[ https://issues.apache.org/jira/browse/SSHD-1266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zeljko Vukovic updated SSHD-1266:
---------------------------------
    Description: 
If critical options are included, the OpenSSH certificate can't be read with OpenSSH.

 

In order to reproduce the issue we can use the existing test
[https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java#L152]
but just add critical options:

 
{code:java}
final OpenSshCertificate signedCert = OpenSshCertificateBuilder.userCertificate()
        .serial(0L)
        .publicKey(clientPublicKey)
        .id("user01")
        .principals(Collections.singletonList("user01"))
        .criticalOptions(Arrays.asList(
                new OpenSshCertificate.CertificateOption("force-command", "wget url"),
                new OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32")))
        .extensions(Arrays.asList(
                new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-port-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-pty"),
                new OpenSshCertificate.CertificateOption("permit-user-rc")))
        .sign(caKeypair, signatureAlgorithm);
{code}
 

Once we check such a certificate we get the following error:
{code}
> ssh-keygen -L -f /path/to/cert.pub

Type: ecdsa-sha2-nistp256-cert-...@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:0ITcONLKI/H/FNpXZVZMaEYB0STXD4BQNBkSSuDpk5U
        Signing CA: ECDSA SHA256:KPz5LunqQBL9hWJx5eDk11T16anJCn40d/g480PfuKw (using ecdsa-sha2-nistp384)
        Key ID: "user01"
        Serial: 0
        Valid: forever
        Principals: 
                user01
        Critical Options: 
show_options: buffer error: string is too large
{code}
and similar for the other cert types (RSA, EC, Ed25519).

I was tracing this issue and it looks like it is related to this code
[https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L840]
but I was not able to figure out what exactly.

[~alex.sher...@gmail.com] / [~twolf], if you have any hints I am more than open to support and create a PR.

 

Interestingly, parsing a certificate is working as expected
https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L370

even if I create the certificate directly with ssh-keygen:
{code}
ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
ssh-keygen -f user-key -b 4096 -t rsa
ssh-keygen -s user_ca -I certN -n user -O source-address="127.0.0.1/32" -O force-command="wget url" -V +10d user-key.pub
{code}
 

This defect is related to the following tickets:

https://issues.apache.org/jira/browse/SSHD-1166

https://issues.apache.org/jira/browse/SSHD-1161
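As an added illustration (not code from the ticket or from mina-sshd): the layout of the critical-options / extensions section that ssh-keygen's show_options walks, per OpenSSH's PROTOCOL.certkeys, as a small Python encoder and parser. The nest_value=False path is an assumed mis-encoding that writes an option value without its inner length prefix; it is one way to trigger exactly the "string is too large" error quoted above, because the first four bytes of "wget url" are then read as a length.

```python
import struct

def put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf: bytes, off: int):
    """Read one SSH 'string' at off; return (value, new_off). Length cap mirrors OpenSSH's sshbuf limit (128 MB)."""
    if off + 4 > len(buf):
        raise ValueError("buffer error: incomplete message")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if n > 0x8000000 - 4:
        raise ValueError(f"buffer error: string is too large ({n} bytes)")
    if off + 4 + n > len(buf):
        raise ValueError("buffer error: incomplete message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def encode_options(options, nest_value=True) -> bytes:
    """Per option: 'string name' then 'string data', where data itself wraps the
    value in a further string (empty data for flag options such as permit-pty).
    nest_value=False skips that inner wrapping: a constructed mis-encoding."""
    out = b""
    for name, value in options:  # spec also requires names in lexical order
        data = b"" if value is None else (put_string(value.encode()) if nest_value else value.encode())
        out += put_string(name.encode()) + put_string(data)
    return out

def parse_options(section: bytes):
    """Walk a section the way ssh-keygen's show_options does; returns [(name, value-or-None)]."""
    result, off = [], 0
    while off < len(section):
        name, off = get_string(section, off)
        data, off = get_string(section, off)
        if data:
            value, end = get_string(data, 0)
            if end != len(data):
                raise ValueError("buffer error: trailing bytes in option data")
            result.append((name.decode(), value.decode()))
        else:
            result.append((name.decode(), None))
    return result

def parse_error(section: bytes):
    """Error message from parse_options, or None when the section parses cleanly."""
    try:
        parse_options(section)
        return None
    except ValueError as e:
        return str(e)
```

Run parse_error(encode_options([("force-command", "wget url")], nest_value=False)) to see the same "string is too large" message ssh-keygen prints for the ticket's certificate.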

 


> OpenSSH certificate is not properly encoded when critical options are included
> ------------------------------------------------------------------------------
>
>                 Key: SSHD-1266
>                 URL: https://issues.apache.org/jira/browse/SSHD-1266
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Zeljko Vukovic
>            Priority: Critical
>



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
