openssh bugs - Sep 2020 - [Bug 3213] New: openssh 8.3p1 will not use any type of RSA key for legacy servers if ssh-rsa is not in PubkeyAcceptedKeyTypes

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

            Bug ID: 3213
           Summary: openssh 8.3p1 will not use any type of RSA key for
                    legacy servers if ssh-rsa is not in
                    PubkeyAcceptedKeyTypes
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: gordon.messmer at gmail.com

Created attachment 3446
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3446&action=edit
return correct key type name when connected to openssh server < 7.8

I could be wrong about all of the following, so let me just prefix
everything with, "To the best of my understanding:"

In OpenSSH 7.8, the semantics of PubkeyAcceptedKeyTypes was changed,
and older servers were marked with SSH_BUG_SIGTYPE.  For older servers,
ssh->kex->server_sig_algs appears to store a list of key types the
server supports, while on newer servers it stores a list of RSA
signature types that are supported.

sshconnect2.c:key_sig_algorithm will return a copy of the name of an
SSH key's type.  For everything except RSA keys, it will filter the
key's type against options.pubkey_key_types, but that doesn't make much
sense, because the key has already been verified to be a permitted type
by sshconnect2.c:pubkey_prepare.  (I haven't gone into the history, but
I'm guessing that this code used to filter against
ssh->kex->server_sig_algs instead.)

In other words, the private key type has already been checked against
the local security policy before key_sig_algorithm is called, so
key_sig_algorithm shouldn't be acting as a filter.  It should be
finding the correct name to refer to the client's key type.

I'd suggest dropping the call to match_list, and instead simply return
sshkey_ssh_name(key) for all non-RSA key types, and for RSA key types
when connecting to a legacy server with SSH_BUG_SIGTYPE set.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

--- Comment #1 from Gordon Messmer <gordon.messmer at gmail.com> ---
For example, I have an rsa-sha2-256 private key.  If I connect to a
server running openssh 7.4, and PubkeyAcceptedKeyTypes=ssh-rsa, then
the key is correctly handled by the openssh 8.3 client.  However, if
PubkeyAcceptedKeyTypes=rsa-sha2-256, then the key cannot be used.  

The openssh 8.3 client accepts the same key and configuration when used
to connect to openssh >= 7.8 servers.


$ ssh-keygen -l -f ~/.ssh/id_rsa_2015-11-02
4096 SHA256:.... gordon (RSA)

$ ssh -oPubkeyAcceptedKeyTypes=ssh-rsa -i ~/.ssh/id_rsa_2015-11-02
openssh74
Enter passphrase for key '/home/gordon/.ssh/id_rsa_2015-11-02': 
gordon at openssh74:~$ logout
Connection to 192.168.122.11 closed.

$ ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-256 -i ~/.ssh/id_rsa_2015-11-02
openssh74
gordon at openssh74's password: 
gordon at openssh74:~$ logout
Connection to 192.168.122.11 closed.

$ ssh -oPubkeyAcceptedKeyTypes=rsa-sha2-256 -i ~/.ssh/id_rsa_2015-11-02
openssh78
Enter passphrase for key '/home/gordon/.ssh/id_rsa_2015-11-02': 
gordon at openssh78$

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Please, have a look to the description in the following comment:

https://bugzilla.redhat.com/show_bug.cgi?id=1881301#c27

I believe this is a bug only in OpenSSH 7.4p1, which is in Debian 9 and
which is the only version that reports wrong server-sig-algs in the
extension. This means, either long-shot to fix this in Debian 9 (by
mostly reverting [1] as we did in RHEL7), the another long shot is
implement a compat fix for this particular openssh version in upstream
(not sure if it is worth it for that old release, but Debian 9 is still
quite common).

[1] https://github.com/openssh/openssh-portable/commit/130f5d

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Gordon Messmer <gordon.messmer at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3446|0                           |1
        is obsolete|                            |

--- Comment #3 from Gordon Messmer <gordon.messmer at gmail.com> ---
Created attachment 3448
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3448&action=edit
Use RSA keys for OpenSSH 7.4 servers, if local policy permits

Jakub Jelen helped me understand the code a little better, and to
understand that the premise of the previous patch was flawed.  This
version more specifically targets the lack of SHA2 hashes in
server-sig-algs when connecting to OpenSSH 7.4.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---
Darren, Damien, can you check this patch if it would make sense for
you? We encountered this now in Fedora, because we disabled SHA1 in
signature algorithms. Others will have the same issue when you will do
the same upstream.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
   Attachment #3448|                            |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3217

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
looks reasonable to me.  Damien?


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
ok me too, but I think the compat code should be in its own function

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3270

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
retarget to 8.6


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3217                        |


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Gordon Messmer <gordon.messmer at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3448|0                           |1
        is obsolete|                            |

--- Comment #8 from Gordon Messmer <gordon.messmer at gmail.com> ---
Created attachment 3476
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3476&action=edit
Use RSA keys for OpenSSH 7.4 servers, if local policy permits

I've rebased the previous patch and moved the compat code to its own
function.

Using a custom config matching Fedora's current default to connect to a
Debian 9 (openssh 7.4) VM, I've verified that an RSA key will be used
successfully with the patch, and will not be attempted without it.

Host 192.168.122.246
        PubkeyAcceptedAlgorithms
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01 at
openssh.com,sk-ecdsa-sha2-nistp256 at
openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at
openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01 at
openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01 at
openssh.com,ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,sk-ssh-ed25519 at
openssh.com,sk-ssh-ed25519-cert-v01 at
openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01 at
openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01 at openssh.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3302


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
retarget after 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|3270                        |


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3270
[Bug 3270] Tracking bug for 8.6 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3476|0                           |1
        is obsolete|                            |
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
   Attachment #3527|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Created attachment 3527
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3527&action=edit
simplified patch

Semi-reversing what I said previously, there is a simpler approach if
the test remains in the function.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3527|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
This has been committed as 4265215d7 and will be in OpenSSH 8.7 -
thanks.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Joey Berkovitz <joeyberkovitz at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joeyberkovitz at gmail.com

--- Comment #12 from Joey Berkovitz <joeyberkovitz at gmail.com> ---
It seems that this fix doesn't entirely resolve the issue. I tested on
Fedora 34 with OpenSSH 8.7p1 and I get an error when using an OpenSSH
certificate to connect to a CentOS 7 server running OpenSSH 7.4p1. The
error message is as follows: `send_pubkey_test: no mutual signature
algorithm`

Adding `PubkeyAcceptedKeyTypes +ssh-rsa` allows the connection to go
through, but I don't think that it should be necessary.

For reference, the cert is of type `ssh-rsa-cert-v01 at openssh.com`. The
public key on the cert is `RSA-CERT SHA256` and the Signing CA uses
`ssh-ed25519`

Please let me know if this can be fixed with a similar compat code
change

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3213

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.