bugzilla-daemon at mindrot.org
2024-Nov-19 07:23 UTC
[Bug 3752] New: ssh agent with host constraints fails creating a signature
https://bugzilla.mindrot.org/show_bug.cgi?id=3752

            Bug ID: 3752
           Summary: ssh agent with host constraints fails creating a signature
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: t.cools at televic.com

Created attachment 3842
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3842&action=edit
It's a patch file; when applied, I can connect using ssh certificates and host constraints.

Hi,

I've tried using SSH certificates with host constraints in the agent, however I get the following error:

in ssh:
```
debug1: Server accepts key: thibault at emil ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00 at openssh.com with ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
debug2: sign_and_send_pubkey: using private key "thibault at emil" from agent for certificate
debug3: sign_and_send_pubkey: signing using ssh-ed25519-cert-v01 at openssh.com SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
sign_and_send_pubkey: signing failed for ED25519 "thibault at emil" from agent: agent refused operation
```

in ssh-agent:
```
process_sign_request2: refusing use of destination-constrained key to sign an unidentified signature
```

There seems to be a mismatch in the keys used for signing. When host constraints are used, the userauth request is parsed and the key that should do the signing does not seem to match the key that is referenced in the message.
(see: https://github.com/openssh/openssh-portable/blob/V_9_9_P1/ssh-agent.c#L876)

I have a patch, but it's applicable on the ssh client instead of the agent, because it seems to work. See attachments.

If you want to reproduce:
1. Create an agent
2. Have a server that accepts SSH certificates
3. Sign a certificate and add it to the agent with a host constraint
4. Try SSH connection with the server

I am not experienced with the code base and the patch might not be correct, I thought perhaps it could be useful. If I can help, let me know.

Kind regards,
Thibault

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
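The agent-side refusal in the report comes from the check an agent makes before signing with a destination-constrained key: it parses the data the client asks it to sign as a userauth request and only signs if that request is well-formed and names the very key it was asked to use; anything else is an "unidentified signature". The following is an added illustration of that check, written for this page and not code from OpenSSH, the reporter's patch, or ssh-agent itself. It encodes and parses the signed data of the `publickey` and `publickey-hostbound-v00@openssh.com` userauth methods (RFC 4252 section 7 plus the server host key string that the hostbound method appends, per OpenSSH's PROTOCOL file) and shows how a key-blob mismatch, such as a certificate in the request versus a plain key at the agent, leads to a refusal rather than a signature. The session id, key blobs and host key blob are constructed dummies, not real keys.

```python
"""Added example (not OpenSSH code): parse the blob an SSH client asks the agent
to sign for publickey / publickey-hostbound-v00@openssh.com userauth and apply
the consistency check a destination-constrained agent must make before signing."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
HOSTBOUND = "publickey-hostbound-v00@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(data: bytes, off: int):
    """Decode one SSH 'string' at offset; raise on truncation instead of guessing."""
    if off + 4 > len(data):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    if off + n > len(data):
        raise ValueError("truncated string body")
    return data[off:off + n], off + n


def build_userauth_blob(session_id, user, service, method, alg, key_blob, hostkey_blob=None):
    """Build the data that is signed for a publickey userauth request.
    For the hostbound method the server host key is appended to the signed data."""
    out = ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
    out += ssh_string(user) + ssh_string(service) + ssh_string(method.encode())
    out += b"\x01" + ssh_string(alg) + ssh_string(key_blob)  # boolean TRUE = signature present
    if method == HOSTBOUND:
        if hostkey_blob is None:
            raise ValueError("hostbound method requires the server host key")
        out += ssh_string(hostkey_blob)
    return out


def parse_userauth_blob(data: bytes) -> dict:
    """Strictly parse the signed data; any deviation makes the request 'unidentified'."""
    session_id, off = _read_string(data, 0)
    if off >= len(data) or data[off] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    off += 1
    user, off = _read_string(data, off)
    service, off = _read_string(data, off)
    method_raw, off = _read_string(data, off)
    method = method_raw.decode("ascii", "replace")
    if method not in ("publickey", HOSTBOUND):
        raise ValueError(f"unsupported method {method!r}")
    if off >= len(data) or data[off] != 1:
        raise ValueError("signature flag must be TRUE")
    off += 1
    alg, off = _read_string(data, off)
    key_blob, off = _read_string(data, off)
    hostkey = None
    if method == HOSTBOUND:
        hostkey, off = _read_string(data, off)
    if off != len(data):
        raise ValueError("trailing bytes after userauth request")
    return {"session_id": session_id, "user": user, "service": service,
            "method": method, "alg": alg, "key_blob": key_blob, "hostkey": hostkey}


def check_signing_request(data: bytes, signing_key_blob: bytes, expected_hostkey=None) -> str:
    """Decide whether a destination-constrained key may sign `data`.
    Returns "sign" or a "refuse: ..." reason; mirrors the agent's policy in spirit only."""
    try:
        req = parse_userauth_blob(data)
    except ValueError as exc:
        return f"refuse: unidentified signature ({exc})"
    if req["key_blob"] != signing_key_blob:
        # The key named inside the request is not the key we were asked to use with.
        return "refuse: key in request does not match the signing key"
    if expected_hostkey is not None and req["hostkey"] != expected_hostkey:
        return "refuse: destination host key does not match the constraint"
    return "sign"


# Constructed sample values (dummies, not real keys or a real session id).
SESSION_ID = b"\x5a" * 32
PLAIN_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
CERT_BLOB = ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"nonce") + ssh_string(b"\x11" * 32)
HOSTKEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x22" * 32)

REQUEST = build_userauth_blob(SESSION_ID, b"thibault", b"ssh-connection", HOSTBOUND,
                              b"ssh-ed25519-cert-v01@openssh.com", CERT_BLOB, HOSTKEY_BLOB)

if __name__ == "__main__":
    print(check_signing_request(REQUEST, CERT_BLOB, HOSTKEY_BLOB))       # sign
    print(check_signing_request(REQUEST, PLAIN_KEY_BLOB, HOSTKEY_BLOB))  # refuse: key mismatch
    print(check_signing_request(REQUEST[:-3], CERT_BLOB, HOSTKEY_BLOB))  # refuse: unidentified
```

The second call is the situation the report describes from the agent's side: the request carries one key blob (the certificate) while the agent is asked to sign with a different identity, so a constrained agent has no way to tie the signature to a destination and refuses. The third call shows that a merely malformed request is also refused, which is why strict parsing with no tolerance for trailing or truncated data matters for this kind of policy check.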