** Description changed:

- Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream:
+ Reported as https://bugzilla.mindrot.org/show_bug.cgi?id=3254 upstream
  
- Please take a look at line 1936 in main() function in sshd.c.
+ [Impact]
+
+ * HostCertificate and HostKeyAgent are not working together in sshd due
+ to a mismatched certificate's public key and private key. The function
+ ``sshkey_equal_public()`` incorrectly compares the certificate's public
+ key with a private key, never finding a match. The impact is that sshd
+ cannot use said certificate *even though* its private key is indeed in
+ ssh-agent.
+
+ * What it should do is compare the certificate's public key with a
+ public key in `sensitive_data`.
+
+ * Having this SRU-ed is a direct ask from one of the major cloud partners.
+ They are currently using a customised version of the package to work
+ around this issue, and we would like them to use a package directly from
+ our own archive.
+
+ * Looping through sensitive_data.host_pubkeys[j] *instead* of
+ sensitive_data.host_keys[j] fixes the issue
+
+ [https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936]
  /* Find matching private key */
- for (j = 0; j < options.num_host_key_files; j++) {
- if (sshkey_equal_public(key,
- sensitive_data.host_keys[j])) {
- sensitive_data.host_certificates[j] = key;
- break;
- }
- }
+ for (j = 0; j < options.num_host_key_files; j++) {
+     if (sshkey_equal_public(key,
+         sensitive_data.host_keys[j])) {
+         sensitive_data.host_certificates[j] = key;
+         break;
+     }
+ }
- the sshkey_equal_public() is trying to compare a cert's pub with a private key, and it never finds a match, which means sshd cannot use this certificate even though its private key is in ssh-agent.
- I believe it should be comparing a cert's public key with a public key in sensitive_data as follows.
+ vs.
  /* Find matching private key */
- for (j = 0; j < options.num_host_key_files; j++) {
- if (sshkey_equal_public(key,
- sensitive_data.host_pubkeys[j])) {
- sensitive_data.host_certificates[j] = key;
- break;
- }
- }
+ for (j = 0; j < options.num_host_key_files; j++) {
+     if (sshkey_equal_public(key,
+         sensitive_data.host_pubkeys[j])) {
+         sensitive_data.host_certificates[j] = key;
+         break;
+     }
+ }
+
- https://github.com/openssh/openssh-portable/blob/V_8_4/sshd.c#L1936
+ [Test Plan]
  
- Due to this HostCertificate and HostKeyAgent not working together in
- sshd and this affects every version of openssh back till Focal, at
- least.
+ * Due to the empirical nature of this bug, the test is quite
+ straightforward. *Without* the fix, one cannot use certificates to authenticate
+ successfully (e.g. ``sshd -c /path/to/certificate.pem``)
+ whereas with the fix (assuming the certificate matches a host key) you
+ can create a channel.
+
+ [Where problems could occur]
+
+ * This has already been fixed both upstream and in Jammy without issue.
+ However, if a regression were to happen it would probably be in one of
+ two ways:
+
+   * A dependency/reverse-dependency issue stemming from the version
+   bump that will happen if this fix is ported. We mitigate this risk
+   by testing for these exact types of regression,
+   and by selecting carefully what to label this new version.
+
+   * Accidentally breaking a setup that was made to work around this
+   bug in the first place. The risk of this is lower, as the most
+   likely fix is the one being implemented here anyway. Though
+   to mitigate this more we can describe exactly what is happening
+   with the fix in the changelog.
+
+
+ This affects every version of openssh back until Focal, at least.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1952421

Title:
  Issue on sshd finds correct private key for a certificate when using
  ssh-agent

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1952421/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
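The two matching loops from the description, as an added stand-alone model that is not part of the bug report or of OpenSSH itself. It assumes a cut-down `struct sshkey` and `sensitive_data` in which the slot of a key held only by the HostKeyAgent has no private key loaded (`host_keys[j]` is NULL, as when only the `.pub` file is on disk) while `host_pubkeys[j]` is always populated, which is what makes the `host_keys` comparison miss and the `host_pubkeys` comparison match.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for OpenSSH's struct sshkey: only the field the
 * matching loop depends on (an assumption, not the real definition). */
struct sshkey {
    const char *pub;      /* public-key blob; for a certificate, the certified key */
};

/* Models sshkey_equal_public(): equal public parts match, and, like the
 * real function, a NULL on either side never matches. */
static int sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
{
    if (a == NULL || b == NULL)
        return 0;
    return strcmp(a->pub, b->pub) == 0;
}

#define NUM_HOST_KEY_FILES 2
/* Constructed sensitive_data: host_keys[] holds private keys loaded from
 * disk and is NULL for a key that lives only in the agent; host_pubkeys[]
 * comes from the .pub files and is populated in both cases. */
static struct sshkey rsa_priv = { "ssh-rsa:hostA" };        /* on-disk private key */
static struct sshkey rsa_pub  = { "ssh-rsa:hostA" };
static struct sshkey ed_pub   = { "ssh-ed25519:hostB" };    /* private key in agent */
static struct {
    struct sshkey *host_keys[NUM_HOST_KEY_FILES];
    struct sshkey *host_pubkeys[NUM_HOST_KEY_FILES];
    struct sshkey *host_certificates[NUM_HOST_KEY_FILES];
} sensitive_data = {
    { &rsa_priv, NULL },
    { &rsa_pub,  &ed_pub },
    { NULL, NULL },
};

/* The sshd.c matching loop; use_pubkeys == 0 is the buggy host_keys[] version,
 * use_pubkeys == 1 the fixed host_pubkeys[] version.
 * Returns the slot the certificate was attached to, or -1 when nothing matched. */
int attach_host_certificate(struct sshkey *cert, int use_pubkeys)
{
    for (int j = 0; j < NUM_HOST_KEY_FILES; j++) {
        struct sshkey *candidate = use_pubkeys ? sensitive_data.host_pubkeys[j]
                                               : sensitive_data.host_keys[j];
        if (sshkey_equal_public(cert, candidate)) {
            sensitive_data.host_certificates[j] = cert;
            return j;
        }
    }
    return -1;
}
```

With the agent-held key the buggy loop returns -1 and the certificate is never attached; the fixed loop attaches it to slot 1, while an on-disk key matches under both loops.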
