alex-sherwin edited a comment on pull request #119:
URL: https://github.com/apache/mina-sshd/pull/119#issuecomment-831957504


   Do you know what is missing from this to make client certificates work?
   
   I've been hacking away for a few nights to try and figure it out, and it 
feels like it nearly works if you simply remove the hard-coded check that only 
allows decoding the host cert variant here 
https://github.com/apache/mina-sshd/commit/47f779f06cb345c7cb706cb81f1214c37dab1fda#diff-4067485581e7df0fec6ea6f408772edbbcd5eb7a1d9833e5ed9130a1de9015d1R74
   
   Then things nearly "just work", but currently I'm trying to debug the 
publickey auth process in https://tools.ietf.org/html/rfc4252#section-7
   
   The mina client will send the RSA-CERT in the first 
SSH_MSG_USERAUTH_REQUEST, and the openssh server accepts it, but the followup 
SSH_MSG_USERAUTH_REQUEST that includes a signature fails on the openssh server 
side with
   
   ```
   debug3: mm_answer_keyverify: publickey 0x7f2e7882b0a0 signature unverified: 
key type does not match
   Failed publickey for user01 from 172.17.0.1 port 64500 ssh2: RSA-CERT 
SHA256:gBrWshYSkWIDTUkeNmUWQaCsyO+NIGVsQljoeL64+bU ID user01 (serial 0) CA RSA 
SHA256:6vk74tKCkS3WqaeL68mM2TMvnCyaFsqt1ac26fktSqQ
   ```
   
   It looks to me like the mina client code is doing all the right things (I 
think); the instructions on https://tools.ietf.org/html/rfc4252#section-7 say 
that "The 'public key blob' may contain certificates", and the changes in this 
PR for Buffer encode the client cert into the Buffer when UserAuthPublicKey 
invokes `buffer.putPublicKey(pubKey)` where pubKey is an 
`OpenSshCertificateImpl` instance
   
   Quick recap:
   
   1. If you disable the hard-coded check that only decodes host certs
   2. Quickly hack `KeyUtils.compareKeys(PublicKey, PublicKey)` so that if two 
`OpenSshCertificate` instances are provided that they are compared
   3. Set up a client whose `KeyPair` is an instance of the client's private key 
and certificate-based public key (the cert-based client pub key is parsed with 
`PublicKeyEntry.parsePublicKeyEntry(str).resolvePublicKey(null, null, null)`)
   4. Connect to an OpenSSH server
   
   It seems to do all the right things (I think), but something appears to be 
wrong with the `SSH_MSG_USERAUTH_REQUEST` that contains a signature, and I'm 
not sure where the right place is to really figure out where this mismatch is.
   
   It's worth noting that if I compare the verbose OpenSSH server-side output 
of an OpenSSH client making a successful client-based RSA-CERT connection with 
that of the mina client, the output is *identical* right up until the error 
from above:
   
   ```
   debug3: mm_answer_keyverify: publickey 0x7f2e7882b0a0 signature unverified: 
key type does not match
   Failed publickey for user01 from 172.17.0.1 port 64500 ssh2: RSA-CERT 
SHA256:gBrWshYSkWIDTUkeNmUWQaCsyO+NIGVsQljoeL64+bU ID user01 (serial 0) CA RSA 
SHA256:6vk74tKCkS3WqaeL68mM2TMvnCyaFsqt1ac26fktSqQ
   ```
   
   All the public keys, signatures and algorithms displayed in the verbose 
OpenSSH server-side output are identical up to here
   
   If you could provide any guidance on what docs to read or any insights on 
what the problem may be, that would be great
   
   Thanks,
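Added example (not from the comment author or the mina-sshd project): a Python model of the publickey exchange the comment is debugging. The client side builds the SSH_MSG_USERAUTH_REQUEST that carries a signature, the server side splits it, prepends the session id to reconstruct the data the signature covers (RFC 4252 section 7), and checks that the identifier inside the signature blob (RFC 4253 section 6.6 encoding) is one the named public key algorithm permits. The cryptographic verification of the blob itself is left out since it needs the RSA key from the blob; the session id, key blob and signature bytes are constructed placeholders, and the algorithm-to-identifier table is an assumption following OpenSSH's documented convention that a certificate signs with its base key's algorithm. Which of these fields actually differs in the mina case is not determined by the comment; the code only shows where a verifier can observe a type mismatch.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Read one RFC 4251 string at offset `off`; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def signed_data(session_id, user, service, pk_algorithm, key_blob):
    """Bytes the client signs for a publickey request with signature (RFC 4252 s.7)."""
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"publickey")
            + b"\x01"                       # boolean TRUE: a signature follows
            + ssh_string(pk_algorithm.encode())
            + ssh_string(key_blob))


def build_userauth_request(user, service, pk_algorithm, key_blob, signature):
    """Client side: wire payload of SSH_MSG_USERAUTH_REQUEST carrying a signature."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(service.encode())
            + ssh_string(b"publickey")
            + b"\x01"
            + ssh_string(pk_algorithm.encode())
            + ssh_string(key_blob)
            + ssh_string(signature))


def parse_userauth_request(payload):
    """Server side: split the payload into its fields (signature is None if absent)."""
    if payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    off = 1
    user, off = read_string(payload, off)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    if method != b"publickey":
        raise ValueError("unexpected auth method")
    has_sig = payload[off] == 1
    off += 1
    pk_algorithm, off = read_string(payload, off)
    key_blob, off = read_string(payload, off)
    signature = None
    if has_sig:
        signature, off = read_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes in request")
    return {"user": user.decode(), "service": service.decode(),
            "pk_algorithm": pk_algorithm.decode(), "key_blob": key_blob,
            "signature": signature}


def parse_signature(sig: bytes):
    """RFC 4253 s.6.6 signature encoding: string identifier, string signature blob."""
    ident, off = read_string(sig, 0)
    blob, off = read_string(sig, off)
    if off != len(sig):
        raise ValueError("trailing bytes in signature")
    return ident.decode(), blob


# Assumption: identifiers a verifier accepts per public key algorithm name, following
# OpenSSH's convention that a certificate key signs with its base key algorithm.
COMPATIBLE = {
    "ssh-rsa": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "ssh-rsa-cert-v01@openssh.com": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "ssh-ed25519": {"ssh-ed25519"},
    "ssh-ed25519-cert-v01@openssh.com": {"ssh-ed25519"},
}


def signature_type_matches(pk_algorithm: str, signature: bytes) -> bool:
    ident, _ = parse_signature(signature)
    return ident in COMPATIBLE.get(pk_algorithm, set())


def server_check(session_id: bytes, payload: bytes):
    """Server side: rebuild the signed data and check the signature identifier.
    Returns (signed_data_bytes, identifier_ok)."""
    req = parse_userauth_request(payload)
    if req["signature"] is None:
        raise ValueError("request has no signature to verify")
    data = signed_data(session_id, req["user"], req["service"],
                       req["pk_algorithm"], req["key_blob"])
    return data, signature_type_matches(req["pk_algorithm"], req["signature"])
```

Running `server_check` on a request whose signature identifier is `rsa-sha2-256` under the `ssh-rsa-cert-v01@openssh.com` algorithm returns `True` for the identifier check, while a signature blob labelled with the certificate algorithm name itself is rejected at this step, before any RSA math runs.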


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


