SSH agent answers rsa-sha2-256 signing request as ssh-rsa #364

Closed
jpn-e opened this issue Apr 26, 2023 · 1 comment · Fixed by #366

jpn-e commented Apr 26, 2023

Version

2.10.0-SNAPSHOT

Bug description

I'm facing problems using LocalAgentFactory when the other side sends a signing request requesting rsa-sha2-256 as signature algorithm.

Actual behavior

It appears the agent responds as if the request was for ssh-rsa even though rsa-sha2-256 was requested.

Expected behavior

The response should be signed as rsa-sha2-256

Relevant log output

No response

Other information

Trying to narrow down the problem, I believe it may be in sshd-core/src/main/java/org/apache/sshd/agent/common/AbstractAgentClient.java.

In handling SshAgentConstants.SSH2_AGENTC_SIGN_REQUEST the flags value is extracted from the request but never used. I believe that the flags should be considered when setting keyType.

I see that AbstractAgentProxy.sign(...) sets flags to 2 for signatureAlgorithm KeyUtils.RSA_SHA256_KEY_TYPE_ALIAS. I expected the opposite needs to be done in AbstractAgentClient, that keyType should be set to RSA_SHA256_KEY_TYPE_ALIAS when the key type is RSA and flags 2.

tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue May 1, 2023
…ient

Respect the flags in OpenSSH signing requests. These flags tell what
kind of signature should be produced for an RSA key: ssh-rsa,
rsa-sha2-256, or rsa-sha2-512.

Previous code only set the flags on the client side, but ignored
them in the server side and thus always answered with an ssh-rsa
signature.

Bug: apache#364
tomaswolf added the bug label May 1, 2023
tomaswolf self-assigned this May 1, 2023
tomaswolf added this to the 2.10 milestone May 1, 2023
tomaswolf (Member) commented

> I expected the opposite needs to be done in AbstractAgentClient

Indeed. Thanks for reporting this problem!

tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue May 2, 2023
…ient

Respect the flags in OpenSSH signing requests. These flags tell what
kind of signature should be produced for an RSA key: ssh-rsa,
rsa-sha2-256, or rsa-sha2-512.

Previous code only set the flags on the client side, but ignored
them in the server side and thus always answered with an ssh-rsa
signature.

Bug: apache#364
tomaswolf added a commit that referenced this issue May 2, 2023
Respect the flags in OpenSSH signing requests. These flags tell what
kind of signature should be produced for an RSA key: ssh-rsa,
rsa-sha2-256, or rsa-sha2-512.

Previous code only set the flags on the client side, but ignored
them in the server side and thus always answered with an ssh-rsa
signature.

Bug: #364
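
The behaviour the issue and the fix describe, reduced to the wire format, as an added example that is not MINA SSHD's code: a plain-JDK parser for an agent sign request that picks the reply's signature algorithm from the flags field. The class and method names and the sample request are constructed for illustration, and the value 4 for rsa-sha2-512 comes from the OpenSSH agent protocol (the page itself only states 2 for rsa-sha2-256).

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class AgentSignFlags {
    // Constants from the OpenSSH agent protocol.
    static final byte SSH2_AGENTC_SIGN_REQUEST = 13;
    static final int SSH_AGENT_RSA_SHA2_256 = 2;
    static final int SSH_AGENT_RSA_SHA2_512 = 4;

    // Reads an SSH "string": a uint32 length followed by that many bytes.
    static byte[] readString(ByteBuffer buf) {
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) throw new IllegalArgumentException("bad length");
        byte[] out = new byte[len];
        buf.get(out);
        return out;
    }

    // Signature algorithm the reply must use; message is the body without its uint32 length prefix.
    static String signatureAlgorithm(byte[] message) {
        ByteBuffer buf = ByteBuffer.wrap(message);
        if (buf.get() != SSH2_AGENTC_SIGN_REQUEST) throw new IllegalArgumentException("not a sign request");
        byte[] keyBlob = readString(buf);
        readString(buf); // data to sign; not needed to pick the algorithm
        int flags = buf.getInt();
        // The key blob itself starts with the key type as an SSH string.
        String keyType = new String(readString(ByteBuffer.wrap(keyBlob)), StandardCharsets.US_ASCII);
        if (!"ssh-rsa".equals(keyType)) return keyType; // flags select a hash only for RSA keys
        // If both bits are set this example picks SHA-256 first (an assumption of the example).
        if ((flags & SSH_AGENT_RSA_SHA2_256) != 0) return "rsa-sha2-256";
        if ((flags & SSH_AGENT_RSA_SHA2_512) != 0) return "rsa-sha2-512";
        return "ssh-rsa";
    }

    // Constructed request: the key blob is a placeholder holding only the key type.
    static byte[] sampleRequest(String keyType, int flags) {
        byte[] type = keyType.getBytes(StandardCharsets.US_ASCII);
        byte[] data = "constructed data".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer buf = ByteBuffer.allocate(1 + 4 + 4 + type.length + 4 + data.length + 4);
        buf.put(SSH2_AGENTC_SIGN_REQUEST).putInt(4 + type.length).putInt(type.length).put(type);
        buf.putInt(data.length).put(data).putInt(flags);
        return buf.array();
    }

    public static void main(String[] args) {
        for (int flags : new int[] {0, 2, 4}) {
            System.out.println("flags=" + flags + " -> " + signatureAlgorithm(sampleRequest("ssh-rsa", flags)));
        }
    }
}
```

An agent that skips the flags check always takes the final `return "ssh-rsa"` path for RSA keys, which is the SHA-1 based signature the reporter received instead of rsa-sha2-256.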