ssh-agent and ssh2 servers...
Markus Friedl
Markus.Friedl at informatik.uni-erlangen.de
Tue Sep 19 20:56:57 EST 2000
On Mon, Sep 18, 2000 at 05:38:04PM -0400, Michael Alan Dorman wrote:
> I am running openssh 2.2.0p1 on Debian GNU/Linux. I was pleased to
> see that 2.2.0p1 had support for DSA keys in the agent, and I have
> successfully used the v2 protocol to another openssh server with the
> agent providing authentication.
nice.
> I am also able to successfully connect to an ssh.com-2.1.0 server
> using DSA authentication, but the ssh-agent doesn't seem to provide
> authentication in this instance.
the agent currenly works only against ssh.com-2.2.0 and 2.3.0, bug
compatibility for 2.1.0 and 2.0.13 will come soon, see patch below.
> It is not clear to me if this comment is intended to mean that openssh
> can't talk to the ssh-agent from ssh2 (which wouldn't surprise me a
> bit),
yes this true.
> or if it should really read "(note that we cannot talk to
> ssh.com's ssh2 servers)"
nope. see above.
> My question may be a result of me misunderstanding how the agent
> works, but at first glance it would seem that if ssh-agent is able to
> handle authenticating to another openssh server using the v2 protocol,
> then it ought to work with an ssh.com server using the v2 protocol.
>
> Could someone clarify whether this is a issue with the openssh agent,
yes and no.
> or perhaps a bug in what _is_ an older version of ssh.com's ssh?
yes!
> And
> if it's an issue with the openssh agent, is there any possibility of
> it being resolved,
yes.
> or does ssh.com's server use some sort of
> proprietary protocol that makes interoperability impossible?
nope. it's just a bug.
> I appreciate any information anyone can provide.
you could try this patch, perhaps you need to hand-edit the
results.
Index: authfd.c
===================================================================
RCS file: /home/markus/cvs/ssh/authfd.c,v
retrieving revision 1.27
diff -u -r1.27 authfd.c
--- authfd.c 2000/09/07 20:27:49 1.27
+++ authfd.c 2000/09/17 13:31:35
@@ -51,6 +51,7 @@
#include "authfd.h"
#include "kex.h"
#include "dsa.h"
+#include "compat.h"
/* helper */
int decode_reply(int type);
@@ -360,20 +361,24 @@
unsigned char **sigp, int *lenp,
unsigned char *data, int datalen)
{
+ extern int datafellows;
Buffer msg;
unsigned char *blob;
unsigned int blen;
- int type;
+ int type, flags = 0;
int ret = -1;
if (dsa_make_key_blob(key, &blob, &blen) == 0)
return -1;
+ if (datafellows & SSH_BUG_SIGBLOB)
+ flags = SSH_AGENT_OLD_SIGNATURE;
+
buffer_init(&msg);
buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
buffer_put_string(&msg, blob, blen);
buffer_put_string(&msg, data, datalen);
- buffer_put_int(&msg, 0); /* flags, unused */
+ buffer_put_int(&msg, flags);
xfree(blob);
if (ssh_request_reply(auth, &msg, &msg) == 0) {
Index: authfd.h
===================================================================
RCS file: /home/markus/cvs/ssh/authfd.h,v
retrieving revision 1.11
diff -u -r1.11 authfd.h
--- authfd.h 2000/09/07 20:27:49 1.11
+++ authfd.h 2000/09/17 13:31:35
@@ -37,6 +37,9 @@
#define SSH2_AGENTC_REMOVE_IDENTITY 18
#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19
+#define SSH_AGENT_OLD_SIGNATURE 0x01
+
+
typedef struct {
int fd;
Buffer identities;
Index: ssh-agent.c
===================================================================
RCS file: /home/markus/cvs/ssh/ssh-agent.c,v
retrieving revision 1.35
diff -u -r1.35 ssh-agent.c
--- ssh-agent.c 2000/09/07 20:27:54 1.35
+++ ssh-agent.c 2000/09/17 13:31:36
@@ -56,6 +56,7 @@
#include "authfd.h"
#include "dsa.h"
#include "kex.h"
+#include "compat.h"
typedef struct {
int fd;
@@ -233,6 +234,7 @@
Key *key, *private;
unsigned char *blob, *data, *signature = NULL;
unsigned int blen, dlen, slen = 0;
+ int flags;
Buffer msg;
int ok = -1;
@@ -240,7 +242,10 @@
blob = buffer_get_string(&e->input, &blen);
data = buffer_get_string(&e->input, &dlen);
- buffer_get_int(&e->input); /* flags, unused */
+
+ flags = buffer_get_int(&e->input);
+ if (flags & SSH_AGENT_OLD_SIGNATURE)
+ datafellows = SSH_BUG_SIGBLOB;
key = dsa_key_from_blob(blob, blen);
if (key != NULL) {
More information about the openssh-unix-dev
mailing list