[Bug 3016] New: (still) not generating correct RSA SHA2 signatures from certificate files loaded in ssh-agent
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Wed May 29 23:55:21 AEST 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=3016
Bug ID: 3016
Summary: (still) not generating correct RSA SHA2 signatures
from certificate files loaded in ssh-agent
Product: Portable OpenSSH
Version: 8.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3288
--> https://bugzilla.mindrot.org/attachment.cgi?id=3288&action=edit
use correct algorithm identification in ssh-agent
If I read the certkeys specification [1] and the source code correctly,
the ssh-agent does not generate correct signatures when the certificate
is loaded in agent.
The agent_decode_alg() function [2] looks only on the actual key type
and for certificate key types, does not generate correct alg argument
for the sshkey_sign() function (ending with raw ssh-rsa signature).
This is not the same what happens in sshconnect2.c in
key_sig_algorithm() [3], where also the certificate types are taken
into the account and the alg argument to sshkey_sign() is properly
formatted.
I do not have separate reproducer inside of OpenSSH since I was using
OpenSSH agent, libssh client and openSSH server, which failed to verify
these signatures (when the base rsa-ssh algorithms were disabled).
The attached patch resolved the issue for me in the above setup. I am
not sure whether there is some more elegant way how to achieve the
same.
[1]
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L41
[2]
https://github.com/openssh/openssh-portable/blob/master/ssh-agent.c#L265
[3]
https://github.com/openssh/openssh-portable/blob/master/sshconnect2.c#L1102
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list