * https://github.com/openssh/openssh-portable/commit/4ba0d54794814ec0de1ec87987d0c3b89379b436
+         * (also labelled "OpenBSD-Commit-ID:
+         * c6e9f6d45eed8962ad502d315d7eaef32c419dde")
+         *
+         * OpenSSH 7.2 was the first release supporting RSA/SHA-2
+         * at all, so this bug is irrelevant to anything before that.
+         */
+        s->remote_bugs |= BUG_RSA_SHA2_CERT_USERAUTH;
+        bpp_logevent("We believe remote version has SSH-2 "
+                     "RSA/SHA-2/certificate userauth bug");
+    }
 }
 
 const char *ssh_verstring_get_remote(BinaryPacketProtocol *bpp)