[Bug 3228] New: A client with an ssh agent can login with a revoked certificate

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Nov 3 22:38:31 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3228

            Bug ID: 3228
           Summary: A client with an ssh agent can login with a revoked
                    certificate
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sebelk at gmail.com

A client with an ssh agent can login with a revoked certificate.

Steps:

1. On the ssh server (CentOS 8) revoke a client certificate:

ssh-keygen -k -f /etc/ssh/keys/krl.list -z1 sergio_id_rsa-cert.pub

2. Verify that the client is revoked:

ssh-keygen -v -Q -f /etc/ssh/keys/krl.list /etc/ssh/keys/sergio_id_rsa-cert.pub
debug1: KRL version 1 generated at 20201103T104547
/etc/ssh/keys/sergio_id_rsa-cert.pub (sergio@dublin.ireland.home): REVOKED

3. On the ssh client check that ssh-agent is running:

pgrep -a ssh-agent
4487 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/startplasma-x11"

4. From that ssh client try to connect to the ssh server with the revoked
certificate:

ssh -i .ssh/sergio_lxc-cert.pub root@10.0.3.111
Last login: Tue Nov  3 11:11:29 2020 from 10.0.3.1
[root@centos8-neovim ~]#

What one would expect is that the ssh server rejects the attempt, but it does
not.

The log file has:

... Accepted publickey for root from 10.0.3.1 port 48524...

Only after deleting the identity from the agent on the ssh client side does the
ssh server reject the agent:

ssh-add -d /home/sergio/.ssh/id_rsa_SA
Identity removed: /home/sergio/.ssh/id_rsa_SA

error: Authentication key ... revoked by file /etc/ssh/keys/krl.list

So, one depends on the good will of the client side to remove the identity
from the agent.

(The client used in this testing is openssh-8.3p1 on Fedora 32.)

Note: I've found that adding the certificate as plain text to the RevokedKeys
file prevents the login immediately, but one can depend on having the
complete original certificate on hand.

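As an added detection example (not part of the bug report or of OpenSSH), the following Python script scans sshd "Accepted publickey" log lines for logins made with a certificate serial or key fingerprint that the KRL has revoked, so that sessions accepted the way the report describes can be found and terminated. The detail layout after "ssh2:" (assumed to be "RSA-CERT <fp> ID <id> (serial N) CA <type> <fp>", since the page's line is truncated) and every fingerprint and serial in SAMPLE_LOG are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed sshd auth-log excerpt; hosts, fingerprints and serials are made up.
SAMPLE_LOG = """\
Nov  3 11:11:29 centos8 sshd[1234]: Accepted publickey for root from 10.0.3.1 port 48524 ssh2: RSA-CERT SHA256:USERKEYFP ID sergio (serial 7) CA RSA SHA256:CAKEYFP
Nov  3 11:12:02 centos8 sshd[1250]: Accepted publickey for alice from 10.0.3.5 port 50112 ssh2: ED25519 SHA256:ALICEKEYFP
Nov  3 11:13:40 centos8 sshd[1260]: Accepted publickey for root from 10.0.3.1 port 48530 ssh2: RSA-CERT SHA256:OTHERKEYFP ID bob (serial 9) CA RSA SHA256:CAKEYFP
Nov  3 11:14:00 centos8 sshd[1270]: error: Authentication key RSA-CERT SHA256:USERKEYFP revoked by file /etc/ssh/keys/krl.list
"""

ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2: (?P<detail>.*)$")
# Assumed certificate detail layout: "<type>-CERT <fp> ID <id> (serial <n>) CA <catype> <cafp>"
CERT_RE = re.compile(
    r"^(?P<ktype>\S+)-CERT (?P<fp>\S+) ID (?P<id>.*?) \(serial (?P<serial>\d+)\) CA (?P<catype>\S+) (?P<cafp>\S+)")
PLAIN_RE = re.compile(r"^(?P<ktype>\S+) (?P<fp>\S+)")


def parse_accepted(line: str):
    """Return a dict for an 'Accepted publickey' line, or None for any other line."""
    m = ACCEPT_RE.search(line)
    if not m:
        return None
    rec = {"user": m["user"], "ip": m["ip"], "port": int(m["port"]), "serial": None, "fp": None}
    detail = m["detail"]
    c = CERT_RE.match(detail)
    if c:
        rec.update(fp=c["fp"], serial=int(c["serial"]), cert_id=c["id"], ca_fp=c["cafp"])
        return rec
    p = PLAIN_RE.match(detail)
    if p:
        rec["fp"] = p["fp"]  # plain key login: only the key fingerprint is known
    return rec


def find_revoked_logins(log_text: str, revoked_serials: Iterable[int] = (),
                        revoked_fps: Iterable[str] = ()):
    """Return accepted logins whose cert serial or key fingerprint is in the revoked sets."""
    serials, fps = set(revoked_serials), set(revoked_fps)
    hits = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue
        by_serial = rec["serial"] is not None and rec["serial"] in serials
        by_fp = rec["fp"] in fps
        if by_serial or by_fp:
            rec["reason"] = "serial" if by_serial else "fingerprint"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_revoked_logins(SAMPLE_LOG, revoked_serials=[7]):
        print(f"revoked cert accepted: user={hit['user']} from {hit['ip']}:{hit['port']} ({hit['reason']})")
```

Feed it the serials or fingerprints listed by `ssh-keygen -v -Q -f krl.list` and the server's auth log to find sessions that were accepted despite a revocation.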