Hello, I'm trying to authenticate from my client using Apache MINA SSHD 2.5.1 with an OpenSSH certificate. I have a signed certificate which I parsed using OpenSshCertificateImpl and created a KeyPair out of it. However the auth fails with:
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : sendInitialServiceRequest(ClientSessionImpl[break-glass@/192.168.1.6:5022]) Send SSH_MSG_SERVICE_REQUEST for ssh-userauth
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : encode(ClientSessionImpl[break-glass@/192.168.1.6:5022]) packet #3 sending command=5[SSH_MSG_SERVICE_REQUEST] len=17
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : encode(ClientSessionImpl[break-glass@/192.168.1.6:5022]) packet #4 sending command=50[SSH_MSG_USERAUTH_REQUEST] len=42
2020-07-17 02:11:20.169 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : handleNewKeys(ClientSessionImpl[break-glass@/192.168.1.6:5022]) sent 1 pending packets
2020-07-17 02:11:20.170 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : handleServiceAccept(ClientSessionImpl[break-glass@/192.168.1.6:5022]) SSH_MSG_SERVICE_ACCEPT service=ssh-userauth
2020-07-17 02:11:20.176 DEBUG 4235 --- [ NioProcessor-2] o.a.s.c.session.ClientUserAuthService : processUserAuth(ClientSessionImpl[break-glass@/192.168.1.6:5022]) Received SSH_MSG_USERAUTH_FAILURE - partial=false, methods=publickey,keyboard-interactive
2020-07-17 02:11:20.176 DEBUG 4235 --- [ NioProcessor-2] o.a.s.c.session.ClientUserAuthService : tryNext(ClientSessionImpl[break-glass@/192.168.1.6:5022]) starting authentication mechanisms: client=[publickey, keyboard-interactive, password], server=[publickey, keyboard-interactive]

*Logs from the server I'm trying to authenticate to:*

sre-bastion-service_1 | debug3: found certificate option "permit-pty" len 0
sre-bastion-service_1 | debug1: cert: key options: pty
sre-bastion-service_1 | debug1: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
sre-bastion-service_1 | Accepted certificate ID "vault-approle-cb8a0183bfb86549cfe4436bb163b52b0102fece03e60ce34a9ef3b03eeb7033" (serial 5407548119571357136) signed by RSA CA SHA256:exuOZzvSLJOi9d2qcaaQtigjOI/W1zHcC+b6WN4KxAo via /etc/ssh/trusted-user-ca-keys.pem
sre-bastion-service_1 | debug3: mm_answer_keyallowed: publickey authentication: RSA-CERT key is allowed
sre-bastion-service_1 | debug3: mm_request_send entering: type 23
sre-bastion-service_1 | debug3: mm_sshkey_verify entering [preauth]
sre-bastion-service_1 | debug3: mm_request_send entering: type 24 [preauth]
sre-bastion-service_1 | debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
sre-bastion-service_1 | debug3: mm_request_receive_expect entering: type 25 [preauth]
sre-bastion-service_1 | debug3: mm_request_receive entering [preauth]
sre-bastion-service_1 | debug3: mm_request_receive entering
sre-bastion-service_1 | debug3: monitor_read: checking request 24
sre-bastion-service_1 | debug3: mm_answer_keyverify: publickey 0x56201808e760 signature unverified
sre-bastion-service_1 | debug1: auth_activate_options: setting new authentication options
sre-bastion-service_1 | debug3: mm_request_send entering: type 25
sre-bastion-service_1 | Failed publickey for break-glass from 172.21.0.1 port 35872 ssh2: RSA-CERT ID vault-approle-cb8a0183bfb86549cfe4436bb163b52b0102fece03e60ce34a9ef3b03eeb7033 (serial 5407548119571357136) CA RSA SHA256:exuOZzvSLJOi9d2qcaaQtigjOI/W1zHcC+b6WN4KxAo
sre-bastion-service_1 | debug2: userauth_pubkey: authenticated 0 pkalg [email protected] [preauth]
sre-bastion-service_1 | debug3: user_specific_delay: user specific delay 0.000ms [preauth]
sre-bastion-service_1 | debug3: ensure_minimum_time_since: elapsed 1.986ms, delaying 5.660ms (requested 7.646ms) [preauth]
sre-bastion-service_1 | debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
sre-bastion-service_1 | debug3: send packet: type 51 [preauth]
sre-bastion-service_1 | debug3: receive packet: type 50 [preauth]

Here is my code:

    // Create the OpenSshCertificate from the signed key from Vault
    String[] parts = vaultSignedSshResponse.getSignedKey().trim().split(" "); // in the attachment signed-cert.txt
    ByteArrayBuffer bab = new ByteArrayBuffer(Base64.getDecoder().decode(parts[1]));
    OpenSshCertificateImpl openSshCertificate = (OpenSshCertificateImpl) bab.getRawPublicKey();

    // try login using a client session
    Security.addProvider(new BouncyCastleProvider());
    KeyPair signedKeyPair = new KeyPair(openSshCertificate, keyPair.getPrivate());
    SshClient sshClient = SshClient.setUpDefaultClient();
    sshClient.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
    sshClient.setHostConfigEntryResolver(HostConfigEntryResolver.EMPTY);
    // sshClient.addPublicKeyIdentity(signedKeyPair);
    sshClient.start();
    try (ClientSession session = sshClient.connect("break-glass", host, 5022)
            .verify(60, TimeUnit.SECONDS)
            .getSession()) {
        session.addPublicKeyIdentity(signedKeyPair);
        session.auth().verify(30, TimeUnit.SECONDS);
        try (ClientChannel channel = session.createChannel(ClientChannel.CHANNEL_SHELL)) {
            channel.setIn(new NoCloseInputStream(System.in));
            channel.setOut(new NoCloseOutputStream(System.out));
            channel.setErr(new NoCloseOutputStream(System.err));
            channel.open();
            channel.waitFor(Collections.singleton(ClientChannelEvent.CLOSED), 0);
        } finally {
            session.close();
        }
    } finally {
        sshClient.stop();
    }

I was able to log in using the sshj library <https://github.com/hierynomus/sshj> (code below); however, we want to use Apache MINA for our project.

    String[] parts = vaultSignedSshResponse.getSignedKey().trim().split(" ");
    PublicKey signedPublicKey = new Buffer.PlainBuffer(Base64.getDecoder().decode(parts[1])).readPublicKey();
    KeyPair generatedKeyPair = new KeyPair(signedPublicKey, keyPair.getPrivate());
    Security.addProvider(new BouncyCastleProvider());
    DefaultConfig defaultConfig = new DefaultConfig();
    SSHClient sshClient = new SSHClient(defaultConfig);
    String result = "";
    sshClient.addHostKeyVerifier(new PromiscuousVerifier());
    sshClient.setConnectTimeout(60000); // timeouts must be set before connect() to take effect
    sshClient.setTimeout(60000);
    sshClient.connect(host, 5022);
    sshClient.authPublickey("break-glass", sshClient.loadKeys(generatedKeyPair));
    Session session = sshClient.startSession();
    final Session.Command cmd = session.exec("ls /etc/ssh/");
    result = new String(IOUtils.readFully(cmd.getInputStream()).toByteArray(), StandardCharsets.UTF_8);
    System.out.println("Result: " + result);
    session.close();

Also attaching the signed-cert.txt, as it is not a security risk since we're still doing a POC. Let me know if I'm doing anything wrong. Any help would be appreciated. Thank you!

--
Thanks and Regards,
Cyril
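Added here as an illustration (not the poster's code and not part of MINA or sshj): a stand-alone Python parser for the blob in a signed-cert.txt line, taking the same "split on space, Base64-decode the second field" step the client code above does, and pulling out the key ID, serial, principals, validity window and CA fingerprint so they can be compared with what sshd logged. The certificate it builds is constructed with toy RSA numbers and a dummy signature (the serial is reused from the log); the names `parse_cert`, `check_cert`, `load_cert_line` and `build_sample_cert_line` are my own.

```python
import base64, hashlib, struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"

def ssh_string(b): return struct.pack(">I", len(b)) + b                        # RFC 4251 "string"
def ssh_mpint(n): return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))  # RFC 4251 "mpint"

class Reader:  # minimal cursor over an SSH wire-format buffer
    def __init__(self, data): self.d, self.o = data, 0
    def u32(self): (v,) = struct.unpack_from(">I", self.d, self.o); self.o += 4; return v
    def u64(self): (v,) = struct.unpack_from(">Q", self.d, self.o); self.o += 8; return v
    def string(self): n = self.u32(); v = self.d[self.o:self.o + n]; self.o += n; return v
    def mpint(self): return int.from_bytes(self.string(), "big")
    def strings(self):  # packed list of strings (principals, extension name/data pairs)
        return [] if self.o >= len(self.d) else [self.string().decode()] + self.strings()

def parse_cert(blob):  # public fields of an rsa-cert-v01 blob, in PROTOCOL.certkeys order
    r = Reader(blob)
    if r.string() != CERT_TYPE: raise ValueError("not an ssh-rsa-cert-v01 blob")
    r.string()                                                 # nonce
    cert = {"e": r.mpint(), "n": r.mpint(), "serial": r.u64(), "cert_type": r.u32(),
            "key_id": r.string().decode(), "principals": Reader(r.string()).strings(),
            "valid_after": r.u64(), "valid_before": r.u64()}
    r.string()                                                 # critical options
    cert["extensions"] = Reader(r.string()).strings()[::2]     # keep names, drop (empty) data
    r.string()                                                 # reserved
    ca_blob = r.string()                                       # signature key = CA public key blob
    cert["ca_fingerprint"] = "SHA256:" + base64.b64encode(     # same form sshd prints in its log
        hashlib.sha256(ca_blob).digest()).decode().rstrip("=")
    cert["signature"] = r.string()                             # CA signature; not verified here
    return cert

def check_cert(cert, user, trusted_ca, now):  # reasons sshd would refuse this cert for `user`
    checks = [(cert["cert_type"] != 1, "not a user certificate"),
              (cert["ca_fingerprint"] != trusted_ca, "signed by an untrusted CA"),
              (bool(cert["principals"]) and user not in cert["principals"], "principal not listed"),
              (not cert["valid_after"] <= now < cert["valid_before"], "outside validity window")]
    return [msg for bad, msg in checks if bad]

def load_cert_line(line):  # same split as the poster's code: "<type> <base64> [comment]"
    return parse_cert(base64.b64decode(line.split()[1]))

def build_sample_cert_line(valid_after, valid_before):  # constructed sample: toy RSA numbers, dummy signature
    ca = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0DEC0DEC0DEC0DE01)
    body = (ssh_string(CERT_TYPE) + ssh_string(b"\x00" * 32) + ssh_mpint(65537) + ssh_mpint(0xBADCAFE01)
            + struct.pack(">QI", 5407548119571357136, 1) + ssh_string(b"vault-approle-EXAMPLE")
            + ssh_string(ssh_string(b"break-glass")) + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") + ssh_string(ssh_string(b"permit-pty") + ssh_string(b"")) + ssh_string(b"")
            + ssh_string(ca) + ssh_string(ssh_string(b"rsa-sha2-512") + ssh_string(b"\x00" * 8)))
    return "%s %s vault-cert" % (CERT_TYPE.decode(), base64.b64encode(body).decode())
```

If the parsed ID, serial, principal and CA fingerprint match what sshd logged (in the log above it accepted the certificate and only the signature failed to verify), the certificate content is not the problem and the difference to look for is in how the client signs the userauth request.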
