bugzilla-daemon at bugzilla.mindrot.org
2018-Dec-18 11:56 UTC
[Bug 2944] New: ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com
https://bugzilla.mindrot.org/show_bug.cgi?id=2944

            Bug ID: 2944
           Summary: ssh-agent returns incorrect signature type for
                    rsa-sha2-512-cert-v01@openssh.com and
                    rsa-sha2-256-cert-v01@openssh.com
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: daa at open.ch

Created attachment 3216
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3216&action=edit
Patch for authfd.c to consider rsa-sha2-*cert algorithm types to properly
request the signature at the agent

After upgrading to 7.9p1 we encountered the following warnings during ssh
client usage:

agent key RSA-CERT SHA256:IC6hv9VA5eBGO2oW0vRB8zkOvl954JwZ5KHU2lnaHW4 returned incorrect signature type

The detailed output shows the following:

debug1: Server accepts key: /home/daa/.ssh/id_rsa RSA-CERT SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M explicit agent
debug3: sign_and_send_pubkey: RSA-CERT SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M
debug2: sign_and_send_pubkey: using private key "/home/daa/.ssh/id_rsa" from agent for certificate
debug3: sign_and_send_pubkey: signing using rsa-sha2-512-cert-v01@openssh.com
agent key RSA-CERT SHA256:lSQIkaEaSCKJLOi5eV0Z+7fR8W/Z1nm1+DHAupcdk5M returned incorrect signature type
debug3: sign_and_send_pubkey: signing using ssh-rsa-cert-v01@openssh.com
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

OpenSSH 7.8p1 was only using ssh-rsa-cert-v01@openssh.com when using RSA-CERT.

A quick look at the authfd.c file leads me to the conclusion that
agent_encode_alg does not properly consider RSA-CERT in the signature
algorithm encoding, so that no rsa-sha2-* signature is requested from the
ssh-agent.

I've attached a patch fixing this obvious error; please feel free to adjust
the patch if required.

--
You are receiving this mail because:
You are watching the assignee of the bug.
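The mismatch reported in the message above, as an added example that is not part of the thread and is not OpenSSH's own code: a simplified model of how a requested algorithm name becomes agent signing flags, with and without the certificate names handled. All function names are hypothetical, the model covers RSA keys only, and the two flag values are the ones defined by the SSH agent protocol.

```c
#include <stdio.h>
#include <string.h>

/* Sign-request flag values defined by the SSH agent protocol. */
#define SSH_AGENT_RSA_SHA2_256 0x02
#define SSH_AGENT_RSA_SHA2_512 0x04

/* Model of the behaviour the report describes: only plain names set a flag. */
static unsigned encode_alg_plain_only(const char *alg) {
    if (strcmp(alg, "rsa-sha2-256") == 0) return SSH_AGENT_RSA_SHA2_256;
    if (strcmp(alg, "rsa-sha2-512") == 0) return SSH_AGENT_RSA_SHA2_512;
    return 0;
}

/* Certificate names map to the same flag as their plain counterpart. */
static unsigned encode_alg_with_certs(const char *alg) {
    if (strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
        return SSH_AGENT_RSA_SHA2_256;
    if (strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
        return SSH_AGENT_RSA_SHA2_512;
    return encode_alg_plain_only(alg);
}

/* Signature type a modelled agent emits for an RSA key given the flags. */
static const char *agent_sig_type(unsigned flags) {
    if (flags & SSH_AGENT_RSA_SHA2_512) return "rsa-sha2-512";
    if (flags & SSH_AGENT_RSA_SHA2_256) return "rsa-sha2-256";
    return "ssh-rsa"; /* no flag set: legacy SHA-1 signature */
}

/* Signature type the client expects for the RSA algorithm it requested. */
static const char *expected_sig_type(const char *alg) {
    if (strncmp(alg, "rsa-sha2-256", 12) == 0) return "rsa-sha2-256";
    if (strncmp(alg, "rsa-sha2-512", 12) == 0) return "rsa-sha2-512";
    return "ssh-rsa";
}

/* 1 when the returned type matches the request, 0 when the client warns. */
static int sigtype_ok(unsigned (*encode)(const char *), const char *alg) {
    return strcmp(agent_sig_type(encode(alg)), expected_sig_type(alg)) == 0;
}

int main(void) {
    const char *alg = "rsa-sha2-512-cert-v01@openssh.com";
    printf("plain-only mapping ok: %d\n", sigtype_ok(encode_alg_plain_only, alg));
    printf("cert-aware mapping ok: %d\n", sigtype_ok(encode_alg_with_certs, alg));
    return 0;
}
```

With the plain-only mapping the certificate algorithm produces flags 0, so the modelled agent returns an ssh-rsa signature and the type check fails, while the ssh-rsa-cert-v01@openssh.com retry passes, which is the sequence seen in the debug output.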
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 11:13 UTC
[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com
https://bugzilla.mindrot.org/show_bug.cgi?id=2944

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
   Attachment #3216|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #3216|0                           |1
           is patch|                            |

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 11:16 UTC
[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com
https://bugzilla.mindrot.org/show_bug.cgi?id=2944

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
A fix for this was committed last year and will be in OpenSSH 8.0. It's also
committed on the stable V_7_9 branch if you want to cherry-pick it.

https://anongit.mindrot.org/openssh.git/commit/authfd.c?id=007a88b48c97d092ed2f501bbdcb70d9925277be

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 2944] ssh-agent returns incorrect signature type for rsa-sha2-512-cert-v01@openssh.com and rsa-sha2-256-cert-v01@openssh.com
https://bugzilla.mindrot.org/show_bug.cgi?id=2944

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.