bugzilla-daemon at mindrot.org
2015-Apr-21 15:28 UTC
[Bug 2387] New: sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

            Bug ID: 2387
           Summary: sshd treats certificate extensions as critical
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bob at veznat.com

sshd is treating certificate extensions as critical and is disallowing logins using certificates with unknown extensions. This is happening with v01 certificates, and actually the bug is quite obvious when looking for it in the code.

While I am abusing this feature somewhat to encode additional data in a certificate such that it is covered by the certificate's signature, this bug has the more serious side effect that it will break backwards compatibility in the future. If OpenSSH adds new cert extensions in a new version, older versions of sshd (all versions prior to 6.8) will reject those certificates even though the extensions are supposed to be optional.

Here's a sample certificate's ssh-keygen output:

        Type: ssh-rsa-cert-v01 at openssh.com user certificate
        Public key: RSA-CERT 1c:fd:36:27:db:48:3f:ad:e2:fe:55:45:67:b1:47:99
        Signing CA: RSA 62:af:90:1b:ef:b1:5a:c9:e0:2a:be:8b:3e:a9:25:18
        Key ID: "bvanzant+stage at brkt.com"
        Serial: 1
        Valid: from 2015-04-21T07:09:30 to 2015-04-21T09:11:30
        Principals:
                ec2-user
                ubuntu
        Critical Options: (none)
        Extensions:
                ca-environment UNKNOWN OPTION (len 5)
                ca-reason UNKNOWN OPTION (len 17)
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty

Notice the two non-standard extensions. When I attempt to use this certificate sshd logs:

        sshd[30925]: error: Certificate critical option "ca-environment" is not supported

The relevant code is at lines 597 and 603 of auth-options.c:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c?annotate=1.65

Notice the fourth parameter is set to 1 in both the critical and extensions cases. This tells parse_option_list to treat the things being parsed as critical. I believe that the call on line 603 should have crit set to 0.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2015-Apr-21 23:36 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
Leaving aside the discussion of this particular bug, if you are adding your own extensions to the certificates you should probably be using your own namespace (ie $foo@$yourdomain, as per RFC4251 section 6), otherwise you risk future breakage if OpenSSH adds a like-named one.
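The two points raised so far, the critical-versus-extension distinction from the bug report and the namespacing advice in comment #1, can be shown together on the wire format itself. The following is an added example written for this thread, not code from OpenSSH: it encodes the certificate's "critical options" and "extensions" sections as the tuple sequence of (string name, string data) that v01 certificates use, then applies the intended policy, rejecting on an unrecognised critical option and ignoring an unrecognised extension. A `fixed=False` switch reproduces the 6.8p1 behaviour described in the report (extensions parsed with crit set to 1). The option names come from the bug report; the data values "stage" and "constructed-value" are made up, and the sets of known names are assumed from the PROTOCOL.certkeys option list of that era.

```python
"""Parse OpenSSH v01 certificate option sections and apply the intended
critical/extension policy. Added example, not OpenSSH code. The data
values below are constructed; the names are those from the bug report."""
import struct

# Names sshd recognised in the OpenSSH 6.x era (assumed from PROTOCOL.certkeys).
KNOWN_CRITICAL = {"force-command", "source-address"}
KNOWN_EXTENSIONS = {
    "permit-X11-forwarding", "permit-agent-forwarding",
    "permit-port-forwarding", "permit-pty", "permit-user-rc",
}


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH string at offset `off`; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_option_list(pairs) -> bytes:
    """Encode [(name, data), ...] as the certificate's tuple sequence.
    Flag-type options (permit-pty etc.) carry an empty data string."""
    return b"".join(ssh_string(n.encode()) + ssh_string(d) for n, d in pairs)


def parse_option_list(blob: bytes, known: set, crit: bool):
    """Same contract as the parse_option_list discussed in the report:
    with crit=True an unknown name is fatal, with crit=False it is skipped.
    Returns (accepted, recognised_names, ignored_names)."""
    recognised, ignored = [], []
    off = 0
    while off < len(blob):
        name, off = read_string(blob, off)
        _data, off = read_string(blob, off)   # value is opaque here
        name = name.decode("ascii")
        if name in known:
            recognised.append(name)
        elif crit:
            return False, recognised, ignored  # unsupported critical option
        else:
            ignored.append(name)
    return True, recognised, ignored


def is_namespaced(name: str) -> bool:
    """Private name in the RFC 4251 section 6 form 'local-part@domain'."""
    local, sep, domain = name.partition("@")
    return bool(local) and bool(sep) and "." in domain


def evaluate_cert(critical_blob: bytes, extensions_blob: bytes, fixed=True):
    """Apply both sections. fixed=False parses extensions with crit=True,
    which is the 6.8p1 behaviour reported in the bug."""
    ok, _, _ = parse_option_list(critical_blob, KNOWN_CRITICAL, crit=True)
    if not ok:
        return {"accepted": False, "ignored_extensions": [], "unnamespaced": []}
    ok, _, ignored = parse_option_list(extensions_blob, KNOWN_EXTENSIONS,
                                       crit=not fixed)
    return {
        "accepted": ok,
        "ignored_extensions": ignored,
        # Unknown names without a @domain suffix risk colliding with a
        # future OpenSSH extension of the same name (comment #1's point).
        "unnamespaced": [n for n in ignored if not is_namespaced(n)],
    }


# Constructed sample sections mirroring the ssh-keygen listing in the report.
CRITICAL = build_option_list([
    ("source-address", ssh_string(b"203.0.113.0/24")),   # constructed value
])
EXTENSIONS = build_option_list([
    ("ca-environment", ssh_string(b"stage")),             # constructed value
    ("ca-reason", ssh_string(b"constructed-value")),      # constructed value
    ("permit-agent-forwarding", b""),
    ("permit-port-forwarding", b""),
    ("permit-pty", b""),
])

if __name__ == "__main__":
    print("6.8p1 behaviour:", evaluate_cert(CRITICAL, EXTENSIONS, fixed=False))
    print("intended behaviour:", evaluate_cert(CRITICAL, EXTENSIONS, fixed=True))
```

Running the block shows the buggy path failing on "ca-environment", the first unknown name, exactly as the logged error does, while the corrected path accepts the certificate, lists the two custom names as ignored, and flags both as unnamespaced; renaming them to something like ca-environment@example.com clears that flag without changing the accept decision.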
bugzilla-daemon at mindrot.org
2015-Apr-21 23:50 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
           Assignee|unassigned-bugs at mindrot.org|djm at mindrot.org
   Attachment #2598|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 2598
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2598&action=edit
accept unrecognised extensions

Yeah, that's wrong. (Do follow Darren's advice though)
bugzilla-daemon at mindrot.org
2015-Apr-21 23:51 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2360
bugzilla-daemon at mindrot.org
2015-Apr-22 01:02 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2598|ok?(dtucker at zip.com.au)    |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2015-Apr-22 01:24 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
committed - this will be in openssh-6.9
bugzilla-daemon at mindrot.org
2015-Apr-22 14:12 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

--- Comment #4 from Bob Van Zant <bob at veznat.com> ---
You guys are fast, thank you. And I'll change the format of my extension names, thank you for pointing that out.
bugzilla-daemon at mindrot.org
2015-Aug-11 13:02 UTC
[Bug 2387] sshd treats certificate extensions as critical
https://bugzilla.mindrot.org/show_bug.cgi?id=2387

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1