corrupt client keys question

Dan Kaminsky dan at doxpara.com
Fri Nov 14 16:45:40 EST 2003


Been investigating this.  Preliminary evidence -- yup, keys can be 
corrupted pretty heavily, and still result in a successful login.  
Attached is a set of example keys,  bounced around quite heavily.  It 
appears certain bytes flat out do not affect the calculation, i.e. no 
matter what I put in there, the key still works.

I'm actually not worried, yet -- my suspicion is that OpenSSL throws 
some extra bits into its saved keys, and that's what I'm corrupting.  
Still, this ain't encouraging:

$ openssl.exe rsa -check -in id_rsa
3884:error:0407B080:rsa routines:RSA_check_key:p not prime:rsa_chk.c:84:
3884:error:0407B081:rsa routines:RSA_check_key:q not prime:rsa_chk.c:94:
3884:error:0407B07F:rsa routines:RSA_check_key:n does not equal p q:rsa_chk.c:104:
3884:error:0407B07B:rsa routines:RSA_check_key:d e not congruent to 1:rsa_chk.c:128:
3884:error:0407B07C:rsa routines:RSA_check_key:dmp1 not congruent to d:rsa_chk.c:144:
3884:error:0407B07D:rsa routines:RSA_check_key:dmq1 not congruent to d:rsa_chk.c:158:
3884:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:482:



Pete Flugstad wrote:

> Jim Knoble wrote:
>
>> You sure you're not running ssh-agent with the (uncorrupted) key added
>> to it?
>
>
> yes, no SSH-agent running.
>
>> Can you reproduce this behavior on a -t rsa key that has a passphrase?
>
>
> Seems I can, which really scares me.  Here are the files I'm working 
> with.  rsa-pass is freshly generated with "ssh-keygen -t rsa" and I 
> used a passphrase (not a good one, but I used one):
>
>> [pete@taz tmp]$ ll
>> total 16
>> -rw-------    1 pete     pete          963 Nov 13 17:50 rsa-pass
>> -rw-------    1 pete     pete          963 Nov 13 17:52 rsa-pass-corrupt
>> -rw-------    1 pete     pete          218 Nov 13 17:51 rsa-pass-corrupt.pub
>> -rw-------    1 pete     pete          218 Nov 13 17:50 rsa-pass.pub
>> [pete@taz tmp]$ cat rsa-pass
>> -----BEGIN RSA PRIVATE KEY-----
>> Proc-Type: 4,ENCRYPTED
>> DEK-Info: DES-EDE3-CBC,210DCA300E488E36
>>
>> r/oN1b4kfcCNX/8PtIe8yK6KdNXguSBX5W4OdbBhBaMKekhazj0QDLPdknwZyPUk
>> RN3oYZt+dL/HmioK+djoIKL0ZjloiJshNnzVNL8edTLQrIgeptNRausEakjq8gyn
>> P5WwMQqocdmq3c/ANcJEesi+rhrtiAm7MfHO5hKoBUhT17guhIY1DC2CzWbFa+hl
>> m1cM2+mmemqGMFkW8kZWqf9GPCzGyVWk6qbIWPLq2LplvJuGIrZiBY839juuN2/0
>> g4FEUvgWmjW2+kOvsrr2rGY7okCDV7BF6Du0xURqVpW34Y+iP+yl7QSfZsRSAP1R
>> 7sMIvYx6gZaqfba0C3FDTNI+f4Zl126OpZBSdRY2Mn1/VW7FDN5GCH/L7xdVhlYr
>> DXJILsdArI03SPIVyMbQcSjepLtHywvSMY8Iw4vm5St1S9Zmr2MUeICgui9TZ3RQ
>> ji2+q3fM2WETGNm+PWP5eW96Sxd0AAz9AO55l8SGbXnMwMgtIj3+nrIquK3eatsu
>> xetIognL/tQJG4nO1umM4cs6IM8XdaeyZeUQayGq55mqOIhj0nASD4sWTRlVZPIx
>> K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx
>> DzV9itbV9Ic1h6u7QnAHjk4OhnbQk83C3l6Ww+3/IfoGeCngL4DFA2/W2ABPLJcJ
>> 6EYdvAO5LqAvATA2WjaXexTIIQiRqtIoj3XOVsJ8cnyID8DY+bHRKIGOsRQc7TMf
>> o13PSOo5fl4fPaeqwPVJD+9KkWPyWQ+wDWb2gfEgiNSKqmcxlhXpRA==
>> -----END RSA PRIVATE KEY-----
>
>
> I copied rsa-pass to rsa-pass-corrupt, then edited it, changing a
> few characters from upper to lower case:
>
>> [pete@taz tmp]$ diff rsa-pass rsa-pass-corrupt
>> 14c14
>> < K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx
>> ---
>>
>>> k2lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx
>>
>
> I can verify that the rsa key is OK and rsa-pass-corrupt key is bogus:
>
> > [pete@taz tmp]$ openssl rsa -check -in rsa-pass
> > Enter pass phrase for rsa-pass:
> > RSA key ok
> > writing RSA key
> > -----BEGIN RSA PRIVATE KEY-----
> > MIICXAIBAAKBgQC07DC7+w+8xMkmRF4O+f4NF0kKJlzKtd2Q86Cw/SXeq63TZwjD
> > FwyHyxje3713ccb2D9y7GRMFfNHQWvuYRDvp6gZiT3Z1nuNX7bsZ7yWY3FwFql37
> > nC6H28dReon7ipWKXWGQITl8lwUos3zkLTztmaF8q+Plvsdm3AMwXyRuGQIBIwKB
> > gQCqlY0JAqhwJ0FP91Fek++Ir44CQW1uq3kiRMq1gPfR8lNvjQhC6didSnaI/tc2
> > GtGI6mJnQ4b2i6FAys/19zEraUXyHwQYmnfgaNZ2am/Ru8BVl5qzBJYqf8amEukP
> > Avl1WwtQt0+u7OKzN0quzDyii7takYsp0pMkMU290vHaewJBAO5fypNUZaawK221
> > y3naumNrjvrcLlPewNu6E4Q0ZJLpUYOpdxkQ/wXHcLw/ANnk0OUYk9z1AAhhr7A6
> > ESHXIV0CQQDCTOSD9u4eER91rXuISKLv3qeK1fgkarEytqzahTG2dRl5KDfJnazE
> > i1b6qNxbsvQv2Xk8U4rPTYkHAk4nRQftAkAUbpxVxWfMdYAQt8+cuvoIhY/pndgV
> > 0UO7D/MLVPKtgbaHoM+xsP/qjXAQIqhNMN60jRP8/w6hofkdu9WVL7JnAkEAhTwK
> > aR5aIz7xADxx9w08hzmXdSUB7RX12aHVnSgiFrayYbUtkZCw+81C9QYTchRPq8hT
> > Ig1mf4Wfykq5P3/K6wJBAK74oVXD+oYXPBWdqNQpq7EuOGW+jmnOM1aS312pJZ+h
> > 0LmZkA0djBpSEjwHjcOVEBHVRXz5VgOEOb2EfvMulTw=
> > -----END RSA PRIVATE KEY-----
> > [pete@taz tmp]$ openssl rsa -check -in rsa-pass-corrupt
> > Enter pass phrase for rsa-pass-corrupt:
> > RSA key error: dmp1 not congruent to d
> > writing RSA key
> > -----BEGIN RSA PRIVATE KEY-----
> > MIICXAIBAAKBgQC07DC7+w+8xMkmRF4O+f4NF0kKJlzKtd2Q86Cw/SXeq63TZwjD
> > FwyHyxje3713ccb2D9y7GRMFfNHQWvuYRDvp6gZiT3Z1nuNX7bsZ7yWY3FwFql37
> > nC6H28dReon7ipWKXWGQITl8lwUos3zkLTztmaF8q+Plvsdm3AMwXyRuGQIBIwKB
> > gQCqlY0JAqhwJ0FP91Fek++Ir44CQW1uq3kiRMq1gPfR8lNvjQhC6didSnaI/tc2
> > GtGI6mJnQ4b2i6FAys/19zEraUXyHwQYmnfgaNZ2am/Ru8BVl5qzBJYqf8amEukP
> > Avl1WwtQt0+u7OKzN0quzDyii7takYsp0pMkMU290vHaewJBAO5fypNUZaawK221
> > y3naumNrjvrcLlPewNu6E4Q0ZJLpUYOpdxkQ/wXHcLw/ANnk0OUYk9z1AAhhr7A6
> > ESHXIV0CQQDCTOSD9u4eER91rXuISKLv3qeK1fgkarEytqzahTG2dRl5KDfJnazE
> > i1b6qNxbsvQv2Xk8U4rPTYkHAk4nRQftAkAUbpxVxWfMdYAQt8+cuvoIhY/pndgV
> > XP7Sv4nQO2kVijaHoM+xsP/qjXAQIqhNMN60jRP8/w6hofkdu9WVL7JnAkEAhTwK
> > aR5aIz7xADxx9w08hzmXdSUB7RX12aHVnSgiFrayYbUtkZCw+81C9QYTchRPq8hT
> > Ig1mf4Wfykq5P3/K6wJBAK74oVXD+oYXPBWdqNQpq7EuOGW+jmnOM1aS312pJZ+h
> > 0LmZkA0djBpSEjwHjcOVEBHVRXz5VgOEOb2EfvMulTw=
> > -----END RSA PRIVATE KEY-----
>
> I added rsa-pass.pub to my ~/.ssh/authorized_keys and then tried to 
> log in with rsa-pass:
>
>> [pete@taz tmp]$ ssh -v localhost -i rsa-pass
>> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Rhosts Authentication disabled, originating port will not be trusted.
>> debug1: Connecting to localhost [127.0.0.1] port 22.
>> debug1: Connection established.
>> debug1: identity file rsa-pass type 1
>> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9
>> debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-cbc hmac-md5 none
>> debug1: kex: client->server aes128-cbc hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'localhost' is known and matches the RSA host key.
>> debug1: Found key in /home/pete/.ssh/known_hosts:21
>> debug1: ssh_rsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: rsa-pass
>> debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x80888a0 hint 0
>> debug1: PEM_read_PrivateKey failed
>> debug1: read PEM private key done: type <unknown>
>> Enter passphrase for key 'rsa-pass':
>> debug1: read PEM private key done: type RSA
>> debug1: Authentication succeeded (publickey).
>> debug1: channel 0: new [client-session]
>> debug1: Entering interactive session.
>> debug1: channel 0: request pty-req
>> debug1: channel 0: request shell
>> debug1: channel 0: open confirm rwindow 0 rmax 32768
>> Linux taz 2.6.0-test9 #2 SMP Mon Oct 27 17:02:15 CST 2003 i686 GNU/Linux
>> No mail.
>> Last login: Thu Nov 13 17:56:20 2003 from taz
>> [pete@taz pete]$ <Ctrl-D>
>> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
>> debug1: channel 0: rcvd eof
>> debug1: channel 0: output open -> drain
>> debug1: channel 0: obuf empty
>> debug1: channel 0: close_write
>> debug1: channel 0: output drain -> closed
>> debug1: channel 0: rcvd close
>> debug1: channel 0: close_read
>> debug1: channel 0: input open -> closed
>> debug1: channel 0: almost dead
>> debug1: channel 0: gc: notify user
>> debug1: channel 0: gc: user detached
>> debug1: channel 0: send close
>> debug1: channel 0: is dead
>> debug1: channel 0: garbage collecting
>> debug1: channel_free: channel 0: client-session, nchannels 1
>> Connection to localhost closed.
>> debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 15.5 seconds
>> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2.1
>> debug1: Exit status 0
>> [pete@taz tmp]$
>
>
> Now with the corrupt key:
>
>> [pete@taz tmp]$ ssh -v localhost -i rsa-pass-corrupt
>> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Rhosts Authentication disabled, originating port will not be trusted.
>> debug1: Connecting to localhost [127.0.0.1] port 22.
>> debug1: Connection established.
>> debug1: identity file rsa-pass-corrupt type 1
>> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9
>> debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-cbc hmac-md5 none
>> debug1: kex: client->server aes128-cbc hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'localhost' is known and matches the RSA host key.
>> debug1: Found key in /home/pete/.ssh/known_hosts:21
>> debug1: ssh_rsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: rsa-pass-corrupt
>> debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x80888e0 hint 0
>> debug1: PEM_read_PrivateKey failed
>> debug1: read PEM private key done: type <unknown>
>> Enter passphrase for key 'rsa-pass-corrupt':
>> debug1: read PEM private key done: type RSA
>> debug1: Authentication succeeded (publickey).
>> debug1: channel 0: new [client-session]
>> debug1: Entering interactive session.
>> debug1: channel 0: request pty-req
>> debug1: channel 0: request shell
>> debug1: channel 0: open confirm rwindow 0 rmax 32768
>> Linux taz 2.6.0-test9 #2 SMP Mon Oct 27 17:02:15 CST 2003 i686 GNU/Linux
>> No mail.
>> Last login: Thu Nov 13 17:56:35 2003 from taz
>> [pete@taz pete]$ <Ctrl-D>
>> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
>> debug1: channel 0: rcvd eof
>> debug1: channel 0: output open -> drain
>> debug1: channel 0: obuf empty
>> debug1: channel 0: close_write
>> debug1: channel 0: output drain -> closed
>> debug1: channel 0: rcvd close
>> debug1: channel 0: close_read
>> debug1: channel 0: input open -> closed
>> debug1: channel 0: almost dead
>> debug1: channel 0: gc: notify user
>> debug1: channel 0: gc: user detached
>> debug1: channel 0: send close
>> debug1: channel 0: is dead
>> debug1: channel 0: garbage collecting
>> debug1: channel_free: channel 0: client-session, nchannels 1
>> Connection to localhost closed.
>> debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 51.3 seconds
>> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.6
>> debug1: Exit status 0
>> [pete@taz tmp]$
>
>
> I reinstalled SSHD from the Debian archives to make sure I'm not 
> running some kind of bogus SSH server and it still works.  I'd be 
> surprised if this had happened as I tend to be pretty careful and 
> pretty aware of what's going on with this box.  And, I've reproduced 
> this behavior on our SSH port to vxWorks (which is where it came up in 
> the first place).
>
> I can corrupt the key to the point where the ASN1 parse fails:
>
>> [pete@taz tmp]$ diff rsa-pass rsa-pass-corrupt2
>> 10c10
>> < 7sMIvYx6gZaqfba0C3FDTNI+f4Zl126OpZBSdRY2Mn1/VW7FDN5GCH/L7xdVhlYr
>> ---
>>
>>> 7smivyx6gzaqfba0c3fdtni+f4zl126opzbsdry2mn1/vw7fdn5gch/L7xdVhlYr
>>
>> 13,14c13,14
>> < xetIognL/tQJG4nO1umM4cs6IM8XdaeyZeUQayGq55mqOIhj0nASD4sWTRlVZPIx
>> < K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx
>> ---
>>
>>> xetIognL/tQJG4nO1umM4cs6IM8Xdaeyzeuqaygq55mqoihj0nasd4swtrlvzpix
>>> k2lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx
>>
>
> Then of course it doesn't work (as expected):
>
>> [pete@taz tmp]$ openssl rsa -check -in rsa-pass-corrupt2
>> Enter pass phrase for rsa-pass-corrupt2:
>> unable to load Private Key
>> 29272:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
>> 29272:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:935:
>> 29272:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:628:
>> 29272:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=p, Type=RSA
>> 29272:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
>> 29272:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:117:
>
>
>> [pete@taz tmp]$ ssh -v localhost -i rsa-pass-corrupt2
>> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Rhosts Authentication disabled, originating port will not be trusted.
>> debug1: Connecting to localhost [127.0.0.1] port 22.
>> debug1: Connection established.
>> debug1: identity file rsa-pass-corrupt2 type -1
>> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9
>> debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug1: kex: server->client aes128-cbc hmac-md5 none
>> debug1: kex: client->server aes128-cbc hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug1: Host 'localhost' is known and matches the RSA host key.
>> debug1: Found key in /home/pete/.ssh/known_hosts:21
>> debug1: ssh_rsa_verify: signature correct
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug1: Authentications that can continue: publickey,password,keyboard-interactive
>> debug1: Next authentication method: publickey
>> debug1: Trying private key: rsa-pass-corrupt2
>> debug1: PEM_read_PrivateKey failed
>> debug1: read PEM private key done: type <unknown>
>> Enter passphrase for key 'rsa-pass-corrupt2':
>> debug1: PEM_read_PrivateKey failed
>
> > <Ctrl-C>
>
> This is mighty strange.  I'm still wondering if I've been rooted...
> If so, it's exceedingly well done.
>
> Pete
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: id_rsa_good
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031114/bb859f95/attachment.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: id_rsa
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031114/bb859f95/attachment-0001.ksh 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: id_rsa.pub
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031114/bb859f95/attachment-0002.ksh 
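
The consistency conditions behind the `openssl rsa -check` messages quoted in this thread, as an added example (not part of the original messages, and not OpenSSL or OpenSSH code). It uses a constructed toy key and shows that a private key whose `dmp1` is damaged fails the check yet still produces a valid signature when only `d` and `n` are used; whether OpenSSH took that path here is an assumption the thread does not settle.

```python
# Added example: toy-sized RSA key, constructed for illustration only.
from math import gcd

def is_prime(n):
    """Trial division; adequate for the toy primes used here."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def check_key(k):
    """Return the failed checks, labelled after the openssl messages quoted above."""
    errs = []
    if not is_prime(k["p"]):
        errs.append("p not prime")
    if not is_prime(k["q"]):
        errs.append("q not prime")
    if k["n"] != k["p"] * k["q"]:
        errs.append("n does not equal p q")
    lam = (k["p"] - 1) * (k["q"] - 1) // gcd(k["p"] - 1, k["q"] - 1)
    if (k["d"] * k["e"]) % lam != 1:
        errs.append("d e not congruent to 1")
    if k["dmp1"] != k["d"] % (k["p"] - 1):
        errs.append("dmp1 not congruent to d")
    if k["dmq1"] != k["d"] % (k["q"] - 1):
        errs.append("dmq1 not congruent to d")
    if (k["iqmp"] * k["q"]) % k["p"] != 1:
        errs.append("iqmp not inverse of q")  # label chosen for this example
    return errs

def sign_plain(m, k):
    """Signature from d and n only; the CRT fields are never read."""
    return pow(m, k["d"], k["n"])

def sign_crt(m, k):
    """Signature via the CRT shortcut, which does read dmp1, dmq1 and iqmp."""
    s1 = pow(m, k["dmp1"], k["p"])
    s2 = pow(m, k["dmq1"], k["q"])
    return s2 + k["q"] * ((k["iqmp"] * (s1 - s2)) % k["p"])

def verify(m, s, k):
    """Public-key check: s^e mod n must give back the message."""
    return pow(s, k["e"], k["n"]) == m % k["n"]

GOOD = dict(n=3233, e=17, d=2753, p=61, q=53, dmp1=53, dmq1=49, iqmp=38)
# One redundant field damaged, mirroring the single dmp1 error for rsa-pass-corrupt.
BAD = dict(GOOD, dmp1=54)

if __name__ == "__main__":
    for name, key in (("good", GOOD), ("bad", BAD)):
        print(name, check_key(key),
              verify(65, sign_plain(65, key), key),
              verify(65, sign_crt(65, key), key))
```

Running a check like `check_key` when a private key is loaded catches this kind of silent damage before the key is used.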

