bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-10 23:12 UTC
[Bug 2550] New: ssh can't use an in-memory-only certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

            Bug ID: 2550
           Summary: ssh can't use an in-memory-only certificate
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot at hda3.com

I have an ssh certificate authority setup where a user can ssh to it
(forwarding their agent) and when they authenticate, the CA generates a
new ssh cert and adds it directly to their ssh-agent. The cert then shows
up on their agent like so:

$ ssh-add -l
2048 85:0d:c1:cc:50:6b:24:93:74:33:61:88:00:ab:88:dd [Valid until Fri 11 Mar 2016 18:10 UTC, Version 2] (RSA-CERT)

The cert has the appropriate private key embedded in it, but the private
key isn't added separately. Prior to commit
4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8, just having the cert on the
user's agent process worked as expected. After that commit, the user
needs both the private key and the cert (also with the private key)
loaded together to work.

If I try to use just the cert after this commit, I see:

debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen 2769
debug2: input_userauth_pk_ok: fp SHA256:XiFOO+XzZ0m/aWzkQLgxVFI2HJV3abWpNyuIhcEYKuc
debug3: sign_and_send_pubkey: RSA-CERT SHA256:XiFOO+XzZ0m/aWzkQLgxVFI2HJV3abWpNyuIhcEYKuc
debug1: sign_and_send_pubkey: no private key for certificate "[Valid until Fri 11 Mar 2016 18:10 UTC, Version 2]"

If I modify the CA to add both the cert (with private key) and the
private key, so my agent looks like this:

$ ./ssh-add -l
2048 SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs [Valid until Fri 11 Mar 2016 19:08 UTC, Version 2] (RSA)
2048 SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs [Valid until Fri 11 Mar 2016 19:08 UTC, Version 2] (RSA-CERT)

and now I can use those creds to ssh:

debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen 2769
debug2: input_userauth_pk_ok: fp SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs
debug3: sign_and_send_pubkey: RSA-CERT SHA256:nZkpX+sy5o/9r7H5JSilHN6YmQMAipZphtZHgVNA3Gs
debug2: sign_and_send_pubkey: using private key "[Valid until Fri 11 Mar 2016 19:08 UTC, Version 2]" from agent for certificate

My C chops have grown dull in the last 10 months, but I can work up a
patch for this. It seems like, unless there's some particular reason not
to do this, the

    if (key_is_cert(id->key)) { ... }

could also check the private key on the cert..? I'm not sure how that
works with a remote ssh client accessing a forwarded agent.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-10 23:13 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Peter Moody <mindrot at hda3.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|ssh can't use an            |ssh can't use an
                   |in-memory-only certificate  |in-memory-only certificate
                   |                            |that doesn't also have
                   |                            |another in-memory private
                   |                            |key
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-12 03:34 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2798
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2798&action=edit
don't disregard already-certified keys

I think this might fix it.
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-12 04:40 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

--- Comment #2 from Peter Moody <mindrot at hda3.com> ---
nope :(

this works tho:

    if (sshkey_equal_public(id->key, private_id->key) && id == private_id) {

I added a

    debug2("id %p (id %d), private id %p (id %d)", id, id->key->type, private_id, private_id->key->type);

to the match, and this is the -vvv output:

debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen 2769
debug2: input_userauth_pk_ok: fp SHA256:5U6bsClkHE1aWyFRkKbynEtiK8QD3/Nf3cxeUSR+BCA
debug3: sign_and_send_pubkey: RSA-CERT SHA256:5U6bsClkHE1aWyFRkKbynEtiK8QD3/Nf3cxeUSR+BCA
debug2: id 0x7fab613164d0 (id 5), private id 0x7fab613164d0 (id 5)
debug2: sign_and_send_pubkey: using private key "[Valid until Sat 12 Mar 2016 11:55 UTC, Version 2]" from agent for certificate
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).

this is my ssh-agent:

pmoody at pmoody (148) 04:39 (.git 7.2p1) /home/pmoody/src/openssh-portable
$ ./ssh-add -l
2048 SHA256:5U6bsClkHE1aWyFRkKbynEtiK8QD3/Nf3cxeUSR+BCA [Valid until Sat 12 Mar 2016 11:55 UTC, Version 2] (RSA-CERT)
pmoody at pmoody (0) 04:39 (.git 7.2p1) /home/pmoody/src/openssh-portable
$
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-12 04:51 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

--- Comment #3 from Peter Moody <mindrot at hda3.com> ---
sorry, I forgot to include this. here was the output with your patch:

debug1: Offering RSA-CERT public key: [Valid until Sat 12 Mar 2016 11:55 UTC, Version 2]
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa-cert-v01 at openssh.com blen 2769
debug2: input_userauth_pk_ok: fp SHA256:5U6bsClkHE1aWyFRkKbynEtiK8QD3/Nf3cxeUSR+BCA
debug3: sign_and_send_pubkey: RSA-CERT SHA256:5U6bsClkHE1aWyFRkKbynEtiK8QD3/Nf3cxeUSR+BCA
debug1: sign_and_send_pubkey: no private key for certificate "[Valid until Sat 12 Mar 2016 11:55 UTC, Version 2]"
debug1: Trying private key: /home/pmoody/.ssh/id_rsa
debug3: no such identity: /home/pmoody/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/pmoody/.ssh/id_dsa
debug3: no such identity: /home/pmoody/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/pmoody/.ssh/id_ecdsa
debug3: no such identity: /home/pmoody/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/pmoody/.ssh/id_ed25519
debug3: no such identity: /home/pmoody/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-12 18:51 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2798|0                           |1
        is obsolete|                            |

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2799
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2799&action=edit
attempt 2: try cert if no separate key matches

Try this one instead - it just falls back to using the certificate
directly if no other private key matches.
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-12 20:03 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

--- Comment #5 from Peter Moody <mindrot at hda3.com> ---
that works, thanks!
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-14 16:24 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2543
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Committed, this will be in OpenSSH 7.3 - thanks!

commit c38905ba391434834da86abfc988a2b8b9b62477
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Mar 14 16:20:54 2016 +0000

    upstream commit

    unbreak authentication using lone certificate keys in ssh-agent:
    when attempting pubkey auth with a certificate, if no separate
    private key is found among the keys then try with the certificate
    key itself.

    bz#2550 reported by Peter Moody

    Upstream-ID: f939cd76d68e6a9a3d1711b5a943d6ed1e623966

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2543
[Bug 2543] Tracking bug for OpenSSH 7.3 release
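The selection rule the commit message above describes ("if no separate private key is found among the keys then try with the certificate key itself"), as an added example that is not OpenSSH's own code. It models the client-side lookup that decides which agent identity signs for an offered certificate, once as the 7.2p1 behaviour the report describes and once with the fallback from attachment 2799. The `struct identity`, the string comparison standing in for `sshkey_equal_public()`, and the three sample agent listings are all constructed for illustration:

```c
/*
 * Added example, not OpenSSH code: a simplified model of how the ssh client
 * picks a private key to sign with when the identity it offers is a
 * certificate. The identity struct, the string comparison standing in for
 * sshkey_equal_public(), and the sample agent contents are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct identity {
    const char *pubkey;   /* stands in for the public key blob */
    bool is_cert;         /* entry is a *-CERT wrapping pubkey */
    bool has_private;     /* the agent holds a usable private key for it */
    const char *comment;  /* roughly what `ssh-add -l` shows */
};

/* Stand-in for sshkey_equal_public(): same underlying public key. */
static bool equal_public(const struct identity *a, const struct identity *b)
{
    return strcmp(a->pubkey, b->pubkey) == 0;
}

/*
 * Behaviour reported in this bug (7.2p1): a certificate can only be signed
 * for by a separate, non-certificate identity whose public key matches.
 * Returns that identity's index, or -1, which is the case that logs
 * "sign_and_send_pubkey: no private key for certificate".
 */
static int find_signer_old(const struct identity *ids, size_t n, size_t which)
{
    const struct identity *id = &ids[which];
    if (!id->is_cert)
        return id->has_private ? (int)which : -1;
    for (size_t i = 0; i < n; i++) {
        if (!ids[i].is_cert && ids[i].has_private && equal_public(id, &ids[i]))
            return (int)i;
    }
    return -1;
}

/*
 * Behaviour after the fix (OpenSSH 7.3): run the same search first, then
 * fall back to the certificate entry itself when the agent holds its key.
 * A certificate with no private key anywhere still fails.
 */
static int find_signer_fixed(const struct identity *ids, size_t n, size_t which)
{
    int found = find_signer_old(ids, n, which);
    if (found >= 0)
        return found;
    const struct identity *id = &ids[which];
    return (id->is_cert && id->has_private) ? (int)which : -1;
}

/* Constructed agent contents mirroring the two `ssh-add -l` listings in the report. */
static const struct identity agent_lone_cert[] = {
    { "RSA-PUBKEY-A", true, true, "[Valid until ..., Version 2] (RSA-CERT)" },
};
static const struct identity agent_key_and_cert[] = {
    { "RSA-PUBKEY-A", false, true, "[Valid until ..., Version 2] (RSA)" },
    { "RSA-PUBKEY-A", true,  true, "[Valid until ..., Version 2] (RSA-CERT)" },
};
/* Constructed: a certificate whose private key is not in the agent at all. */
static const struct identity agent_cert_no_key[] = {
    { "RSA-PUBKEY-B", true, false, "[Valid until ..., Version 2] (RSA-CERT)" },
};

static void report(const char *label, const struct identity *ids, size_t n, size_t which)
{
    int o = find_signer_old(ids, n, which);
    int f = find_signer_fixed(ids, n, which);
    printf("%-14s old: %s\n%-14s fixed: %s\n", label,
           o < 0 ? "no private key for certificate" : ids[o].comment,
           "", f < 0 ? "no private key for certificate" : ids[f].comment);
}

int main(void)
{
    report("lone cert", agent_lone_cert, 1, 0);      /* old fails, fixed signs with the cert */
    report("key + cert", agent_key_and_cert, 2, 1);  /* both pick the separate RSA key */
    report("cert, no key", agent_cert_no_key, 1, 0); /* both fail: nothing to sign with */
    return 0;
}
```

The "key + cert" case shows why the fallback is a safe ordering: when a separate private key is present it is still preferred, so the fix only changes the outcome for the lone-certificate agent that the reporter's CA produces, and a certificate whose private key is absent is rejected exactly as before.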
bugzilla-daemon at bugzilla.mindrot.org
2016-Apr-28 00:50 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Colin Watson <cjwatson at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cjwatson at debian.org

--- Comment #7 from Colin Watson <cjwatson at debian.org> ---
It might not hurt to update the comment above that block too, which in
master still reads:

        /*
         * If the key is an certificate, try to find a matching private key
         * and use it to complete the signature.
         * If no such private key exists, return failure and continue with
         * other methods of authentication.
         */
bugzilla-daemon at bugzilla.mindrot.org
2016-Apr-29 09:20 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Good point, Colin - fixed.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02 00:41 UTC
[Bug 2550] ssh can't use an in-memory-only certificate that doesn't also have another in-memory private key
https://bugzilla.mindrot.org/show_bug.cgi?id=2550

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release