ssh-agent and ssh2 servers...

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Tue Sep 19 20:56:57 EST 2000


On Mon, Sep 18, 2000 at 05:38:04PM -0400, Michael Alan Dorman wrote:
> I am running openssh 2.2.0p1 on Debian GNU/Linux.  I was pleased to
> see that 2.2.0p1 had support for DSA keys in the agent, and I have
> successfully used the v2 protocol to another openssh server with the
> agent providing authentication.

nice.

> I am also able to successfully connect to an ssh.com-2.1.0 server
> using DSA authentication, but the ssh-agent doesn't seem to provide
> authentication in this instance.

the agent currently works only against ssh.com-2.2.0 and 2.3.0; bug
compatibility for 2.1.0 and 2.0.13 will come soon, see patch below.

> It is not clear to me if this comment is intended to mean that openssh
> can't talk to the ssh-agent from ssh2 (which wouldn't surprise me a
> bit),

yes, this is true.

> or if it should really read "(note that we cannot talk to
> ssh.com's ssh2 servers)"

nope. see above.

> My question may be a result of me misunderstanding how the agent
> works, but at first glance it would seem that if ssh-agent is able to
> handle authenticating to another openssh server using the v2 protocol,
> then it ought to work with an ssh.com server using the v2 protocol.
> 
> Could someone clarify whether this is an issue with the openssh agent,

yes and no.

> or perhaps a bug in what _is_ an older version of ssh.com's ssh?

yes!

> And
> if it's an issue with the openssh agent, is there any possibility of
> it being resolved,

yes.

> or does ssh.com's server use some sort of
> proprietary protocol that makes interoperability impossible?

nope. it's just a bug.

> I appreciate any information anyone can provide.

you could try this patch, perhaps you need to hand-edit the
results.

Index: authfd.c
===================================================================
RCS file: /home/markus/cvs/ssh/authfd.c,v
retrieving revision 1.27
diff -u -r1.27 authfd.c
--- authfd.c	2000/09/07 20:27:49	1.27
+++ authfd.c	2000/09/17 13:31:35
@@ -51,6 +51,7 @@
 #include "authfd.h"
 #include "kex.h"
 #include "dsa.h"
+#include "compat.h"
 
 /* helper */
 int	decode_reply(int type);
@@ -360,20 +361,24 @@
     unsigned char **sigp, int *lenp,
     unsigned char *data, int datalen)
 {
+	extern int datafellows;
 	Buffer msg;
 	unsigned char *blob;
 	unsigned int blen;
-	int type;
+	int type, flags = 0;
 	int ret = -1;
 
 	if (dsa_make_key_blob(key, &blob, &blen) == 0)
 		return -1;
 
+	if (datafellows & SSH_BUG_SIGBLOB)
+		flags = SSH_AGENT_OLD_SIGNATURE;
+
 	buffer_init(&msg);
 	buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
 	buffer_put_string(&msg, blob, blen);
 	buffer_put_string(&msg, data, datalen);
-	buffer_put_int(&msg, 0);				/* flags, unused */
+	buffer_put_int(&msg, flags);
 	xfree(blob);
 
 	if (ssh_request_reply(auth, &msg, &msg) == 0) {
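Review bot: the function-local `extern int datafellows;` at the top of ssh_agent_sign() is the wrong place for that declaration now that this same patch includes compat.h; if compat.h already declares datafellows the local extern is redundant, and if it does not, put the declaration there so every user of the bitmask sees one declaration. The flags-word change itself is safe: the field was previously always sent as 0, so an agent that ignores it behaves as before, and SSH_AGENT_OLD_SIGNATURE is only set after the client has already decided the peer has SSH_BUG_SIGBLOB.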
Index: authfd.h
===================================================================
RCS file: /home/markus/cvs/ssh/authfd.h,v
retrieving revision 1.11
diff -u -r1.11 authfd.h
--- authfd.h	2000/09/07 20:27:49	1.11
+++ authfd.h	2000/09/17 13:31:35
@@ -37,6 +37,9 @@
 #define SSH2_AGENTC_REMOVE_IDENTITY		18
 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES	19
 
+#define	SSH_AGENT_OLD_SIGNATURE			0x01
+
+
 typedef struct {
 	int     fd;
 	Buffer  identities;
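Review bot: SSH_AGENT_OLD_SIGNATURE is added without a comment saying what it is, and since it is a bit in the uint32 flags word of SSH2_AGENTC_SIGN_REQUEST that any other agent implementation will see on the wire, it should say so next to the define, e.g. `/* flags for SSH2_AGENTC_SIGN_REQUEST: return signature in old ssh.com blob format */`. Style: the two added blank lines before the typedef leave a double blank where one is enough, and `#define<tab>` differs from the `#define ` spacing used by the neighbouring defines.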
Index: ssh-agent.c
===================================================================
RCS file: /home/markus/cvs/ssh/ssh-agent.c,v
retrieving revision 1.35
diff -u -r1.35 ssh-agent.c
--- ssh-agent.c	2000/09/07 20:27:54	1.35
+++ ssh-agent.c	2000/09/17 13:31:36
@@ -56,6 +56,7 @@
 #include "authfd.h"
 #include "dsa.h"
 #include "kex.h"
+#include "compat.h"
 
 typedef struct {
 	int fd;
@@ -233,6 +234,7 @@
 	Key *key, *private;
 	unsigned char *blob, *data, *signature = NULL;
 	unsigned int blen, dlen, slen = 0;
+	int flags;
 	Buffer msg;
 	int ok = -1;
 
@@ -240,7 +242,10 @@
 	
 	blob = buffer_get_string(&e->input, &blen);
 	data = buffer_get_string(&e->input, &dlen);
-	buffer_get_int(&e->input);			/* flags, unused */
+
+	flags = buffer_get_int(&e->input);
+	if (flags & SSH_AGENT_OLD_SIGNATURE)
+		datafellows = SSH_BUG_SIGBLOB;
 
 	key = dsa_key_from_blob(blob, blen);
 	if (key != NULL) {
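Review bot: the assignment `datafellows = SSH_BUG_SIGBLOB;` is sticky. The agent is a long-lived process serving every client that connects to its socket, and nothing in this hunk ever clears the bit, so after a single sign request carrying SSH_AGENT_OLD_SIGNATURE every later request, including those from clients talking to servers without the bug, would also get the old signature format. Decide it per request, e.g. `datafellows = (flags & SSH_AGENT_OLD_SIGNATURE) ? SSH_BUG_SIGBLOB : 0;`, or better pass the choice down to the signing call instead of going through a global. As written the assignment also discards any other bits in datafellows rather than OR-ing them in, which is harmless only as long as the agent uses no other compat bits.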

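As an added illustration of the exchange the patch touches (this is not code from the message or from OpenSSH), the following Python encodes the SSH2_AGENTC_SIGN_REQUEST message the way ssh_agent_sign() builds it, with the formerly unused flags word now carrying SSH_AGENT_OLD_SIGNATURE, and parses it the way process_sign_request2() reads it. The message number 13 for SSH2_AGENTC_SIGN_REQUEST comes from the agent protocol and is not visible in the quoted hunks; the numeric value of SSH_BUG_SIGBLOB, the key blob and the data to sign are assumptions or constructed sample input.

```python
import struct

# Message number from the SSH agent protocol as implemented by OpenSSH
# (not shown in the quoted hunks).
SSH2_AGENTC_SIGN_REQUEST = 13
# Flag bit introduced by the patch, carried in the uint32 flags word that
# ssh_agent_sign() used to send as 0.
SSH_AGENT_OLD_SIGNATURE = 0x01
# Client-side compat bit; its numeric value is assumed here, the real one
# lives in compat.h.
SSH_BUG_SIGBLOB = 0x01


def put_string(b: bytes) -> bytes:
    """SSH 'string' encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    """Decode one SSH string at offset 'off'; returns (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_sign_request(key_blob: bytes, data: bytes, datafellows: int) -> bytes:
    """Client side, mirroring the patched ssh_agent_sign(): the flag is set
    only when the client has already decided the peer has SSH_BUG_SIGBLOB.
    Returns the complete frame (uint32 length + message) sent on the socket."""
    flags = SSH_AGENT_OLD_SIGNATURE if datafellows & SSH_BUG_SIGBLOB else 0
    msg = (bytes([SSH2_AGENTC_SIGN_REQUEST])
           + put_string(key_blob)
           + put_string(data)
           + struct.pack(">I", flags))
    return put_string(msg)


def parse_sign_request(frame: bytes):
    """Agent side, mirroring process_sign_request2(). Returns
    (key_blob, data, old_signature); old_signature is decided for this one
    request and nothing is stored in process-wide state."""
    msg, end = get_string(frame, 0)
    if end != len(frame):
        raise ValueError("trailing bytes after frame")
    if not msg or msg[0] != SSH2_AGENTC_SIGN_REQUEST:
        raise ValueError("not a SSH2_AGENTC_SIGN_REQUEST")
    off = 1
    key_blob, off = get_string(msg, off)
    data, off = get_string(msg, off)
    if off + 4 != len(msg):
        raise ValueError("bad flags field")
    (flags,) = struct.unpack_from(">I", msg, off)
    return key_blob, data, bool(flags & SSH_AGENT_OLD_SIGNATURE)


def serve(frames):
    """One agent process handling several clients in turn; returns the
    old_signature decision made for each frame, independently."""
    return [parse_sign_request(f)[2] for f in frames]


# Constructed sample input: a fake "ssh-dss" key blob and fake bytes to
# sign, not real key material.
KEY_BLOB = put_string(b"ssh-dss") + put_string(b"\x00\x01fake-p")
DATA = b"constructed-bytes-to-sign"

if __name__ == "__main__":
    to_old_server = build_sign_request(KEY_BLOB, DATA, SSH_BUG_SIGBLOB)
    to_new_server = build_sign_request(KEY_BLOB, DATA, 0)
    print(serve([to_old_server, to_new_server]))  # [True, False]
```

The agent-side decision is made from the flags of the request being handled and is not written to a global, so a client connecting to an old ssh.com server and another connecting to a server without the bug can share the same agent without one request changing the signature format of the next.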





More information about the openssh-unix-dev mailing list