[ 
https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=483574&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-483574
 ]

ASF GitHub Bot logged work on SSHD-1053:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Sep/20 22:06
            Start Date: 12/Sep/20 22:06
    Worklog Time Spent: 10m 
      Work Description: FliegenKLATSCH closed pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164






----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 483574)
    Time Spent: 3h 40m  (was: 3.5h)

> Got "key type does not match" when using OpenSSH client and Mina SSHD 
> configured with a host public key cert
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SSHD-1053
>                 URL: https://issues.apache.org/jira/browse/SSHD-1053
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.5.1
>            Reporter: Feng Jiajie
>            Assignee: Lyor Goldstein
>            Priority: Major
>         Attachments: ca, ca.pub, myhost, myhost-cert.pub, myhost.pub
>
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> Hi,
> We configured a Mina SSHD and used server certificates:
>  [https://www.lorier.net/docs/ssh-ca.html]
> Mina SSHD:
> {code:java}
> sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
> sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
> {code}
> When using the OpenSSH client (tested with v7.9 and v8.3) to connect to the Mina 
> SSHD server, the client reports an error:
> {code}
> debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: [email protected],[email protected],[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: MACs stoc: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: compression ctos: none,zlib,[email protected]
> debug2: compression stoc: none,zlib,[email protected]
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: ecdh-sha2-nistp256
> debug1: kex: host key algorithm: [email protected]
> debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate: [email protected] SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1" CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from 2020-08-14T12:48:45 to 2030-08-12T12:53:45
> debug2: Server host certificate hostname: 127.0.0.1
> debug2: Server host certificate hostname: localhost
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file /home/work/.ssh/known_hosts:34
> debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
> debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host certificate.
> debug1: Found CA key in /home/work/.ssh/known_hosts:34
> okok [email protected]
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not match
> {code}
> After debugging the OpenSSH client, we found that the problem was that:
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L270]
>  line 270: 
> {code:c}
> if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
>     ret = SSH_ERR_KEY_TYPE_MISMATCH;
>     goto out;
> }
> {code}
> The `sigtype` value is "[email protected]".
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L61]
>  line 61: 
> {code:c}
> static int
> rsa_hash_id_from_ident(const char *ident)
> {
>     if (strcmp(ident, "ssh-rsa") == 0)
>         return SSH_DIGEST_SHA1;
>     if (strcmp(ident, "rsa-sha2-256") == 0)
>         return SSH_DIGEST_SHA256;
>     if (strcmp(ident, "rsa-sha2-512") == 0)
>         return SSH_DIGEST_SHA512;
>     return -1;
> }
> {code}
> It cannot find "[email protected]", so it returns -1.
> We found that the OpenSSH server's signature function may only ever return the 
> value produced by the `rsa_hash_alg_ident` function:
> {code:c}
> static const char *
> rsa_hash_alg_ident(int hash_alg)
> {
>     switch (hash_alg) {
>     case SSH_DIGEST_SHA1:
>         return "ssh-rsa";
>     case SSH_DIGEST_SHA256:
>         return "rsa-sha2-256";
>     case SSH_DIGEST_SHA512:
>         return "rsa-sha2-512";
>     }
>     return NULL;
> }
> {code}
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L223]
> So I made a simple patch to handle this situation:
> [https://github.com/apache/mina-sshd/pull/158]
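The mismatch the reporter traced can be modelled end to end in a few lines. The following is an added example, not code from the Jira issue, from Apache MINA SSHD or from OpenSSH: it encodes the SSH signature blob (`string ident, string sig`) a server puts into SSH2_MSG_KEX_ECDH_REPLY, derives the identifier from the negotiated host key algorithm by stripping the certificate suffix, and replays the client-side check that `rsa_hash_id_from_ident()` performs. The `-cert-v01@openssh.com` algorithm names are taken from OpenSSH's PROTOCOL.certkeys (the log above garbles them); the raw RSA signature bytes are a constructed stand-in, no real RSA signing takes place. The `buggy=True` path reproduces the reported behaviour (server writes the negotiated certificate name as the identifier); the default path is the behaviour an OpenSSH client accepts.

```python
"""
Added example, not part of the Jira issue, of Apache MINA SSHD or of OpenSSH.

The client negotiates a host key *algorithm*; with a certified host key that is
the "<type>-cert-v01@openssh.com" name from OpenSSH's PROTOCOL.certkeys. The
signature the server sends in SSH2_MSG_KEX_ECDH_REPLY must nevertheless carry
the plain signature identifier ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"): the
OpenSSH client resolves it with rsa_hash_id_from_ident() and otherwise fails
with SSH_ERR_KEY_TYPE_MISMATCH ("key type does not match").
"""
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"

# Plain RSA signature identifiers and the digest each one implies
# (the same table as OpenSSH's rsa_hash_id_from_ident()).
RSA_SIG_DIGEST = {
    "ssh-rsa": "sha1",
    "rsa-sha2-256": "sha256",
    "rsa-sha2-512": "sha512",
}


class KeyTypeMismatch(Exception):
    """Stands in for SSH_ERR_KEY_TYPE_MISMATCH."""


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_string(buf: bytes, off: int):
    """Decode one RFC 4251 string at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def signature_ident_for_hostkey_alg(hostkey_alg: str) -> str:
    """Identifier to write into the signature blob for a negotiated host key
    algorithm: drop the certificate suffix, keep everything else as is."""
    if hostkey_alg.endswith(CERT_SUFFIX):
        return hostkey_alg[:-len(CERT_SUFFIX)]
    return hostkey_alg


def server_sign(hostkey_alg: str, raw_rsa_sig: bytes, buggy: bool = False) -> bytes:
    """Build the signature blob 'string ident, string sig' the server sends.
    raw_rsa_sig is a constructed stand-in for the RSASSA-PKCS1-v1_5 output.
    buggy=True reproduces the reported behaviour: the negotiated certificate
    algorithm name is written as the identifier."""
    ident = hostkey_alg if buggy else signature_ident_for_hostkey_alg(hostkey_alg)
    return ssh_string(ident.encode("ascii")) + ssh_string(raw_rsa_sig)


def client_check_rsa_signature(blob: bytes):
    """Client side, mirroring the check in OpenSSH's ssh_rsa_verify(): parse the
    blob and map the identifier to a digest. Returns (ident, digest, sig)."""
    ident_b, off = parse_ssh_string(blob, 0)
    sig, off = parse_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    ident = ident_b.decode("ascii")
    digest = RSA_SIG_DIGEST.get(ident)
    if digest is None:  # rsa_hash_id_from_ident() returned -1
        raise KeyTypeMismatch("key type does not match: %r" % ident)
    return ident, digest, sig


def outcome(hostkey_alg: str, buggy: bool) -> str:
    """Run one server->client round and report the client's verdict."""
    blob = server_sign(hostkey_alg, b"\x00\x01\x02\x03", buggy=buggy)  # constructed sig bytes
    try:
        ident, digest, _ = client_check_rsa_signature(blob)
    except KeyTypeMismatch as e:
        return "rejected: %s" % e
    return "accepted: %s (%s)" % (ident, digest)


if __name__ == "__main__":
    for alg in ("rsa-sha2-256-cert-v01@openssh.com", "ssh-rsa-cert-v01@openssh.com", "rsa-sha2-256"):
        print("%-36s buggy: %-60s fixed: %s" % (alg, outcome(alg, True), outcome(alg, False)))
```

Running the block prints one line per algorithm; the two certificate names are rejected on the buggy path and accepted on the fixed path, while the plain `rsa-sha2-256` name is accepted either way, which is why the bug only shows up once a host key certificate is configured.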



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
