ssh: fix public key and cert authentication compatibility with old clients #261


Closed

Conversation

drakkan
Member

@drakkan drakkan commented Jun 21, 2023

After adding support for rsa-sha2-256/512 on server side some edge cases started to arise with old clients:

  1. public key authentication with gpg-agent < 2.2.6 fails because we receive ssh-rsa as signature format and rsa-sha2-256 or rsa-sha2-512 as algorithm. This is a bug in gpg-agent fixed in this commit: gpg/gnupg@80b775b

  2. certificate authentication fails with OpenSSH 7.2-7.7 because we receive [email protected] as algorithm and rsa-sha2-256 or rsa-sha2-512 as signature format

This is a more scoped version of:

https://go-review.googlesource.com/c/crypto/+/412854

with this patch we only allow the edge cases observed and not any possible variant.

I have compiled from source and tested every version of OpenSSH from 7.1 to 7.9
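To make the two tolerated mismatches concrete, here is an added example (not code from this PR or from x/crypto) of the server-side check the description sketches: the algorithm named in the userauth request is compared with the format string at the head of the signature blob, an exact match or one of the two observed legacy pairs is accepted, and every other combination is rejected. The RSA certificate algorithm name `[email protected]`, the choice of which of the two names to verify with in each legacy case, and the constructed signature bytes are assumptions of this example, not details stated in the PR.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Algorithm names as they appear on the wire: in the public key algorithm
// field of SSH_MSG_USERAUTH_REQUEST and in the format string at the start
// of the signature blob.
const (
	KeyAlgoRSA       = "ssh-rsa"
	KeyAlgoRSASHA256 = "rsa-sha2-256"
	KeyAlgoRSASHA512 = "rsa-sha2-512"
	// Assumed OpenSSH algorithm name for RSA certificates.
	CertAlgoRSAv01 = "[email protected]"
)

var ErrAlgoMismatch = errors.New("ssh: request algorithm and signature format do not match")

func isRSASHA2(name string) bool {
	return name == KeyAlgoRSASHA256 || name == KeyAlgoRSASHA512
}

// ResolveSignatureAlgorithm decides which algorithm the server verifies the
// signature with. Only an exact match and the two observed legacy pairs are
// accepted; every other mismatch is an error, so the tolerance does not
// become a general "any RSA name for any other" downgrade path.
func ResolveSignatureAlgorithm(reqAlgo, sigFormat string) (string, error) {
	switch {
	case reqAlgo == sigFormat:
		return sigFormat, nil
	// gpg-agent < 2.2.6: request says rsa-sha2-*, blob is labelled ssh-rsa.
	// Assumption: the agent hashed with the requested rsa-sha2 algorithm and
	// only mislabelled the blob, so verify with the request algorithm.
	case isRSASHA2(reqAlgo) && sigFormat == KeyAlgoRSA:
		return reqAlgo, nil
	// OpenSSH 7.2-7.7 with certificates: request names the certificate type,
	// blob names rsa-sha2-*; verify with the algorithm the blob declares.
	case reqAlgo == CertAlgoRSAv01 && isRSASHA2(sigFormat):
		return sigFormat, nil
	}
	return "", fmt.Errorf("%w: request %q, signature %q", ErrAlgoMismatch, reqAlgo, sigFormat)
}

// parseSSHString reads one RFC 4251 "string" (uint32 big-endian length
// followed by that many bytes) and returns it with the unread remainder.
func parseSSHString(b []byte) ([]byte, []byte, error) {
	if len(b) < 4 {
		return nil, nil, errors.New("ssh: short length field")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return nil, nil, errors.New("ssh: string length exceeds buffer")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// EncodeSigBlob builds a signature blob as two RFC 4251 strings:
// the format name followed by the raw signature bytes.
func EncodeSigBlob(format string, sig []byte) []byte {
	var l [4]byte
	out := make([]byte, 0, 8+len(format)+len(sig))
	binary.BigEndian.PutUint32(l[:], uint32(len(format)))
	out = append(out, l[:]...)
	out = append(out, format...)
	binary.BigEndian.PutUint32(l[:], uint32(len(sig)))
	out = append(out, l[:]...)
	return append(out, sig...)
}

// CheckUserAuthSignature parses the signature blob from a userauth request
// and returns the algorithm to verify with plus the raw signature, or an
// error for a malformed blob or a name pair that is not tolerated.
func CheckUserAuthSignature(reqAlgo string, blob []byte) (algo string, sig []byte, err error) {
	format, rest, err := parseSSHString(blob)
	if err != nil {
		return "", nil, err
	}
	sig, rest, err = parseSSHString(rest)
	if err != nil {
		return "", nil, err
	}
	if len(rest) != 0 {
		return "", nil, errors.New("ssh: trailing bytes in signature blob")
	}
	algo, err = ResolveSignatureAlgorithm(reqAlgo, string(format))
	if err != nil {
		return "", nil, err
	}
	return algo, sig, nil
}

func main() {
	// Constructed blob imitating the gpg-agent < 2.2.6 case.
	blob := EncodeSigBlob(KeyAlgoRSA, []byte("constructed-signature-bytes"))
	algo, _, err := CheckUserAuthSignature(KeyAlgoRSASHA256, blob)
	fmt.Println("verify with:", algo, "err:", err)
	// Any pair outside the two tolerated ones is rejected.
	_, _, err = CheckUserAuthSignature(KeyAlgoRSASHA256, EncodeSigBlob("ssh-ed25519", nil))
	fmt.Println("err:", err)
}
```

The point of the narrow switch is the same as the PR's "only allow the edge cases observed": a server that accepted any RSA name in the request against any RSA name in the blob would let a client silently pick the weaker hash, so each tolerated pair is spelled out and everything else fails closed.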

@gopherbot
Contributor

This PR (HEAD: 964601a) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/crypto/+/504796 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Uncyclo page for more info

@gopherbot
Contributor

Message from Ian Lance Taylor:

Patch Set 1:

(4 comments)


Please don’t reply on this GitHub thread. Visit golang.org/cl/504796.
After addressing review feedback, remember to publish your drafts!

@drakkan drakkan force-pushed the ssh-sha2-compat branch 2 times, most recently from cae0660 to ad2f81d on June 24, 2023 13:56

After adding support for rsa-sha2-256/512 on server side some edge
cases started to arise with old clients:

1) public key authentication with gpg-agent < 2.2.6 fails because we receive
   ssh-rsa as signature format and rsa-sha2-256 or rsa-sha2-512 as algorithm.
   This is a bug in gpg-agent fixed in this commit:

   gpg/gnupg@80b775b

2) certificate authentication fails with OpenSSH 7.2-7.7 because we receive
   [email protected] as algorithm and rsa-sha2-256 or rsa-sha2-512
   as signature format.

This is a more scoped version of CL 412854, with this patch we only allow
the edge cases observed and not any possible variant.

This patch is tested with every version of OpenSSH from 7.1 to 7.9.

Fixes golang/go#53391
@gopherbot
Contributor

This PR (HEAD: 4abd197) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/crypto/+/504796 to see it.


@gopherbot
Contributor

Message from Nicola Murino:

Patch Set 2:

(5 comments)



@drakkan drakkan closed this Jun 28, 2023
@jakule

jakule commented Jun 28, 2023

@drakkan Why has this issue been closed?

@drakkan
Member Author

drakkan commented Jun 28, 2023

@drakkan Why has this issue been closed?

I sent an updated CL

https://go-review.googlesource.com/c/crypto/+/506835

I hope this one can be merged

@drakkan
Member Author

drakkan commented Jun 28, 2023

@jakule @stanhu please also check this CL

https://go-review.googlesource.com/c/crypto/+/506837

should ensure that incompatibilities with ssh cli are caught sooner
