[jira] [Created] (SSHD-1266) OpenSSH certificate is not properly encoded when critical options are included

Mon, 09 May 2022 01:41:04 -0700 

Zeljko Vukovic created SSHD-1266:
------------------------------------

             Summary: OpenSSH certificate is not properly encoded when critical 
options are included
                 Key: SSHD-1266
                 URL: https://issues.apache.org/jira/browse/SSHD-1266
             Project: MINA SSHD
          Issue Type: Bug
    Affects Versions: 2.8.0
            Reporter: Zeljko Vukovic


If critical options are included OpenSSH certificate can't be read with openssh.

 

In oder to reproduce issue we can use existing test 
[https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java#L152]
 but just add critical options

 
{code:java}
final OpenSshCertificate signedCert = 
OpenSshCertificateBuilder.userCertificate()                .serial(0L)          
      .publicKey(clientPublicKey)                .id("user01")                
.principals(Collections.singletonList("user01"))                
.criticalOptions(Arrays.asList(                        new 
OpenSshCertificate.CertificateOption("force-command", "wget url"),              
          new OpenSshCertificate.CertificateOption("source-address", 
"127.0.0.1/32")))                .extensions(Arrays.asList(                     
   new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),           
             new 
OpenSshCertificate.CertificateOption("permit-agent-forwarding"),                
        new OpenSshCertificate.CertificateOption("permit-port-forwarding"),     
                   new OpenSshCertificate.CertificateOption("permit-pty"),      
                  new OpenSshCertificate.CertificateOption("permit-user-rc")))  
              .sign(caKeypair, signatureAlgorithm); {code}
 

Once we check such certificate we get following error 
{code:java}
> ssh-keygen -L -f  /path/to/cert.pub 

Type: ecdsa-sha2-nistp256-cert-...@openssh.com user certificate
        Public key: ECDSA-CERT 
SHA256:0ITcONLKI/H/FNpXZVZMaEYB0STXD4BQNBkSSuDpk5U
        Signing CA: ECDSA SHA256:KPz5LunqQBL9hWJx5eDk11T16anJCn40d/g480PfuKw 
(using ecdsa-sha2-nistp384)
        Key ID: "user01"
        Serial: 0
        Valid: forever
        Principals: 
                user01
        Critical Options: 
show_options: buffer error: string is too large {code}
and similar for the other cert types(RSA, EC, Ed25519).

I was tracing this issue and it looks like related to this code 
[https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L840]
 but was not able to figure out what exactly.  

[~alex.sher...@gmail.com] / [~twolf]  if any hints I am more than open to  
support and create PR.

 

This defect is related to the following tickets

https://issues.apache.org/jira/browse/SSHD-1166

https://issues.apache.org/jira/browse/SSHD-1161

 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to