RSA Signatures using SHA2 provided by different ssh-agent are not properly verified

Damien Miller djm at mindrot.org
Fri Nov 10 11:11:55 AEDT 2017


could you please file a bug for this, I'll take a look.

On Thu, 9 Nov 2017, Jakub Jelen wrote:

> Hello,
> as a follow-up on my mail some time last month where we were facing
> weird issues when authenticating to new OpenSSH servers, I went down
> the road to investigate what is really going on there and I found out
> that even though all the logs in client and server happily say that the
>  SHA2 extension is used, under the hood there is just SHA1. This is
> because the different agents are ignoring the flags passed with the
> signature request. This can be simply reproduced with the following
> patch, which dumps the actual hash algorithm used in the signature
> itself:
> 
> https://gist.github.com/Jakuje/b1f7161d89472c4b6a3e2024675b0b46
> 
> The issue can be simply reproduced by running ssh-agent from gnome-
> keyring (pageant or others should do the same) and connect to the
> server with the above patch. In the server log, we can notice the
> following messages (where hash_alg=1 is SSH_DIGEST_SHA1):
> 
> debug1: Verifying signature with ktype=ssh-rsa and hash_alg=1
> debug2: userauth_pubkey: authenticated 1 pkalg rsa-sha2-512
> 
> So even though all the current messages say that sha2 is used,
> something else is going on here. Nor client nor server is verifying
> that the signature itself is done using the requested algorithm.
> 
> So how to get around that?
> 
> The most robust solution would be to use ssh-agent extension protocol
> to negotiate these extensions also with the agent. The downside of this
> is that current implementations do not know the extension messages and
> fail if I remember well the gnome-keyring behavior. This would allow us
> to know what signature will be used in advance.
> 
> Other thing should be checking what signature we got from agent and if
> it is not the one we requested, downgrade the algorithm in the
> authentication packet to reflect the reality (or fail some way?).
> Similar thing should be done also on the server, where the verification
> also does not compare authentication header algorithm and the algorithm
> in the signature itself.
> 
> Is it intentional or did I miss something in my write-up?
> 
> This can be considered as a security issue, because all the logs say
> that stronger algorithm is used even if it is not true.
> 
> Regards,
> -- 
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 


More information about the openssh-unix-dev mailing list