[Bug 3752] New: ssh agent with host constraints fails creating a signature

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Nov 19 18:23:01 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3752

            Bug ID: 3752
           Summary: ssh agent with host constraints fails creating a
                    signature
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: t.cools at televic.com

Created attachment 3842
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3842&action=edit
It's a patch file; when applied, I can connect using ssh certificates
and host constraints.

Hi,

I've tried using SSH certificates with host constraints in the agent;
however, I get the following error:

in ssh:
```
debug1: Server accepts key: thibault@emil ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
debug2: sign_and_send_pubkey: using private key "thibault@emil" from agent for certificate
debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01@openssh.com SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
sign_and_send_pubkey: signing failed for ED25519 "thibault@emil" from agent: agent refused operation
```

in ssh-agent:
```
process_sign_request2: refusing use of destination-constrained key to sign an unidentified signature
```

There seems to be a mismatch in the keys used for signing. When host
constraints are used, the userauth request is parsed and the key that
should do the signing does not seem to match the key that is referenced
in the message. (see:
https://github.com/openssh/openssh-portable/blob/V_9_9_P1/ssh-agent.c#L876)

I have a patch, but it's applicable to the ssh client instead of the
agent, because it seems to work. See attachments.

If you want to reproduce:
1. Create an agent
2. Have a server that accepts SSH certificates
3. Sign a certificate and add it to the agent with a host constraint
4. Try SSH connection with the server

I am not experienced with the code base and the patch might not be
correct, I thought perhaps it could be useful. If I can help, let me
know.

Kind regards,
Thibault
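Added illustration, not part of the report above and not OpenSSH's own code: a Python model of the check the report links to. For the publickey-hostbound-v00@openssh.com method, ssh asks the agent to sign a blob that is the SSH_MSG_USERAUTH_REQUEST itself (prefixed by the session id), and that blob names the key being authenticated. For a destination-constrained key the agent parses the blob as such a request and requires the key named in it to match the key the sign request asked for; otherwise it logs the "unidentified signature" refusal quoted above. The wire layouts follow OpenSSH's PROTOCOL and PROTOCOL.certkeys files; the keys, user name, key id and session id are constructed, no signature is verified, and byte equality of the key blobs stands in for sshkey_equal. The example shows the combination from the log (certificate named in the request, plain private key asked to sign) failing that check even though both blobs carry the same key material.

```python
# Added example for bug 3752, not OpenSSH code: a Python model of the check
# the report points at. Before a destination-constrained key may sign, the
# agent parses the data as a publickey-hostbound-v00@openssh.com
# SSH_MSG_USERAUTH_REQUEST and requires the key named there to match the
# key the sign request named. Key bytes below are constructed, not real keys.
import struct

SSH2_MSG_USERAUTH_REQUEST = 50
HOSTBOUND = b"publickey-hostbound-v00@openssh.com"
ED25519 = b"ssh-ed25519"
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"

def ssh_string(b: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def take_string(buf: bytes, off: int):
    """Read one SSH string at offset; return (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    n = struct.unpack_from(">I", buf, off)[0]
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def ed25519_blob(pub: bytes) -> bytes:
    """Plain public key blob, as stored in the agent."""
    return ssh_string(ED25519) + ssh_string(pub)

def ed25519_cert_blob(pub: bytes, ca_blob: bytes, key_id: bytes,
                      principal: bytes) -> bytes:
    """ssh-ed25519-cert-v01@openssh.com blob with a placeholder CA signature."""
    return (ssh_string(ED25519_CERT) + ssh_string(b"\x00" * 32)   # alg, nonce
            + ssh_string(pub)                                     # certified key
            + struct.pack(">QI", 1, 1)                            # serial, USER
            + ssh_string(key_id) + ssh_string(ssh_string(principal))
            + struct.pack(">QQ", 0, 2 ** 64 - 1)                  # validity
            + ssh_string(b"") * 3                # critical opts, exts, reserved
            + ssh_string(ca_blob) + ssh_string(b"constructed-sig"))

def cert_public_key(cert_blob: bytes) -> bytes:
    """The raw key a certificate blob certifies."""
    alg, off = take_string(cert_blob, 0)
    if alg != ED25519_CERT:
        raise ValueError("not an ed25519 certificate")
    _nonce, off = take_string(cert_blob, off)
    return take_string(cert_blob, off)[0]

def build_hostbound_request(session_id, user, pkalg, key_blob, hostkey_blob):
    """What ssh asks the agent to sign for the hostbound method."""
    return (ssh_string(session_id) + bytes([SSH2_MSG_USERAUTH_REQUEST])
            + ssh_string(user) + ssh_string(b"ssh-connection")
            + ssh_string(HOSTBOUND) + b"\x01"                     # TRUE
            + ssh_string(pkalg) + ssh_string(key_blob) + ssh_string(hostkey_blob))

def parse_userauth_request(data: bytes) -> dict:
    """Parse data as a userauth request or raise ValueError."""
    session_id, off = take_string(data, 0)
    msg_type, off = data[off], off + 1
    user, off = take_string(data, off)
    service, off = take_string(data, off)
    method, off = take_string(data, off)
    sig_follows, off = data[off], off + 1
    pkalg, off = take_string(data, off)
    key, off = take_string(data, off)
    hostkey = None
    if method == HOSTBOUND:
        hostkey, off = take_string(data, off)
    if (off != len(data) or msg_type != SSH2_MSG_USERAUTH_REQUEST
            or sig_follows != 1 or service != b"ssh-connection"):
        raise ValueError("not a userauth request")
    return {"session_id": session_id, "user": user, "method": method,
            "pkalg": pkalg, "key": key, "hostkey": hostkey}

def agent_identifies_signature(data: bytes, sign_key_blob: bytes) -> bool:
    """True when a constrained key may sign: data is a userauth request
    naming exactly the key asked to sign (byte equality stands in for
    sshkey_equal). False is the report's 'unidentified signature'."""
    try:
        return parse_userauth_request(data)["key"] == sign_key_blob
    except (ValueError, IndexError):
        return False

def demo() -> dict:
    user_pub, ca_pub, host_pub = (bytes(range(32)), bytes(range(32, 64)),
                                  bytes(range(64, 96)))          # constructed
    plain_key = ed25519_blob(user_pub)
    cert = ed25519_cert_blob(user_pub, ed25519_blob(ca_pub), b"id", b"user")
    request = build_hostbound_request(b"S" * 32, b"user", ED25519_CERT,
                                      cert, ed25519_blob(host_pub))
    return {
        # the report's case: cert in the request, plain private key signing
        "cert_request_plain_key": agent_identifies_signature(request, plain_key),
        # same request, certificate named as the signing key
        "cert_request_cert_key": agent_identifies_signature(request, cert),
        # both blobs carry the same key; only the wrapping differs
        "same_underlying_key": cert_public_key(cert) == user_pub,
        # anything that is not a userauth request is refused
        "non_userauth_data": agent_identifies_signature(b"hello", cert),
    }
```

demo() returns the four outcomes: the report's combination is refused, the same request with the certificate itself as the signing key passes, the certified key and the plain key are the same 32 bytes, and arbitrary data is refused. The attached client-side patch is not modelled here.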
