[
https://issues.apache.org/jira/browse/SSHD-1266?focusedWorklogId=769389&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-769389
]
ASF GitHub Bot logged work on SSHD-1266:
----------------------------------------
Author: ASF GitHub Bot
Created on: 12/May/22 02:13
Start Date: 12/May/22 02:13
Worklog Time Spent: 10m
Work Description: alex-sherwin commented on PR #222:
URL: https://github.com/apache/mina-sshd/pull/222#issuecomment-1124459535
@vukzeka I just pushed a commit
https://github.com/alex-sherwin/mina-sshd/commit/f5966b48e3ac2ab375269aae553c765cf62488cf
It shows how to use testcontainers to build an image w/ ssh-keygen and:
1. How you can use **ssh-keygen** to parse/view an OpenSSH Certificate file and check the exit code
2. How you can use **ssh-keygen** to generate data and copy the contents back to Java (this one is not really that useful for what we're discussing here, I just created it to see how it would be done)
This test is *not* using the testcontainers JUnit automatic test lifecycle
stuff (where you define the `GenericContainer` as a class-level property or
static prop with `@ClassRule` annotations to manage the container lifecycle).
This is because all that stuff is geared towards long-running services, etc.
Instead, the unit test itself is defining the docker image + container,
starting it, and using a custom wait strategy (which checks for exit, but does
not assert the exit code itself), so that the unit test function can inspect
the container exit code and logs and apply junit assertions to them.
If you do add a test using this kind of technique, you should probably set
it up to be a parameterized test like **GenerateOpenSSHClientCertificateTest**
with all the cert type variations.
Issue Time Tracking
-------------------
Worklog Id: (was: 769389)
Time Spent: 3.5h (was: 3h 20m)
> OpenSSH certificate is not properly encoded when critical options are included
> ------------------------------------------------------------------------------
>
> Key: SSHD-1266
> URL: https://issues.apache.org/jira/browse/SSHD-1266
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.8.0
> Reporter: Zeljko Vukovic
> Priority: Minor
> Time Spent: 3.5h
> Remaining Estimate: 0h
>
> If critical options are included when an OpenSSH certificate is created, it
> can't be read with OpenSSH.
>
> In order to reproduce the issue we can use the existing test
> [https://github.com/apache/mina-sshd/blob/master/sshd-core/src/test/java/org/apache/sshd/certificates/GenerateOpenSSHClientCertificateTest.java#L152]
> and just add critical options (as in the example below):
> {code:java}
> final OpenSshCertificate signedCert = OpenSshCertificateBuilder.userCertificate()
>         .serial(0L)
>         .publicKey(clientPublicKey)
>         .id("user01")
>         .principals(Collections.singletonList("user01"))
>         .criticalOptions(Arrays.asList(
>                 new OpenSshCertificate.CertificateOption("force-command", "wget url"),
>                 new OpenSshCertificate.CertificateOption("source-address", "127.0.0.1/32")))
>         .extensions(Arrays.asList(
>                 new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
>                 new OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
>                 new OpenSshCertificate.CertificateOption("permit-port-forwarding"),
>                 new OpenSshCertificate.CertificateOption("permit-pty"),
>                 new OpenSshCertificate.CertificateOption("permit-user-rc")))
>         .sign(caKeypair, signatureAlgorithm);
> {code}
>
> Once we check such a certificate we get the following error:
> {code}
> > ssh-keygen -L -f /path/to/cert.pub
> Type: [email protected] user certificate
> Public key: ECDSA-CERT SHA256:0ITcONLKI/H/FNpXZVZMaEYB0STXD4BQNBkSSuDpk5U
> Signing CA: ECDSA SHA256:KPz5LunqQBL9hWJx5eDk11T16anJCn40d/g480PfuKw (using ecdsa-sha2-nistp384)
> Key ID: "user01"
> Serial: 0
> Valid: forever
> Principals:
> user01
> Critical Options:
> show_options: buffer error: string is too large
> {code}
> and similarly for the other cert types (RSA, EC, Ed25519).
> I was tracing this issue and it looks like it is related to this code
> [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L840]
> but I was not able to figure out what exactly.
>
> Interestingly, parsing the certificate works as expected
> [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L370]
> from code, and also even if I create the certificate directly with ssh-keygen:
> {code:bash}
> ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca
> ssh-keygen -f user-key -b 4096 -t rsa
> ssh-keygen -s user_ca -I certN -n user -O source-address="127.0.0.1/32" -O force-command="wget url" -V +10d user-key.pub
> {code}
>
> [[email protected]] / [~twolf], please, if you have any hints what to check (it
> looks to me that there is something wrong with encoding the certificate option
> data
> [https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/buffer/Buffer.java#L838-L845]
> , like these tuples should be written somehow differently), I am more than
> open to support and create a PR.
> This works as expected for extensions, as these are all empty (do not have
> data), but once we include critical options, which have data, there is the
> mentioned failure
> ([https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L221-L268]
> ).
>
>
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
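To make the encoding difference behind the ticket concrete, here is an added Python sketch (not mina-sshd code) of the options field as PROTOCOL.certkeys lays it out: each tuple is `string name, string data`, and for options that carry a value the data field itself holds a string, so the value is wrapped twice. The `nested=False` path is an assumption about how 2.8.0 wrote the value (only once); it reproduces both observations from the report: extensions without data still parse, and a reader that, like ssh-keygen's `show_options`, reads the inner string fails with "string is too large".

```python
import struct
# Constructed sample mirroring the ticket's builder call (not mina-sshd code).
CRITICAL_OPTIONS = [("force-command", "wget url"), ("source-address", "127.0.0.1/32")]
EXTENSIONS = [("permit-X11-forwarding", None), ("permit-pty", None)]

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, pos: int):
    """One SSH string at pos; the length check is what ssh-keygen reports as 'string is too large'."""
    if pos + 4 > len(buf):
        raise ValueError("buffer error: incomplete message")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if n > len(buf) - pos:
        raise ValueError("buffer error: string is too large")
    return buf[pos:pos + n], pos + n

def encode_options(options, nested=True) -> bytes:
    """Encode (name, value) tuples (lexically ordered by name) as the options
    field. PROTOCOL.certkeys: tuple = string name / string data, and data itself
    holds string value, so a value is wrapped twice; None = no data (extensions).
    nested=False writes the value once: assumed reconstruction of the 2.8.0 bug."""
    body = b""
    for name, value in options:
        if value is None:
            data = b""
        else:
            data = ssh_string(value.encode()) if nested else value.encode()
        body += ssh_string(name.encode()) + ssh_string(data)
    return ssh_string(body)

def decode_options(blob: bytes) -> dict:
    """Parse as OpenSSH does: name, data, then the value string inside data."""
    body, end = read_string(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after options field")
    result, pos = {}, 0
    while pos < len(body):
        name, pos = read_string(body, pos)
        data, pos = read_string(body, pos)
        if not data:
            result[name.decode()] = None
            continue
        value, inner = read_string(data, 0)
        if inner != len(data):
            raise ValueError("trailing bytes in option data")
        result[name.decode()] = value.decode()
    return result
```

With the single-wrapped layout the first four bytes of "wget url" are read as a length prefix, which is exactly the oversized length ssh-keygen complains about.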