Public bug reported:
Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream:
Please take a look at line 1936 in main() function in sshd.c.
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
if (sshkey_equal_public(key,
sensitive_data.host_keys[j])) {
sensitive_data.host_certificates[j] = key;
break;
}
}
the sshkey_equal_public() is trying to compare a cert's pub with a private key,
and it never find a match which makes sshd cannot use this certificate even
though its private key is in ssh-agent.
I believe it should be comparing a cert's public key with a public key in
sensitive_data as follow.
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
if (sshkey_equal_public(key,
sensitive_data.host_pubkeys[j])) {
sensitive_data.host_certificates[j] = key;
break;
}
}
https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
Due to this HostCertificate and HostKeyAgent not working together in
sshd and this affects every version of openssh back till Focal, at
least.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1952421
Title:
Issue on sshd finds correct private key for a certificate when using
ssh-agent
Status in openssh package in Ubuntu:
New
Bug description:
Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254
upstream:
Please take a look at line 1936 in main() function in sshd.c.
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
if (sshkey_equal_public(key,
sensitive_data.host_keys[j])) {
sensitive_data.host_certificates[j] = key;
break;
}
}
the sshkey_equal_public() is trying to compare a cert's pub with a private
key, and it never find a match which makes sshd cannot use this certificate
even though its private key is in ssh-agent.
I believe it should be comparing a cert's public key with a public key in
sensitive_data as follow.
/* Find matching private key */
for (j = 0; j < options.num_host_key_files; j++) {
if (sshkey_equal_public(key,
sensitive_data.host_pubkeys[j])) {
sensitive_data.host_certificates[j] = key;
break;
}
}
https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
Due to this HostCertificate and HostKeyAgent not working together in
sshd and this affects every version of openssh back till Focal, at
least.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
