alex-sherwin commented on pull request #119:
URL: https://github.com/apache/mina-sshd/pull/119#issuecomment-836101298


   I've cleaned up an implementation that works well for all currently 
supported OpenSSH certificate formats on my fork (diff preview: 
https://github.com/apache/mina-sshd/compare/master...alex-sherwin:master)
   
   I'm currently just using a hacky integration test that tests all valid 
OpenSSH client cert types against a local OpenSSH sshd daemon (which are all 
working from MINA ssh client now):
   
   * `rsa-sha2-256-cert-...@openssh.com`
   * `rsa-sha2-512-cert-...@openssh.com`
   * `ecdsa-sha2-nistp256-cert-...@openssh.com`
   * `ecdsa-sha2-nistp384-cert-...@openssh.com`
   * `ecdsa-sha2-nistp521-cert-...@openssh.com`
   * `ssh-ed25519-cert-...@openssh.com`
   
   I'm not testing `ssh-dss-cert-...@openssh.com` since it's not enabled in 
OpenSSH by default anymore.
   
   I added a function, `KeyUtils.getCertificateSignatureAlgorithm`, which is 
able to determine the correct value to use for the signature in the signed 
`SSH_MSG_USERAUTH_REQUEST` buffer for the supported certificate types.
   
   It also simply removes the host key type check in the OpenSSH certificate 
decoding, which didn't really need to be there (other than that currently only 
host certs were supported for any functionality). Perhaps this explicit check 
should be moved into the code path for the host key usage (but it appears 
there's already some filtering going on to discover host keys by type, so this 
check seems superficial).
   
   I'd love to clean up the rest of this and make a PR, but since all client 
unit test code I can see uses MINA-based `SshServer` instances to test against, 
I'm not sure how (in the current unit testing patterns) this OpenSSH 
client certificate publickey auth could be covered in unit tests, since the MINA 
sshd server doesn't support OpenSSH client certificates for publickey auth.
   
   Do you have any suggestion for that?  Or will I need to implement the 
server-side portion of this in tandem for the PR?
   
   Thanks,

