thr3ads.net - openssh bugs - [Bug 2944] New: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com [Dec 2018]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at bugzilla.mindrot.org

2018-Dec-18 11:56 UTC

[Bug 2944] New: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

https://bugzilla.mindrot.org/show_bug.cgi?id=2944

            Bug ID: 2944
           Summary: ssh-agent returns incorrect signature type for
                    rsa-sha2-512-cert-v01 at openssh.com and
                    rsa-sha2-256-cert-v01 at openssh.com
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: daa at open.ch

Created attachment 3216
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3216&action=edit
Patch for authfd.c to consider rsa-sha2-*cert algorithm types to
properly request the signature at the agent

After upgrading to 7.9p1 we encountered the following warnings during
ssh client usage:


agent key RSA-CERT SHA256:IC6hv9VA5eBGO2oW0vRB8zkOvl954JwZ5KHU2lnaHW4
returned incorrect signature type


The detailed output shows the following: 

debug1: Server accepts key: /home/daa/.ssh/id_rsa RSA-CERT
SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M explicit agent
debug3: sign_and_send_pubkey: RSA-CERT
SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M
debug2: sign_and_send_pubkey: using private key
"/home/daa/.ssh/id_rsa"
from agent for certificate
debug3: sign_and_send_pubkey: signing using
rsa-sha2-512-cert-v01 at openssh.com
agent key RSA-CERT SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M
returned incorrect signature type
debug3: sign_and_send_pubkey: signing using
ssh-rsa-cert-v01 at openssh.com
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

Openssh 7.8p1 was only using ssh-rsa-cert-v01 at openssh.com when using
RSA-CERT.

A quick look at the authfd.c file, leads me to the conclusion that the
agent_encode_alg does not properly consider RSA-CERT in the signature
algorithm encoding, so that not a rsa-sha2-* signature is requested at
the ssh-agent.

I've attached a patch fixing this obvious error, please feel free to
adjust the patch if required.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2019-Jan-22 11:13 UTC

head link

[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

https://bugzilla.mindrot.org/show_bug.cgi?id=2944

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #3216|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #3216|0                           |1
           is patch|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

bugzilla-daemon at bugzilla.mindrot.org

2019-Jan-22 11:16 UTC

head link

[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

https://bugzilla.mindrot.org/show_bug.cgi?id=2944

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
A fix for this was committed last year and will be in OpenSSH 8.0. It's
also committed on the stable V_7_9 branch if you want to cherry-pick
it.

https://anongit.mindrot.org/openssh.git/commit/authfd.c?id=007a88b48c97d092ed2f501bbdcb70d9925277be


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

bugzilla-daemon at mindrot.org

2021-Apr-23 05:10 UTC

head link

[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

https://bugzilla.mindrot.org/show_bug.cgi?id=2944

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

openssh bugs - Dec 2018 - [Bug 2944] New: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

[Bug 2944] New: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com

[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com