bugzilla-daemon at mindrot.org
2013-Jun-26  03:10 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Zev Weiss <zev at bewilderbeest.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zev at bewilderbeest.net
   Attachment #2125|0                           |1
        is obsolete|                            |
--- Comment #1 from Zev Weiss <zev at bewilderbeest.net> ---
Created attachment 2303
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2303&action=edit
Incomplete patch for sshd to use ssh-agent for hostkeys
From mailing list post:

...assuming things look OK thus far, I'm considering how best to handle
the ssh-keysign problem.  Since it's executed by a user's ssh client, it
won't have the server's SSH_AUTH_SOCK environment variable, so finding the
socket to connect to is slightly tricky -- any problems with changing it to
a (configurable) static, globally-known path?  Assuming not, then there's
the question of *where* that would be configured -- sshd would need to know
it, but ssh-keysign reads ssh_config, not sshd_config; requiring the user
to configure the same path in both seems undesirable, as does having either
one loading the other's config file.  I guess making it compile-time
configurable would sort of work, but also doesn't seem like a great
solution.  Any thoughts or suggestions on this?  Having a static,
configurable socket path does seem nice otherwise, so sshd could just spawn
its own agent passing "-a $SOCKETPATH" if it encounters an encrypted
hostkey on startup, rather than, say, relying on an init script to launch
ssh-agent and export the SSH_AUTH_SOCK variable to sshd (though I suppose
there's really nothing stopping it from doing that anyway without a static
socket path).

This version also (somewhat unnecessarily) bundles public keys into the
sensitive_data struct, but I didn't really see a more appropriate place to
stash those.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2013-Jun-26  03:12 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
--- Comment #2 from Zev Weiss <zev at bewilderbeest.net> ---
djm's mailing list reply:

> I think it is down to adding another ssh_config option to configure a
> well-known agent socket for ssh-keysign or making ssh-keysign read
> sshd_config too. The latter might be desirable, since then it could
> detect which keys are actually in use. That being said, making it read
> ssh_config would be more flexible if people ran multiple ssh instances
> on their hosts. Maybe there is some third option that hasn't occurred
> to me...
bugzilla-daemon at mindrot.org
2013-Jul-05  09:44 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Markus Friedl <markus at openbsd.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markus at openbsd.org
--- Comment #3 from Markus Friedl <markus at openbsd.org> ---
(In reply to Zev Weiss from comment #2)
> djm's mailing list reply:
> 
> > I think it is down to adding another ssh_config option to configure a
> > well-known agent socket for ssh-keysign or making ssh-keysign read
> > sshd_config too. The latter might be desirable, since then it could
> > detect which keys are actually in use. That being said, making it read
> > ssh_config would be more flexible if people ran multiple ssh instances
> > on their hosts. Maybe there is some third option that hasn't occurred
> > to me...
problems:
1) calling both readconf() for ssh_config and sshd_config
   easy fix: rename struct options for either client or server config
2) however: i don't like the idea of having ssh-keysign
   run the parser code while running w/ uid 0
   we should avoid running that much code in a setuid tool...
   perhaps just disallow ssh-keysign for ssh-agent-setups :)
bugzilla-daemon at mindrot.org
2013-Jul-05  09:49 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
--- Comment #4 from Markus Friedl <markus at openbsd.org> ---
oops, i've forgotten that we already have ServerOptions
bugzilla-daemon at mindrot.org
2013-Jul-05  10:08 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
--- Comment #5 from Markus Friedl <markus at openbsd.org> ---
Created attachment 2306
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2306&action=edit
(relative) patch that makes rekey work
bugzilla-daemon at mindrot.org
2013-Jul-05  15:44 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
--- Comment #6 from Markus Friedl <markus at openbsd.org> ---
Created attachment 2307
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2307&action=edit
full patch (against openbsd cvs)
bugzilla-daemon at mindrot.org
2013-Jul-05  23:23 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2307
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2307
full patch (against openbsd cvs)

Looks good

>@@ -1906,9 +1947,11 @@ main(int ac, char **av)
> 	buffer_init(&loginmsg);
> 	auth_debug_reset();
> 
>-	if (use_privsep)
>+	if (use_privsep) {
> 		if (privsep_preauth(authctxt) == 1)
> 			goto authenticated;
>+	} else if (compat20)
>+		auth_conn = ssh_get_authentication_connection();

Should agent use be dependent on a config option or a different
environment variable to SSH_AUTH_SOCK? I'd worry about people restarting
sshd and having it pick up their own agent...
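Review bot: the new `else if (compat20)` arm takes the agent from ssh_get_authentication_connection(), i.e. from whatever SSH_AUTH_SOCK the sshd process inherited, with nothing in the configuration gating it; an admin who restarts sshd from a shell with a personal or forwarded agent gets an sshd that quietly signs with that agent's keys. Gate it on an explicit sshd_config option (a socket path, with the environment variable used only when asked for) and leave auth_conn unset otherwise, which is what the later HostKeyAgent patch in this thread does. The hunk also shows no agent setup on the use_privsep path, which is the default; if that lives in privsep_preauth() or the monitor, a one-line comment at `if (use_privsep) {` would save the next reader the search.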
bugzilla-daemon at mindrot.org
2013-Jul-05  23:25 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
> 2) however: i don't like the idea of having ssh-keysign
>    run the parser code while running w/ uid 0
At least in this case the configs are root-owned.
>    we should avoid running that much code in a setuid tool...
>    perhaps just disallow ssh-keysign for ssh-agent-setups :)
I don't think we would get many complaints about this :)
bugzilla-daemon at mindrot.org
2013-Jul-06  13:48 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
--- Comment #9 from Markus Friedl <markus at openbsd.org> ---
Created attachment 2308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2308&action=edit
full patch, including HostKeyAgent option, no ssh-keysign changes
bugzilla-daemon at mindrot.org
2013-Jul-06  23:45 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2308|                            |ok+
              Flags|                            |
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2308
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2308
full patch, including HostKeyAgent option, no ssh-keysign changes
nice!
bugzilla-daemon at mindrot.org
2013-Jul-07  08:49 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Markus Friedl <markus at openbsd.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2303|0                           |1
        is obsolete|                            |
   Attachment #2306|0                           |1
        is obsolete|                            |
   Attachment #2307|0                           |1
        is obsolete|                            |
   Attachment #2308|0                           |1
        is obsolete|                            |
--- Comment #11 from Markus Friedl <markus at openbsd.org> ---
Created attachment 2309
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2309&action=edit
updated patch (against openbsd cvs)
fixes HostKeyAgent=SSH_AUTH_SOCK and
only opens the agent connection if HostKeyAgent
is actually configured.
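The exchange that HostKeyAgent sets up (comments #7 and #11), as an added example in Go that is not code from the bug's attachments or from OpenSSH: an in-process "agent" holds an Ed25519 host key, and an sshd-like client sends SSH_AGENTC_SIGN_REQUEST over a net.Pipe connection and verifies the returned signature under the host public key, so the daemon never touches the private key. The wire format (uint32-length SSH strings, message numbers 13, 14 and 5) is the real ssh-agent protocol; the key pair, the "exchange hash" bytes and the in-process socket are constructed for the example, and the SSH_AGENTC_REQUEST_IDENTITIES round trip is left out because sshd already knows the public key from its unencrypted .pub file.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// ssh-agent protocol message numbers (draft-miller-ssh-agent).
const (
	agentFailure      = 5
	agentcSignRequest = 13
	agentSignResponse = 14
)

// sshString encodes an SSH wire "string" (uint32 big-endian length, then bytes);
// agent messages are framed the same way, so it doubles as the frame encoder.
func sshString(s []byte) []byte {
	out := make([]byte, 4, 4+len(s))
	binary.BigEndian.PutUint32(out, uint32(len(s)))
	return append(out, s...)
}

// getString reads one SSH wire string (or one agent frame) from r.
func getString(r io.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	s := make([]byte, n)
	_, err := io.ReadFull(r, s)
	return s, err
}

// pubBlob is the public key as sshd reads it from the .pub file: "ssh-ed25519" || key.
func pubBlob(pk ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pk)...)
}

// agent is the only party holding the private key; the sshd side never sees it.
type agent struct{ priv ed25519.PrivateKey }

func (a *agent) handle(req []byte) []byte {
	r := bytes.NewReader(req)
	t, _ := r.ReadByte()
	blob, err1 := getString(r)
	data, err2 := getString(r)
	mine := pubBlob(a.priv.Public().(ed25519.PublicKey))
	if t != agentcSignRequest || err1 != nil || err2 != nil || !bytes.Equal(blob, mine) {
		return []byte{agentFailure} // unsupported request, malformed, or a key we do not hold
	}
	sig := append(sshString([]byte("ssh-ed25519")), sshString(ed25519.Sign(a.priv, data))...)
	return append([]byte{agentSignResponse}, sshString(sig)...)
}

func (a *agent) serve(c net.Conn) {
	defer c.Close()
	for {
		req, err := getString(c)
		if err != nil {
			return
		}
		c.Write(sshString(a.handle(req)))
	}
}

// signViaAgent is the sshd side with HostKeyAgent set: it knows the host public key
// from the unencrypted .pub file and asks the agent to sign data (the KEX exchange hash).
func signViaAgent(c net.Conn, pub ed25519.PublicKey, data []byte) ([]byte, error) {
	req := append([]byte{agentcSignRequest}, sshString(pubBlob(pub))...)
	req = append(req, sshString(data)...)
	req = append(req, 0, 0, 0, 0) // uint32 flags: none
	if _, err := c.Write(sshString(req)); err != nil {
		return nil, err
	}
	resp, err := getString(c)
	if err != nil || len(resp) < 1 || resp[0] != agentSignResponse {
		return nil, errors.New("agent refused to sign")
	}
	sigBlob, err := getString(bytes.NewReader(resp[1:]))
	if err != nil {
		return nil, err
	}
	sr := bytes.NewReader(sigBlob)
	if alg, _ := getString(sr); string(alg) != "ssh-ed25519" {
		return nil, errors.New("unexpected signature algorithm")
	}
	return getString(sr)
}

// demo wires an in-process agent to the sshd side over net.Pipe and reports whether the
// agent's signature verifies under the host public key and a foreign key is refused.
func demo() (bool, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed host key, made at run time
	srv, cli := net.Pipe()
	go (&agent{priv}).serve(srv)
	defer cli.Close()
	h := []byte("constructed stand-in for the KEX exchange hash H")
	sig, err := signViaAgent(cli, pub, h)
	if err != nil {
		return false, err
	}
	foreign, _, _ := ed25519.GenerateKey(rand.Reader) // a key the agent does not hold
	_, errForeign := signViaAgent(cli, foreign, h)
	return ed25519.Verify(pub, h, sig) && errForeign != nil, nil
}

func main() {
	fmt.Println(demo())
}
```

The point Damien raises in comment #7 is handled here by construction: the client is handed a connection and never consults SSH_AUTH_SOCK itself. That matches what the committed option does per comment #11, where sshd opens no agent connection unless HostKeyAgent is configured and uses the SSH_AUTH_SOCK variable only when the option is set to that literal string.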
bugzilla-daemon at mindrot.org
2013-Jul-18  04:35 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2309|                            |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2013-Jul-20  01:13 UTC
[Bug 1974] Support for encrypted host keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1974
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |2076
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
Markus has committed this. It will be in openssh-6.3. Thanks!