tomaswolf commented on issue #650:
URL: https://github.com/apache/mina-sshd/issues/650#issuecomment-2566993238

The server side of user authentication with OpenSshCertificates was not fully implemented, and apparently is lacking tests.

See issue [SSHD-1161](https://issues.apache.org/jira/browse/SSHD-1161).

The real cause of the problem you encounter is in

https://github.com/apache/mina-sshd/blob/7b19f6b678a72bb1ac02a8a852ec301d6791024c/sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java#L95

and

https://github.com/apache/mina-sshd/blob/7b19f6b678a72bb1ac02a8a852ec301d6791024c/sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java#L132

If the key is an OpenSshCertificate, `initVerifier` should be called with `key.getCertPubKey()`, not with `key`.

So, to answer your questions: it happens because there is a bug. There are no dangers to your modification, but it'll work only for RSA keys. The real fix has to be in `UserAuthPublicKey` (server side) so that it works for all key types. Similar to how it's done in

https://github.com/apache/mina-sshd/blob/7b19f6b678a72bb1ac02a8a852ec301d6791024c/sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java#L184-L186

and

https://github.com/apache/mina-sshd/blob/7b19f6b678a72bb1ac02a8a852ec301d6791024c/sshd-core/src/main/java/org/apache/sshd/client/kex/DHGClient.java#L222

Plus there needs to be a test for this.

Note that there are other bits of authenticating with a certificate missing on the server side:

https://github.com/apache/mina-sshd/blob/7b19f6b678a72bb1ac02a8a852ec301d6791024c/sshd-core/src/main/java/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.java#L108-L110


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
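
The key-unwrapping rule from the comment above, as an added example that is not part of the original message and not MINA SSHD code. It uses only the JDK's `java.security.Signature`; `CertLikeKey` and `verificationKey` are hypothetical stand-ins for a certificate key type and the unwrap step, and the payload is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class CertKeyUnwrapDemo {
    // Hypothetical stand-in for a certificate key: a PublicKey that only wraps the user's key.
    static final class CertLikeKey implements PublicKey {
        private final PublicKey certPubKey;
        CertLikeKey(PublicKey certPubKey) { this.certPubKey = certPubKey; }
        PublicKey getCertPubKey() { return certPubKey; }
        @Override public String getAlgorithm() { return "cert-" + certPubKey.getAlgorithm(); }
        @Override public String getFormat() { return null; }
        @Override public byte[] getEncoded() { return null; }
    }

    // Key to hand to the verifier: the wrapped key for certificates, the key itself otherwise.
    static PublicKey verificationKey(PublicKey key) {
        return key instanceof CertLikeKey ? ((CertLikeKey) key).getCertPubKey() : key;
    }

    static boolean verify(String sigAlg, PublicKey key, byte[] data, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance(sigAlg);
            verifier.initVerify(key);
            verifier.update(data);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // in this demo: InvalidKeyException, no provider accepts the wrapper type
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] data = "constructed auth payload".getBytes(StandardCharsets.UTF_8);
        String[][] cases = { { "RSA", "SHA256withRSA" }, { "EC", "SHA256withECDSA" } };
        for (String[] c : cases) {
            KeyPair pair = KeyPairGenerator.getInstance(c[0]).generateKeyPair();
            Signature signer = Signature.getInstance(c[1]);
            signer.initSign(pair.getPrivate());
            signer.update(data);
            byte[] sig = signer.sign();
            PublicKey presented = new CertLikeKey(pair.getPublic());
            // This proves possession of the user key only; the certificate's CA signature,
            // validity period and principals still need their own checks.
            System.out.println(c[0] + " wrapper=" + verify(c[1], presented, data, sig)
                    + " unwrapped=" + verify(c[1], verificationKey(presented), data, sig));
        }
    }
}
```

Because the unwrap happens before the verifier is initialized, the same path serves every key type, which is the property a regression test for this bug would check.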