https://bugzilla.mindrot.org/show_bug.cgi?id=3752
Bug ID: 3752
Summary: ssh agent with host constraints fails creating a signature
Product: Portable OpenSSH
Version: 9.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: [email protected]
Reporter: [email protected]
Created attachment 3842
--> https://bugzilla.mindrot.org/attachment.cgi?id=3842&action=edit
It's a patch file; when applied, I can connect using ssh certificates
and host constraints.
Hi,
I've tried using SSH certificates with host constraints in the agent,
however I get the following error:
in ssh:
```
debug1: Server accepts key: thibault@emil ED25519-CERT
SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ agent
debug3: sign_and_send_pubkey: using [email protected]
with ED25519-CERT SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
debug2: sign_and_send_pubkey: using private key "thibault@emil" from
agent for certificate
debug3: sign_and_send_pubkey: signing using
[email protected]
SHA256:ieHFl8uwTyPo18egdwxbBq+YqmfN6SyE3cE9Hc5ZxiQ
sign_and_send_pubkey: signing failed for ED25519 "thibault@emil" from
agent: agent refused operation
```
in ssh-agent:
```
process_sign_request2: refusing use of destination-constrained key to
sign an unidentified signature
```
There seems to be a mismatch in the keys used for signing. When host
constraints are used, the userauth request is parsed and the key that
should do the signing does not seem to match the key that is referenced
in the message. (see:
https://github.com/openssh/openssh-portable/blob/V_9_9_P1/ssh-agent.c#L876)
I have a patch, but it applies to the ssh client instead of the
agent, because that seems to work. See attachments.
If you want to reproduce:
1. Create an agent
2. Have a server that accepts SSH certificates
3. Sign a certificate and add it to the agent with a host constraint
4. Try SSH connection with the server
I am not experienced with the code base and the patch might not be
correct; I thought perhaps it could be useful. If I can help, let me
know.
Kind regards,
Thibault
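The mismatch the report describes, as an added illustration that is not part of the bug report and not OpenSSH code: the client asks the agent to sign the RFC 4252 section 7 publickey userauth blob, which carries the certificate blob under the cert algorithm name, while the agent identity it asks to sign with is the bare ED25519 key. The script below builds that to-be-signed blob with constructed key bytes and a structurally valid but unsigned placeholder certificate (PROTOCOL.certkeys layout), parses it the way an agent must to identify what a destination-constrained key is being asked to sign, and shows that the embedded key only matches the signing key once the certificate wrapper is stripped to its public key. The `parse_userauth_request` and `strip_cert` functions are this example's own, not ssh-agent's implementation, and the strip-and-compare step is one way to reconcile the two keys, not the fix OpenSSH chose.

```python
import struct

# --- SSH wire-format helpers (RFC 4251 string encoding) ---------------------
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

SSH_MSG_USERAUTH_REQUEST = 50
KEY_ALG = b"ssh-ed25519"
CERT_ALG = b"ssh-ed25519-cert-v01@openssh.com"

def ed25519_pubkey_blob(pk: bytes) -> bytes:
    # RFC 8709: string "ssh-ed25519", string key
    return ssh_string(KEY_ALG) + ssh_string(pk)

def ed25519_cert_blob(pk: bytes, key_id: bytes, ca_pk: bytes) -> bytes:
    # PROTOCOL.certkeys layout. Nonce and CA signature are constructed
    # placeholders: the blob parses correctly but would not verify.
    return (ssh_string(CERT_ALG)
            + ssh_string(b"\x11" * 32)                   # nonce (placeholder)
            + ssh_string(pk)                             # pk
            + struct.pack(">Q", 1)                       # serial
            + struct.pack(">I", 1)                       # type 1 = user cert
            + ssh_string(key_id)                         # key id
            + ssh_string(ssh_string(b"thibault"))        # valid principals
            + struct.pack(">Q", 0)                       # valid after
            + struct.pack(">Q", 0xFFFFFFFFFFFFFFFF)      # valid before
            + ssh_string(b"")                            # critical options
            + ssh_string(b"")                            # extensions
            + ssh_string(b"")                            # reserved
            + ssh_string(ed25519_pubkey_blob(ca_pk))     # signature key
            + ssh_string(ssh_string(KEY_ALG) + ssh_string(b"\x00" * 64)))  # placeholder sig

def userauth_signed_data(session_id: bytes, user: bytes, alg: bytes, key_blob: bytes) -> bytes:
    # RFC 4252 section 7: exactly the bytes the client hands the agent to sign.
    return (ssh_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user)
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x01"                                    # boolean TRUE
            + ssh_string(alg)
            + ssh_string(key_blob))

def parse_userauth_request(data: bytes) -> dict:
    """Parse the to-be-signed blob and recover the key it names.
    This mirrors the RFC 4252 layout, not ssh-agent's own parser."""
    off = 0
    sid, off = read_string(data, off)
    msg = data[off]; off += 1
    user, off = read_string(data, off)
    service, off = read_string(data, off)
    method, off = read_string(data, off)
    flag = data[off]; off += 1
    alg, off = read_string(data, off)
    key_blob, off = read_string(data, off)
    if (msg != SSH_MSG_USERAUTH_REQUEST or service != b"ssh-connection"
            or method != b"publickey" or flag != 1 or off != len(data)):
        raise ValueError("not a publickey userauth request")
    return {"session_id": sid, "user": user, "alg": alg, "key": key_blob}

def strip_cert(key_blob: bytes) -> bytes:
    """Return the bare public key blob behind a cert blob (or the blob itself)."""
    alg, off = read_string(key_blob, 0)
    if alg != CERT_ALG:
        return key_blob
    _nonce, off = read_string(key_blob, off)
    pk, off = read_string(key_blob, off)
    return ed25519_pubkey_blob(pk)

def demo() -> dict:
    # Constructed key material; no real Ed25519 keys are involved.
    pk = bytes(range(32))
    ca_pk = bytes(range(32, 64))
    session_id = b"\x42" * 32
    bare = ed25519_pubkey_blob(pk)                       # what the agent holds
    cert = ed25519_cert_blob(pk, b"thibault@emil", ca_pk)  # what the client offers
    data = userauth_signed_data(session_id, b"thibault", CERT_ALG, cert)
    req = parse_userauth_request(data)
    return {
        "request_key_is_cert": req["alg"] == CERT_ALG,
        "matches_signing_key": req["key"] == bare,        # the mismatch in the report
        "matches_after_strip": strip_cert(req["key"]) == bare,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third result is the point: the agent's identity and the key in the request are the same key pair, but a byte-for-byte comparison of the two blobs fails because one of them is the certificate wrapper.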
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs