[Bug 2944] New: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01 at openssh.com and rsa-sha2-256-cert-v01 at openssh.com
bugzilla-daemon at bugzilla.mindrot.org
Tue Dec 18 22:56:59 AEDT 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2944
Bug ID: 2944
Summary: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01 at openssh.com and rsa-sha2-256-cert-v01 at openssh.com
Product: Portable OpenSSH
Version: 7.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: daa at open.ch
Created attachment 3216
--> https://bugzilla.mindrot.org/attachment.cgi?id=3216&action=edit
Patch for authfd.c to consider rsa-sha2-*cert algorithm types to properly request the signature at the agent
After upgrading to 7.9p1 we encountered the following warnings during
ssh client usage:
agent key RSA-CERT SHA256:IC6hv9VA5eBGO2oW0vRB8zkOvl954JwZ5KHU2lnaHW4
returned incorrect signature type
The detailed output shows the following:
debug1: Server accepts key: /home/daa/.ssh/id_rsa RSA-CERT
SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M explicit agent
debug3: sign_and_send_pubkey: RSA-CERT
SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M
debug2: sign_and_send_pubkey: using private key "/home/daa/.ssh/id_rsa"
from agent for certificate
debug3: sign_and_send_pubkey: signing using
rsa-sha2-512-cert-v01 at openssh.com
agent key RSA-CERT SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M
returned incorrect signature type
debug3: sign_and_send_pubkey: signing using
ssh-rsa-cert-v01 at openssh.com
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
OpenSSH 7.8p1 was only using ssh-rsa-cert-v01 at openssh.com when using
RSA-CERT.
A quick look at the authfd.c file leads me to the conclusion that
agent_encode_alg does not properly consider RSA-CERT in the signature
algorithm encoding, so that an rsa-sha2-* signature is not requested from
the ssh-agent.
I've attached a patch fixing this obvious error; please feel free to
adjust the patch if required.
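As an added example (not OpenSSH's own code and not the attached patch), here is a minimal C model of the signature-algorithm flag encoding the report points at: the 7.9p1 behaviour beside a corrected mapping, and a check that mirrors the client's "returned incorrect signature type" warning. The names encode_alg_buggy, encode_alg_fixed, cert_sig_type and cert_sig_matches are assumed for illustration; the two flag constants are the real authfd.h values.

```c
/* Added illustration of the agent_encode_alg defect described above; this is
 * NOT OpenSSH's own code. Flag values are those of authfd.h. */
#include <string.h>
#define SSH_AGENT_RSA_SHA2_256 0x02
#define SSH_AGENT_RSA_SHA2_512 0x04
enum key_type { KEY_RSA, KEY_RSA_CERT, KEY_OTHER };
/* Behaviour reported for 7.9p1: only a plain RSA key gets the SHA-2 flags, so a
 * certificate request yields flags 0 and the agent signs with legacy ssh-rsa. */
static unsigned int encode_alg_buggy(enum key_type type, const char *alg)
{
    if (alg != NULL && type == KEY_RSA) {
        if (strcmp(alg, "rsa-sha2-256") == 0)
            return SSH_AGENT_RSA_SHA2_256;
        if (strcmp(alg, "rsa-sha2-512") == 0)
            return SSH_AGENT_RSA_SHA2_512;
    }
    return 0;
}

/* Corrected mapping: an RSA certificate is an RSA key for this purpose, and
 * the *-cert-v01@openssh.com algorithm names select the same flags. */
static unsigned int encode_alg_fixed(enum key_type type, const char *alg)
{
    if (alg == NULL || (type != KEY_RSA && type != KEY_RSA_CERT))
        return 0;
    if (strcmp(alg, "rsa-sha2-256") == 0 ||
        strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
        return SSH_AGENT_RSA_SHA2_256;
    if (strcmp(alg, "rsa-sha2-512") == 0 ||
        strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
        return SSH_AGENT_RSA_SHA2_512;
    return 0;
}

/* Hypothetical agent side: the signature type produced for an RSA certificate
 * key from the request flags (flags 0 means the SHA-1 ssh-rsa-cert type). */
static const char *cert_sig_type(unsigned int flags)
{
    if (flags & SSH_AGENT_RSA_SHA2_512) return "rsa-sha2-512-cert-v01@openssh.com";
    if (flags & SSH_AGENT_RSA_SHA2_256) return "rsa-sha2-256-cert-v01@openssh.com";
    return "ssh-rsa-cert-v01@openssh.com";
}

/* Mirrors the client check behind "returned incorrect signature type": the
 * type the agent returned must equal the algorithm the client requested. */
static int cert_sig_matches(const char *requested,
                            unsigned int (*encode)(enum key_type, const char *))
{
    return strcmp(cert_sig_type(encode(KEY_RSA_CERT, requested)), requested) == 0;
}
```

With the buggy encoder the client's rsa-sha2-512-cert request comes back as ssh-rsa-cert and the mismatch fires; with the corrected one the requested and returned types agree.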