[ https://issues.apache.org/jira/browse/SSHD-1266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zeljko Vukovic updated SSHD-1266:
---------------------------------

Description:

If critical options are included, the OpenSSH certificate can't be read with openssh. In order to reproduce the issue we can use the existing test [https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java#L152] but just add critical options:

{code:java}
final OpenSshCertificate signedCert = OpenSshCertificateBuilder.userCertificate()
        .serial(0L)
        .publicKey(clientPublicKey)
        .id("user01")
        .principals(Collections.singletonList("user01"))
        .criticalOptions(Arrays.asList(
                new OpenSshCertificate.CertificateOption("force-command", "wget url"),
                new OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32")))
        .extensions(Arrays.asList(
                new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-port-forwarding"),
                new OpenSshCertificate.CertificateOption("permit-pty"),
                new OpenSshCertificate.CertificateOption("permit-user-rc")))
        .sign(caKeypair, signatureAlgorithm);
{code}

Once we check such a certificate we get the following error:

{code}
> ssh-keygen -L -f /path/to/cert.pub
Type: ecdsa-sha2-nistp256-cert-...@openssh.com user certificate
Public key: ECDSA-CERT SHA256:0ITcONLKI/H/FNpXZVZMaEYB0STXD4BQNBkSSuDpk5U
Signing CA: ECDSA SHA256:KPz5LunqQBL9hWJx5eDk11T16anJCn40d/g480PfuKw (using ecdsa-sha2-nistp384)
Key ID: "user01"
Serial: 0
Valid: forever
Principals:
        user01
Critical Options:
show_options: buffer error: string is too large
{code}

and similar for the other cert types (RSA, EC, Ed25519). I was tracing this issue and it looks like it is related to this code [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L840] but I was not able to figure out what exactly.

[~alex.sher...@gmail.com] / [~twolf] if you have any hints I am more than open to support and create a PR.

Interestingly, parsing the certificate is working as expected (https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L370) even if I create the certificate directly with ssh-keygen:

{code}
ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
ssh-keygen -f user-key -b 4096 -t rsa
ssh-keygen -s user_ca -I certN -n user -O source-address="127.0.0.1/32" -O force-command="wget url" -V +10d user-key.pub
{code}

This defect is related to the following tickets:
https://issues.apache.org/jira/browse/SSHD-1166
https://issues.apache.org/jira/browse/SSHD-1161

> OpenSSH certificate is not properly encoded when critical options are included
> ------------------------------------------------------------------------------
>
>                 Key: SSHD-1266
>                 URL: https://issues.apache.org/jira/browse/SSHD-1266
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Zeljko Vukovic
>            Priority: Critical
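Added example, not code from the issue or from the MINA SSHD code base: a small Python encoder/decoder for the critical-options and extensions section of an OpenSSH certificate as PROTOCOL.certkeys specifies it. Each option is a name string followed by a data string, and for an option that carries a value (force-command, source-address) the data string in turn wraps the value as a nested string; for a flag option (permit-pty and the other extensions) the data string is empty. The block shows what a decoder does when the nested framing is missing: it reads the first four bytes of the value as a length prefix and fails with the same "string is too large" condition ssh-keygen prints above. The function names, the CertFormatError class and the nested_value=False variant are constructed for this illustration; the option values are the ones from the issue's test. This is one mis-framing that produces that message, not a diagnosis of what the MINA SSHD writer actually emits.

```python
import struct

# Sample options taken from the issue's test (constructed input for this example).
CRITICAL_OPTIONS = [("force-command", "wget url"), ("source-address", "127.0.0.1/32")]
EXTENSIONS = [("permit-X11-forwarding", None), ("permit-pty", None)]


class CertFormatError(ValueError):
    """Raised when a length-prefixed field does not fit its enclosing buffer."""


def put_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf: bytes, pos: int):
    """Read one SSH 'string' at pos; return (payload, position after it)."""
    if pos + 4 > len(buf):
        raise CertFormatError("truncated length prefix")
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if n > len(buf) - pos:
        # The condition ssh-keygen reports as "string is too large".
        raise CertFormatError(f"string is too large ({n} > {len(buf) - pos} bytes left)")
    return buf[pos:pos + n], pos + n


def encode_options(options, nested_value=True) -> bytes:
    """Encode [(name, value-or-None)] as one certificate options section.

    Per PROTOCOL.certkeys each tuple is: string name, string data, with the
    tuples lexically ordered by name.  For an option that carries a value,
    data is itself a string wrapping the value; for a flag option (value None)
    data is the empty string.  nested_value=False is a constructed mis-framing
    that writes the value as a bare string instead of a nested one.
    """
    names = [name for name, _ in options]
    if names != sorted(names):
        raise CertFormatError("options must be lexically ordered by name")
    body = b""
    for name, value in options:
        body += put_string(name.encode())
        if value is None:
            body += put_string(b"")
        elif nested_value:
            body += put_string(put_string(value.encode()))
        else:
            body += put_string(value.encode())
    return put_string(body)  # the whole section is one string in the certificate


def parse_options(section: bytes):
    """Decode an options section back to [(name, value-or-None)]."""
    body, end = get_string(section, 0)
    if end != len(section):
        raise CertFormatError("trailing bytes after options section")
    options, pos = [], 0
    while pos < len(body):
        name, pos = get_string(body, pos)
        data, pos = get_string(body, pos)
        if not data:
            options.append((name.decode(), None))  # flag option, no value
            continue
        value, used = get_string(data, 0)  # value is nested inside data
        if used != len(data):
            raise CertFormatError("trailing bytes inside option data")
        options.append((name.decode(), value.decode()))
    return options


def describe(section: bytes):
    """Parsed options, or an ssh-keygen-style error string."""
    try:
        return parse_options(section)
    except CertFormatError as err:
        return f"show_options: buffer error: {err}"


if __name__ == "__main__":
    print(describe(encode_options(CRITICAL_OPTIONS)))
    print(describe(encode_options(EXTENSIONS)))
    print(describe(encode_options(CRITICAL_OPTIONS, nested_value=False)))
```

To check a suspect certificate the same way, base64-decode the second field of the .pub line and walk it with get_string: key type, nonce, key material, serial, type, key id, principals, validity window, then the critical-options string, whose tuples should decode as above without the inner read overrunning.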