maximejeanrey at gmail.com
2024-Nov-12 17:50 UTC
[PATCH 0/2] Specify signature algorithm during server hostkeys prove
From: Maxime Rey <maximejeanrey at gmail.com>
Hello,
I've discovered an issue with sshd when it's configured to use the SSH agent
alongside multiple host keys. Specifically, this problem happens during the
hostkeys-prove-00@openssh.com request, when the server attempts to
demonstrate ownership of the host keys by calling the agent.
The issue occurs because, while processing the hostkeys-prove-00@openssh.com
request, sshd does not specify the signature algorithm in its call to
the agent. As a result, when sshd attempts to verify the response, it
encounters an error due to the missing algorithm specification.
To address this, I have made two contributions:
1 - A modified hostkey-agent.sh regression test that reproduces the issue
under these conditions.
2 - A patch in serverloop.c to correct the error
by ensuring the algorithm is explicitly specified during the
hostkeys-prove-00@openssh.com response.
Thank you for your time and feedback.
Best regards,
Maxime
Maxime Rey (2):
Add test to cover multiple server hostkeys with agent
Specify signature algorithm during server hostkeys prove
regress/hostkey-agent.sh | 31 +++++++++++++++++++++++++++++++
serverloop.c | 3 +++
2 files changed, 34 insertions(+)
--
2.47.0
maximejeanrey at gmail.com
2024-Nov-12 17:50 UTC
[PATCH 1/2] Add test to cover multiple server hostkeys with agent
From: Maxime Rey <maximejeanrey at gmail.com>
This tests the hostkey-prove mechanism in sshd when provided with multiple
host keys managed by the agent
---
regress/hostkey-agent.sh | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 222d424bd..3fa80655e 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -82,6 +82,37 @@ for k in $SSH_CERTTYPES ; do
fi
done
+# Run sshd with multiple keys handeled by agent
+
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+
+mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
+grep -vi 'globalknownhostsfile' $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
+echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy
+echo "GlobalKnownHostsFile=none" >> $OBJ/ssh_proxy
+
+read -p "Doing the multiple keys (y/n)? " answer
+for k in $SSH_KEYTYPES ; do
+ verbose "Addkey type $k"
+ echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
+
+ ( printf 'localhost-with-alias ' ;
+ cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
+done
+
+opts="-oStrictHostKeyChecking=yes -F $OBJ/ssh_proxy"
+SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
+
+if [ $? -ne 0 ]; then
+ fail "Hostkeys-prove error. Unable to proceed"
+fi
+if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ];
then
+ fail "bad SSH_CONNECTION key type $k"
+fi
+
+
+read -p "End (y/n)? " answer
+
trace "kill agent"
${SSHAGENT} -k > /dev/null
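Review bot: the two `read -p` prompts ("Doing the multiple keys (y/n)?" and "End (y/n)?") will block an unattended regress run waiting on stdin, and `answer` is never used; they look like debugging leftovers and should be dropped. Inside the loop, `> $OBJ/known_hosts` truncates the file on every iteration, so only the last type in $SSH_KEYTYPES remains; if a single known key is intended, write it once outside the loop and say so in a comment. The `fail "bad SSH_CONNECTION key type $k"` message runs after the loop, so `$k` names only the last key type regardless of which key failed. The comment should read "handled" rather than "handeled".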
--
2.47.0
maximejeanrey at gmail.com
2024-Nov-12 17:50 UTC
[PATCH 2/2] Specify signature algorithm during server hostkeys prove
From: Maxime Rey <maximejeanrey at gmail.com>
Set sigalg to the correct key algorithm for every key type. This
allows sshd to verify the signing algorithm used by ssh-agent
during the hostkey-prove.
---
serverloop.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/serverloop.c b/serverloop.c
index 757cc6f02..4ef7998cb 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -699,6 +699,9 @@ server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf
**respp)
else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
sigalg = "rsa-sha2-256";
}
+ else
+ sigalg = sshkey_ssh_name(key);
+
debug3_f("sign %s key (index %d) using sigalg %s",
sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
if ((r = sshbuf_put_cstring(sigbuf,
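Review bot: the commit message says sigalg is set "for every key type", but the added `else` only covers the path that skips the block closed by the preceding `}`; if neither KEX_RSA_SHA2_* test matches inside that block (its opening lines are outside the visible context), sigalg can still reach debug3_f as NULL and be logged as "default". Please confirm that case is intended, or give it an explicit value as well. On style, put the `else` on the same line as the closing brace (`} else`), and add a one-line comment saying why the agent path needs an explicit algorithm name here.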
--
2.47.0
Damien Miller
2024-Nov-26 22:03 UTC
[PATCH 0/2] Specify signature algorithm during server hostkeys prove
Thanks, these have all been committed and will be in openssh-10.0.
Thanks especially for writing the regression test.
-d
On Tue, 12 Nov 2024, maximejeanrey at gmail.com wrote:
> From: Maxime Rey <maximejeanrey at gmail.com>
>
> Hello,
>
> I've discovered an issue with sshd when it's configured to use the SSH agent
> alongside multiple host keys. Specifically, this problem happens during the
> hostkeys-prove-00@openssh.com request, when the server attempts to
> demonstrate ownership of the host keys by calling the agent.
>
> The issue occurs because, while processing the hostkeys-prove-00@openssh.com
> request, sshd does not specify the signature algorithm in its call to
> the agent. As a result, when sshd attempts to verify the response, it
> encounters an error due to the missing algorithm specification.
>
> To address this, I have made two contributions:
>
> 1 - A modified hostkey-agent.sh regression test that reproduces the issue
> under these conditions.
> 2 - A patch in serverloop.c to correct the error
> by ensuring the algorithm is explicitly specified during the
> hostkeys-prove-00@openssh.com response.
>
> Thank you for your time and feedback.
>
> Best regards,
> Maxime
>
> Maxime Rey (2):
> Add test to cover multiple server hostkeys with agent
> Specify signature algorithm during server hostkeys prove
>
> regress/hostkey-agent.sh | 31 +++++++++++++++++++++++++++++++
> serverloop.c | 3 +++
> 2 files changed, 34 insertions(+)
>
> --
> 2.47.0