[Bug 2550] New: ssh can't use an in-memory-only certificate

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Mar 11 10:12:07 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2550

            Bug ID: 2550
           Summary: ssh can't use an in-memory-only certificate
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot at hda3.com

I have an ssh certificate authority set up where a user can ssh to it
(forwarding their agent), and when they authenticate, the CA generates a
new ssh cert and adds it directly to their ssh-agent. The cert then
shows up in their agent like so:

$ ssh-add -l
2048 85:0d:c1:cc:50:6b:24:93:74:33:61:88:00:ab:88:dd [Valid until Fri
11 Mar 2016 18:10 UTC, Version 2] (RSA-CERT)

The cert has the appropriate private key embedded in it, but the
private key isn't added separately.

Prior to commit 4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8, just having
the cert in the user's agent process worked as expected. After that
commit, the user needs both the private key and the cert (also with the
private key) loaded together for it to work.

If I try to use just the cert after this commit, I see:

debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen
2769
debug2: input_userauth_pk_ok: fp
SHA256:XiFOO+XzZ0m/aWzkQLgxVFI2HJV3abWpNyuIhcEYKuc
debug3: sign_and_send_pubkey: RSA-CERT
SHA256:XiFOO+XzZ0m/aWzkQLgxVFI2HJV3abWpNyuIhcEYKuc
debug1: sign_and_send_pubkey: no private key for certificate "[Valid
until Fri 11 Mar 2016 18:10 UTC, Version 2]"

If I modify the CA to add both the cert (with private key) and the
private key, so my agent looks like this:

$ ./ssh-add -l
2048 SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs [Valid until
Fri 11 Mar 2016 19:08 UTC, Version 2] (RSA)
2048 SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs [Valid until
Fri 11 Mar 2016 19:08 UTC, Version 2] (RSA-CERT)

Now I can use those creds to ssh:

debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen
2769
debug2: input_userauth_pk_ok: fp
SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs
debug3: sign_and_send_pubkey: RSA-CERT
SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs
debug2: sign_and_send_pubkey: using private key "[Valid until Fri 11
Mar 2016 19:08 UTC, Version 2]" from agent for certificate


My C chops have grown dull in the last 10 months, but I can work up a
patch for this. It seems like, unless there's some particular reason
not to do this, the

 if (key_is_cert(id->key)) {
   ...
 }

could also check the private key on the cert...? I'm not sure how that
works with a remote ssh client accessing a forwarded agent.

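As an added illustration (not code from the bug report or from OpenSSH), the following Python re-implements the two pieces of behaviour visible in the debug output above: how ssh-add -l derives the fingerprint it shows for a certificate, and how ssh, before signing with a certificate held in the agent, looks for a plain identity whose public key equals the one embedded in the certificate. The key material, the comment string and the certificate's nonce and signature are constructed placeholders (nothing is signed or verified); the blob layouts follow PROTOCOL.certkeys and the RFC 4251 string/mpint encodings.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

RSA_PLAIN = b"ssh-rsa"
RSA_CERT = b"ssh-rsa-cert-v01@openssh.com"


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the mpint positive
    return ssh_string(raw)


class Reader:
    """Cursor over SSH wire-format data (RFC 4251 string/uint/mpint)."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def string(self):
        (n,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4 + n
        return self.data[self.off - n:self.off]

    def uint32(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def uint64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v

    def mpint(self):
        return int.from_bytes(self.string(), "big")


def rsa_public_blob(e, n):
    return ssh_string(RSA_PLAIN) + ssh_mpint(e) + ssh_mpint(n)


def rsa_cert_blob(e, n, key_id, principals, valid_after, valid_before, ca_blob):
    """ssh-rsa-cert-v01@openssh.com layout from PROTOCOL.certkeys. The nonce
    and signature are constructed placeholders; nothing signs or verifies."""
    return (ssh_string(RSA_CERT) + ssh_string(b"\x00" * 32)       # type, nonce
            + ssh_mpint(e) + ssh_mpint(n)                          # user's public key
            + struct.pack(">QI", 1, 1)                             # serial, type 1 = user
            + ssh_string(key_id)
            + ssh_string(b"".join(ssh_string(p) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")  # crit opts, exts, reserved
            + ssh_string(ca_blob)                                  # signature key
            + ssh_string(b"constructed-placeholder-signature"))


def parse_identity(blob):
    """Pull out what ssh needs from a key or cert blob: the plain public key
    (which is also what gets fingerprinted) plus cert metadata when present."""
    r = Reader(blob)
    ktype = r.string()
    if ktype == RSA_PLAIN:
        e, n = r.mpint(), r.mpint()
        return {"type": "RSA", "cert": False, "bits": n.bit_length(),
                "plain": rsa_public_blob(e, n)}
    if ktype == RSA_CERT:
        r.string()                     # nonce
        e, n = r.mpint(), r.mpint()
        r.uint64(); r.uint32()         # serial, cert type
        key_id = r.string().decode()
        r.string(); r.uint64()         # principals, valid_after
        valid_before = r.uint64()
        return {"type": "RSA-CERT", "cert": True, "bits": n.bit_length(),
                "plain": rsa_public_blob(e, n), "key_id": key_id,
                "valid_before": valid_before}
    raise ValueError("unsupported key type %r" % ktype)


def fingerprint(blob):
    """SHA256 fingerprint in OpenSSH's notation. OpenSSH hashes the plain key
    embedded in a certificate, so an (RSA) entry and its (RSA-CERT) entry
    print the same fingerprint in ssh-add -l."""
    digest = hashlib.sha256(parse_identity(blob)["plain"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def agent_listing(identities):
    """Render [(blob, comment), ...] the way ssh-add -l does."""
    return ["%d %s %s (%s)" % (parse_identity(b)["bits"], fingerprint(b), c,
                                parse_identity(b)["type"]) for b, c in identities]


def private_key_for_cert(identities, cert_blob):
    """Before signing with a cert from the agent, ssh needs a plain identity
    whose public key equals the one inside the cert. Returns that blob, or
    None, which is the 'no private key for certificate' case in the report."""
    want = parse_identity(cert_blob)["plain"]
    for blob, _comment in identities:
        info = parse_identity(blob)
        if not info["cert"] and info["plain"] == want:
            return blob
    return None


# Constructed sample data: 2048-bit odd numbers standing in for RSA moduli.
E, N, CA_N = 65537, (1 << 2047) | 0x10001, (1 << 2047) | 0x20003
USER_KEY = rsa_public_blob(E, N)
VALID_BEFORE = int(datetime(2016, 3, 11, 18, 10, tzinfo=timezone.utc).timestamp())
COMMENT = "[Valid until %s, Version 2]" % datetime.fromtimestamp(
    VALID_BEFORE, timezone.utc).strftime("%a %d %b %Y %H:%M UTC")
USER_CERT = rsa_cert_blob(E, N, b"alice", [b"alice"], VALID_BEFORE - 3600,
                          VALID_BEFORE, rsa_public_blob(E, CA_N))
AGENT_CERT_ONLY = [(USER_CERT, COMMENT)]                       # the failing setup
AGENT_KEY_AND_CERT = [(USER_KEY, COMMENT), (USER_CERT, COMMENT)]  # the working setup

if __name__ == "__main__":
    for label, agent in (("cert only", AGENT_CERT_ONLY), ("key + cert", AGENT_KEY_AND_CERT)):
        print("agent (%s):\n  " % label + "\n  ".join(agent_listing(agent)))
        print("  private key for cert:", "found" if private_key_for_cert(agent, USER_CERT) else "none")
```

Run as a script, it prints an ssh-add -l style listing for the cert-only agent, where the lookup fails and ssh would take the "no private key for certificate" path, and for the key-plus-cert agent, where the plain identity is found and signing can proceed. The (RSA) and (RSA-CERT) lines carry the same SHA256 value for the reason noted in fingerprint(), which matches the identical fingerprints in the report's second listing.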