bugzilla-daemon at mindrot.org
2020-Nov-03 11:38 UTC
[Bug 3228] New: A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

Bug ID: 3228
Summary: A client with an ssh agent can login with a revoked certificate
Product: Portable OpenSSH
Version: 8.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: sebelk at gmail.com

A client with an ssh agent can login with a revoked certificate. Steps:

1. On the ssh server (CentOS 8) revoke a client certificate:

    ssh-keygen -k -f /etc/ssh/keys/krl.list -z1 sergio_id_rsa-cert.pub

2. Verify that the client is revoked:

    ssh-keygen -v -Q -f /etc/ssh/keys/krl.list /etc/ssh/keys/sergio_id_rsa-cert.pub
    debug1: KRL version 1 generated at 20201103T104547
    /etc/ssh/keys/sergio_id_rsa-cert.pub (sergio at dublin.ireland.home): REVOKED

3. On an ssh client check that ssh-agent is running:

    pgrep -a ssh-agent
    4487 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/startplasma-x11"

4. From that ssh client try to connect to the ssh server with the revoked certificate:

    ssh -i .ssh/sergio_lxc-cert.pub root at 10.0.3.111
    Last login: Tue Nov 3 11:11:29 2020 from 10.0.3.1
    [root at centos8-neovim ~]#

What one can expect is that the ssh server rejects the attempt, but it does not; the log file has:

    ... Accepted publickey for root from 10.0.3.1 port 48524...

Only after deleting the identity from the agent on the ssh client side does the ssh server reject the agent:

    ssh-add -d /home/sergio/.ssh/id_rsa_SA
    Identity removed: /home/sergio/.ssh/id_rsa_SA
    error: Authentication key ... revoked by file /etc/ssh/keys/krl.list

So, one depends on the good will of the client side to remove the identity from the agent. (The client used in this testing is openssh-8.3p1 on Fedora 32.)

Note: I've found that adding the certificate as plain text in the RevokedKeys file prevents the login immediately, but one can depend on having the complete original certificate on hand.

-- You are receiving this mail because: You are watching the assignee of the bug.
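The client-side check the reporter's procedure was missing, as an added example that is not from the bug thread: list every identity the agent will offer and test each one against the server's KRL, since sshd only rejects the revoked certificate and accepts the next valid identity the agent presents. It uses the real `ssh-add -L` and `ssh-keygen -Q` commands; the KRL path argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit every identity an ssh-agent
# will offer against a server's KRL. Revoking one certificate is only effective
# when no other valid identity remains in the agent, as the thread shows.

# summarize_krl_report: read "ssh-keygen -Q" output (one "<path>: ok" or
# "<path> (comment): REVOKED" line per key) on stdin and print "<revoked> <ok>".
summarize_krl_report() {
    revoked=0
    ok=0
    while IFS= read -r line; do
        case "$line" in
            *": REVOKED") revoked=$((revoked + 1)) ;;
            *": ok")      ok=$((ok + 1)) ;;
        esac
    done
    echo "$revoked $ok"
}

# audit_agent KRL_FILE: dump each identity the running agent holds into its own
# .pub file, check them all against the KRL, and print the per-key report.
# Exit status: 0 = every agent identity is revoked (sshd will refuse all of
# them), 1 = at least one is still accepted, 2 = no agent, identities or report.
audit_agent() {
    krl=$1
    dir=$(mktemp -d) || return 2
    # ssh-add -L exits non-zero (and prints a message) when the agent is empty.
    if ! ssh-add -L > "$dir/all" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    i=0
    while IFS= read -r pub; do
        i=$((i + 1))
        printf '%s\n' "$pub" > "$dir/agent-$i.pub"
    done < "$dir/all"
    # ssh-keygen -Q exits non-zero as soon as one key is revoked; we want the
    # full per-key report, so ignore its status and count the lines instead.
    report=$(ssh-keygen -Q -f "$krl" "$dir"/agent-*.pub 2>/dev/null || true)
    rm -rf "$dir"
    [ -n "$report" ] || return 2
    printf '%s\n' "$report"
    set -- $(printf '%s\n' "$report" | summarize_krl_report)
    [ "$2" -eq 0 ]
}

# Usage (on the client, with the KRL copied from the server): sh audit_agent.sh /path/to/krl.list
if [ "$#" -gt 0 ]; then
    audit_agent "$1"
fi
```

A non-zero count in the second column is the situation from the report: the agent still holds an identity the server accepts.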
bugzilla-daemon at mindrot.org
2020-Nov-03 18:09 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

--- Comment #1 from sebelk at gmail.com ---

Errata: "but one can depend on having the complete original certificate on hand." should be "but one must depend on having the complete original certificate on hand."
bugzilla-daemon at mindrot.org
2020-Nov-03 19:57 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

--- Comment #2 from sebelk at gmail.com ---

Using Debian 9 as ssh server with version 7.4p1: I can login even using plain text in the RevokedKeys file and deleting the private key from the ssh-agent on the client side...
bugzilla-daemon at mindrot.org
2020-Nov-03 21:38 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

--- Comment #3 from sebelk at gmail.com ---

My mistake with my earlier comment: I forgot to reload the service on Debian; however, on CentOS I really double checked that.
bugzilla-daemon at mindrot.org
2020-Nov-04 00:58 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

Damien Miller <djm at mindrot.org> changed:

    What      |Removed |Added
    ----------+--------+------------------
    CC        |        |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---

Please attach a debug log from sshd showing a successful login with the revoked key.
bugzilla-daemon at mindrot.org
2020-Nov-04 14:10 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

--- Comment #5 from sebelk at gmail.com ---

(In reply to Damien Miller from comment #4)
> Please attach a debug log from sshd showing a successful login with
> the revoked key.

Thanks Damien for your fast answer. I've found that the ssh client was trying other available certificates that were cached certificates, and some of them were not revoked; my apologies for the noise. You may want to close the bug report.
bugzilla-daemon at mindrot.org
2020-Nov-05 03:54 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

Damien Miller <djm at mindrot.org> changed:

    What      |Removed |Added
    ----------+--------+------------------
    Resolution|---     |WORKSFORME
    Status    |NEW     |RESOLVED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---

No worries!
bugzilla-daemon at mindrot.org
2021-Mar-03 22:53 UTC
[Bug 3228] A client with an ssh agent can login with a revoked certificate
https://bugzilla.mindrot.org/show_bug.cgi?id=3228

Damien Miller <djm at mindrot.org> changed:

    What      |Removed |Added
    ----------+--------+------------------
    Status    |RESOLVED|CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---

close bugs that were resolved in OpenSSH 8.5 release cycle