bugzilla-daemon at mindrot.org
2024-Nov-19 07:23 UTC
[Bug 3752] New: ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752
Bug ID: 3752
Summary: ssh agent with host constraints fails creating a signature
Product: Portable OpenSSH
Version: 9.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: t.cools at televic.com
Created attachment 3842
--> https://bugzilla.mindrot.org/attachment.cgi?id=3842&action=edit
It's a patch file; when applied, I can connect using ssh certificates and host constraints.
Hi,
I've tried using SSH certificates with host constraints in the agent; however, I get the following error:
in ssh:
```
debug1: Server accepts key: thibault@emil ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
debug2: sign_and_send_pubkey: using private key "thibault@emil" from agent for certificate
debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01@openssh.com SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
sign_and_send_pubkey: signing failed for ED25519 "thibault@emil" from agent: agent refused operation
```
in ssh-agent:
```
process_sign_request2: refusing use of destination-constrained key to sign an unidentified signature
```
There seems to be a mismatch in the keys used for signing. When host
constraints are used, the userauth request is parsed and the key that
should do the signing does not seem to match the key that is referenced
in the message. (see:
https://github.com/openssh/openssh-portable/blob/V_9_9_P1/ssh-agent.c#L876)
I have a patch, but it's applicable on the ssh client instead of the
agent, because it seems to work. See attachments.
If you want to reproduce:
1. Create an agent
2. Have a server that accepts SSH certificates
3. Sign a certificate and add it to the agent with a host constraint
4. Try SSH connection with the server
I am not experienced with the code base and the patch might not be
correct, I thought perhaps it could be useful. If I can help, let me
know.
Kind regards,
Thibault
--
You are receiving this mail because:
You are watching the assignee of the bug.
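The refusal in the report comes from the agent's gate for destination-constrained keys: before such a key signs anything, the agent must be able to parse the data as a publickey-hostbound-v00@openssh.com userauth request, the key named in that request must be the identity it was asked to use, and the server host key in it must be one the constraint allows. The client-side substitution visible in the debug2 line (signing the certificate with the separately listed plain key) produces a request that names the certificate while the agent is told to sign with the plain key, which is exactly the mismatch. The following is an added Python illustration of both halves, not OpenSSH's code and not talking to a real agent: the wire layout of the signed blob follows the hostbound method as described in OpenSSH's PROTOCOL file, the certificate blob follows the PROTOCOL.certkeys field order with zeroed nonce and signature, the agent's checks and refusal wording are modelled loosely from the log above, and all key material (user key, CA key, host key, the `thibault` principal) is constructed for the example.

```python
import struct
from dataclasses import dataclass

SSH_MSG_USERAUTH_REQUEST = 50
HOSTBOUND = b"publickey-hostbound-v00@openssh.com"
CERT_SUFFIX = b"-cert-v01@openssh.com"
REFUSED = "refusing use of destination-constrained key to sign an unidentified signature"

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire 'string': uint32 length, then bytes

def parse_string(buf: bytes, off: int):
    """Read one SSH string at off; return (bytes, offset after it); error if truncated."""
    n = struct.unpack(">I", buf[off:off + 4])[0]
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def ed25519_blob(pub: bytes) -> bytes:
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)

def ed25519_cert_blob(pub: bytes, ca_pub: bytes, key_id: bytes, principal: bytes) -> bytes:
    """Constructed fixture in ssh-ed25519-cert-v01@openssh.com layout; nonce and CA signature are placeholders."""
    return (ssh_string(b"ssh-ed25519" + CERT_SUFFIX)
            + ssh_string(b"\x00" * 32)          # nonce
            + ssh_string(pub)                    # certified public key
            + struct.pack(">QI", 1, 1)           # serial, type (1 = user cert)
            + ssh_string(key_id)
            + ssh_string(ssh_string(principal))  # valid principals
            + struct.pack(">QQ", 0, 2**64 - 1)   # valid after, valid before
            + ssh_string(b"") * 3                # critical options, extensions, reserved
            + ssh_string(ed25519_blob(ca_pub))   # signature key
            + ssh_string(b"\x00" * 64))          # signature placeholder

def base_key_blob(blob: bytes) -> bytes:
    """The plain key a blob refers to: itself for a key, the embedded key for a cert."""
    typ, off = parse_string(blob, 0)
    if not typ.endswith(CERT_SUFFIX):
        return blob
    _nonce, off = parse_string(blob, off)
    return ed25519_blob(parse_string(blob, off)[0])

@dataclass
class Identity:
    blob: bytes         # public key or certificate blob, as listed by ssh-add -L
    agent_backed: bool  # private half lives in the agent, not in the client

def choose_signing_identity(cert: Identity, identities: list, patched: bool) -> Identity:
    """Client step from the thread: sign a certificate with the plain identity sharing its
    base key. With the fix (patched=True) agent-backed certificates are never swapped."""
    if patched and cert.agent_backed:
        return cert
    for cand in identities:
        if cand is not cert and cand.blob == base_key_blob(cert.blob):
            return cand
    return cert

def build_hostbound_request(session_id, user, alg, key_blob, hostkey_blob) -> bytes:
    """Bytes the client asks the agent to sign for publickey-hostbound-v00@openssh.com."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(HOSTBOUND) + b"\x01"
            + ssh_string(alg) + ssh_string(key_blob) + ssh_string(hostkey_blob))

def agent_sign(identity_blob: bytes, permitted_hostkeys: set, data: bytes) -> str:
    """Gate for a destination-constrained identity: 'signed' only if data parses as a
    hostbound userauth request naming this identity for a permitted server host key."""
    try:
        _sid, off = parse_string(data, 0)
        if data[off] != SSH_MSG_USERAUTH_REQUEST:
            raise ValueError("not a userauth request")
        _user, off = parse_string(data, off + 1)
        _service, off = parse_string(data, off)
        method, off = parse_string(data, off)
        if method != HOSTBOUND or data[off] != 1:
            raise ValueError("not a hostbound publickey request")
        _alg, off = parse_string(data, off + 1)
        key, off = parse_string(data, off)
        hostkey, off = parse_string(data, off)
        if off != len(data):
            raise ValueError("trailing data")
        # The thread's failure: the request names the cert, the signing identity is the plain key.
        if key != identity_blob:
            raise ValueError("key in request is not the signing identity")
    except (ValueError, IndexError, struct.error) as e:
        return f"{REFUSED} ({e})"
    if hostkey not in permitted_hostkeys:
        return "refusing use of destination-constrained key for an unlisted host key"
    return "signed"  # a real agent computes and returns the signature here

def fixtures():
    """Constructed agent contents: plain key plus its certificate (ssh-add -h loads both under
    the constraint) and the host key the constraint permits."""
    user_pub, ca_pub, host_pub = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
    plain = Identity(ed25519_blob(user_pub), agent_backed=True)
    cert = Identity(ed25519_cert_blob(user_pub, ca_pub, b"thibault-cert", b"thibault"), True)
    return plain, cert, ed25519_blob(host_pub)

def demo(patched: bool) -> str:
    """Outcome of the report's scenario with an unpatched or a patched client."""
    plain, cert, server_hostkey = fixtures()
    signer = choose_signing_identity(cert, [plain, cert], patched)
    data = build_hostbound_request(b"\x11" * 32, b"thibault", b"ssh-ed25519" + CERT_SUFFIX,
                                   cert.blob, server_hostkey)
    return agent_sign(signer.blob, {server_hostkey}, data)
```

`demo(False)` reproduces the refusal (the plain key is asked to sign a request that names the certificate); `demo(True)` signs, because the agent-backed certificate is used as its own signing identity. The same gate also rejects a request for a host key outside the constraint and any data that is not a userauth request at all, which is the property destination constraints exist to give a forwarded agent.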
bugzilla-daemon at mindrot.org
2024-Dec-06 09:22 UTC
[Bug 3752] ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org, dtucker at dtucker.net
Attachment #3842 Flags| |ok?(dtucker at dtucker.net)
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3842
--> https://bugzilla.mindrot.org/attachment.cgi?id=3842
It's a patch file; when applied, I can connect using ssh certificates and host constraints.
This looks okay to me.
Context for Darren: this block finds private keys matching certificates
and should be skipped for keys that have agent_fd set because any
agent-backed key already, by definition, has the private key set
bugzilla-daemon at mindrot.org
2024-Dec-06 13:45 UTC
[Bug 3752] ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3842 Flags|ok?(dtucker at dtucker.net) |ok+