bugzilla-daemon at mindrot.org
2024-Nov-19 07:23 UTC
[Bug 3752] New: ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752 Bug ID: 3752 Summary: ssh agent with host constraints fails creating a signature Product: Portable OpenSSH Version: 9.9p1 Hardware: All OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: t.cools at televic.com Created attachment 3842 --> https://bugzilla.mindrot.org/attachment.cgi?id=3842&action=edit It's a patch file; when applied , I can connect using ssh certificates and host constraints. Hi, I've tried using SSH certificates with host constraints in the agent, however I get the following error: in ssh: ``` debug1: Server accepts key: thibault at emil ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ agent debug3: sign_and_send_pubkey: using publickey-hostbound-v00 at openssh.com with ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ debug2: sign_and_send_pubkey: using private key "thibault at emil" from agent for certificate debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01 at openssh.com SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ sign_and_send_pubkey: signing failed for ED25519 "thibault at emil" from agent: agent refused operation ``` in ssh-agent: ``` process_sign_request2: refusing use of destination-constrained key to sign an unidentified signature ``` There seems to be a mismatch in the keys used for signing. When host constraints are used, the userauth request is parsed and the key that should do the signing does not seem to match the key that is referenced in the message. (see: https://github.com/openssh/openssh-portable/blob/V_9_9_P1/ssh-agent.c#L876) I have a patch, but it's applicable on the ssh client instead of the agent, because it seems to work. See attachments. If you want to reproduce: 1. Create an agent 2. Have a server that accepts SSH certificates 3. Sign a certificate and add it to the agent with a host constraint 4. Try SSH connection with the server I am not experienced with the code base and the patch might not be correct, I thought perhaps it could be useful. If I can help, let me know. Kind regards, Thibault -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-06 09:22 UTC
[Bug 3752] ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org, | |dtucker at dtucker.net Attachment #3842| |ok?(dtucker at dtucker.net) Flags| | --- Comment #1 from Damien Miller <djm at mindrot.org> --- Comment on attachment 3842 --> https://bugzilla.mindrot.org/attachment.cgi?id=3842 It's a patch file; when applied , I can connect using ssh certificates and host constraints. This looks okay to me. Context for Darren: this block finds private keys matching certificates and should be skipped for keys that have agent_fd set because any agent-backed key already, by definition, has the private key set -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2024-Dec-06 13:45 UTC
[Bug 3752] ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3842|ok?(dtucker at dtucker.net) |ok+ Flags| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Maybe Matching Threads
- Apple's SSH x OpenSSH (brew) x CTK x Security Key types
- [Bug 3748] New: "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
- LLVM Releases
- DO NOT REPLY [Bug 3752] New: rsync unusable with EncFS filesystem
- [Bug 2550] New: ssh can't use an in-memory-only certificate