OpenSSH key problem with OpenSSL 1.1.0i

mancha mancha1 at zoho.com
Wed Aug 29 05:48:42 AEST 2018 

Hi.

A user on #openssh on irc at freenode (nickname Gisle) reported problems
with an OpenSSH RSA private key (OpenSSL-style PEM) after upgrading from
OpenSSL 1.1.0g to OpenSSL 1.1.0i.

*** CAVEAT LECTOR: OpenSSH doesn't yet support OpenSSL 1.1.0+ ***

By the time I realized OpenSSH doesn't support this configuration, I had
debugged the problem. Gisle's distrib, Arch Linux, patches OpenSSH to
allow this combination [1].

My findings might help the OpenSSH team prepare its OpenSSL 1.1.0+
support and help distros already building against OpenSSL 1.1.0+ via
distro patches:

As of OpenSSL 1.1.0i, zero-length passwords are allowed [2]. So,
handlers like PEM_do_header() no longer return PEM_R_BAD_PASSWORD_READ
when passed an encrypted PEM and an empty password.

If an OpenSSH key doesn't successfully decrypt with an empty password,
then it doesn't matter. OpenSSH merely gets a "bad decrypt" error from
OpenSSL rather than a "bad password read" but both get mapped to
SSH_ERR_KEY_WRONG_PASSPHRASE.

However, problems arise when a key "successfully" decrypts with an empty
password. In those cases OpenSSH gets a set of ASN.1 decoding errors
that it maps to SSH_ERR_INVALID_FORMAT. I've created an example of such
a key (see attached: poc.pem with password "mancha").

You can trigger the behavior by trying to use poc.pem for public key
authentication or by trying to change its passphrase (i.e. ssh-keygen
-pf poc.pem).

Relevant OpenSSH code can be found in several places, such as:

--------sshconnect2.c--------
  1363          snprintf(prompt, sizeof prompt,
  1364              "Enter passphrase for key '%.100s': ", id->filename);
  1365          for (i = 0; i <= options.number_of_password_prompts; i++) {
  1366                  if (i == 0)
  1367                          passphrase = "";
  1368                  else {
  1369                          passphrase = read_passphrase(prompt, 0);
  1370                          if (*passphrase == '\0') {
  1371                                  debug2("no passphrase given, try next key");
  1372                                  free(passphrase);
  1373                                  break;
  1374                          }
  1375                  }
  1376                  switch ((r = sshkey_load_private_type(KEY_UNSPEC, id->filename,
-----------------------------

and

--------ssh-keygen.c---------
  1333          /* Try to load the file with empty passphrase. */
  1334          r = sshkey_load_private(identity_file, "", &private, &comment);
  1335          if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) {
  1336                  if (identity_passphrase)
  1337                          old_passphrase = xstrdup(identity_passphrase);
  1338                  else
  1339                          old_passphrase =
  1340                              read_passphrase("Enter old passphrase: ",
  1341                              RP_ALLOW_STDIN);
  1342                  r = sshkey_load_private(identity_file, old_passphrase,
  1343                      &private, &comment);
  1344                  explicit_bzero(old_passphrase, strlen(old_passphrase));
  1345                  free(old_passphrase);
  1346                  if (r != 0)
  1347                          goto badkey;
  1348          } else if (r != 0) {
  1349   badkey:
  1350                  fatal("Failed to load key %s: %s", identity_file, ssh_err(r));
  1351          }
-----------------------------

Cheers,

--mancha (https://twitter.com/mancha140)

PS While preparing this report, Gisle pointed me to a forum of Arch
Linux users who seem to be discussing this [3].

[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/openssl-1.1.0.patch?h=packages/openssh
[2] https://github.com/openssl/openssl/commit/c82c3462267afd
[3] https://bugs.archlinux.org/task/59730
-------------- next part --------------
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7F7D1833C85C619E476F4D3534FC8AF3

PFz3JWUvKSIyfRaMb//hOerAYfxDYwp+Ek7lY+UFH7EbAfItO2rOMHVaIHrR70c5
+2v9obOOoU1hXWXKjGPr5oH0P5wkn997JjJ2w3OK3cBMVeH9CcFwVw7HXcCu+wvR
UGT7rKS16Q34q95aDqoUwZzHQ0aG1AspASFchjuh9CAKfqiWljblILMyqO5xHtz+
/59KdUv6qt/4U8d2OdNSWsBDzcHeKVABsNqD/jRLWOm/WscvffGyjuhwiTFgCcwN
ly2A9W4QqH2QqS+b4kfv5W+TfqF/5UlcqP/cFfT5CMoRXQiDXGQ5TawF7wYUnoRp
ymLDko50Ana1a8CmdVaP15r7y2g+Z4+DF9/elPLV28lQiEUCwOgbYgQHkUjWu+zI
LdUjfFFC1gzfR5t2iSnz6bACEpqeCho0eLLAfGKY2RvEYURoHWzrGCv/7AVLAe3O
9JG2kllfo33EjeCJDvXQUceSU04AqgeVv/4GiMNtl9+mYkFeQi27ofNb3ni3KH2Q
osbCptXtB0/eIuKS1Ubj0d/Nzme5JLQQG347OO3UnfLB7Dc7WKfDj29qG31sf+W4
Swrh7Uf4GC/09oo0DuFRjNZJE1G1IAEVs2xKGr8tWXX6Z8D9gqZeid6F5cbvhcLG
iGgPSEiYrmwAUMkP8K/m2eYSatqDT9XCNxVHsl1godJpbsoJ04g6iuegaXVFWTHs
9vspZuy/4VCb2nWGHUd4nEJDiwwSwJug0n2nd9h1yB5pFMtnlMsowV/D3cL22xyU
S16O0+0YTzRacUqDIMP/iiAsw3r8DpJrBRsjigzo09B76yQnq5BK8jdm86/1RnZY
-----END RSA PRIVATE KEY-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180828/39a79a4f/attachment.asc>

More information about the openssh-unix-dev mailing list