Public bug reported:
Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream:
Please take a look at line 1936 in the main() function in sshd.c.

    /* Find matching private key */
    for (j = 0; j < options.num_host_key_files; j++) {
        if (sshkey_equal_public(key,
            sensitive_data.host_keys[j])) {
            sensitive_data.host_certificates[j] = key;
            break;
        }
    }

sshkey_equal_public() is trying to compare a cert's pub with a private key,
and it never finds a match, which means sshd cannot use this certificate even
though its private key is in ssh-agent.
I believe it should be comparing a cert's public key with a public key in
sensitive_data as follows.

    /* Find matching private key */
    for (j = 0; j < options.num_host_key_files; j++) {
        if (sshkey_equal_public(key,
            sensitive_data.host_pubkeys[j])) {
            sensitive_data.host_certificates[j] = key;
            break;
        }
    }

https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
Due to this, HostCertificate and HostKeyAgent do not work together in
sshd, and this affects every version of openssh back to Focal, at
least.
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1952421
Title:
Issue on sshd finds correct private key for a certificate when using
ssh-agent
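
The lookup described in the report, as a small stand-alone model. This is an added example, not code from the report or from OpenSSH. It assumes that a host key held only in ssh-agent leaves its host_keys[] slot empty while host_pubkeys[] still holds the public half; struct toy_key, toy_equal_public() and find_slot() are hypothetical names, and the key blobs are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define NUM_HOST_KEY_FILES 2

/* Simplified stand-in for struct sshkey: only the public part is modelled. */
struct toy_key {
    const char *type;   /* key algorithm name */
    const char *pub;    /* constructed placeholder for the public blob */
};

/* Modelled on sshkey_equal_public(): a NULL operand never matches. */
static int toy_equal_public(const struct toy_key *a, const struct toy_key *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a->type, b->type) == 0 && strcmp(a->pub, b->pub) == 0;
}

/* The loop from the report, parameterised on which array is searched. */
static int find_slot(const struct toy_key *cert,
    const struct toy_key *const *slots)
{
    int j;

    for (j = 0; j < NUM_HOST_KEY_FILES; j++) {
        if (toy_equal_public(cert, slots[j]))
            return j;   /* host_certificates[j] would be set here */
    }
    return -1;          /* certificate is left unused */
}

/* Constructed data. Slot 0: private key on disk. Slot 1: key only in agent. */
static const struct toy_key rsa_key    = { "ssh-rsa", "constructed-rsa-blob" };
static const struct toy_key ed_pub     = { "ssh-ed25519", "constructed-ed-blob" };
static const struct toy_key agent_cert = { "ssh-ed25519", "constructed-ed-blob" };
static const struct toy_key *const host_keys[NUM_HOST_KEY_FILES] =
    { &rsa_key, NULL };
static const struct toy_key *const host_pubkeys[NUM_HOST_KEY_FILES] =
    { &rsa_key, &ed_pub };

int main(void)
{
    printf("search host_keys:    slot %d\n", find_slot(&agent_cert, host_keys));
    printf("search host_pubkeys: slot %d\n", find_slot(&agent_cert, host_pubkeys));
    return 0;
}
```

A key whose private half is on disk matches in both arrays, so the difference only shows up for agent-held keys.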