Discussion:
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Adam Eijdenberg
2018-10-10 06:06:35 UTC
Hi,

One of our users who is running an OS (I think it's the latest beta
macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is
unable to use our user SSH RSA certificates to authenticate to our
servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan
2017").

We see this error on the client side:

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
...
debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
debug1: send_pubkey_test: no mutual signature algorithm

(So far as I can tell, neither the server nor client are overriding
default algorithms in their respective configurations)

I added some printf debugging to the client to show the values being compared:

debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
debug1: key_sig_algorithm: cp: ecdsa-sha2-nistp256-cert-***@openssh.com sshkey_sigalg_by_name(cp): ecdsa-sha2-nistp256
debug1: key_sig_algorithm: skipping ecdsa-sha2-nistp256-cert-***@openssh.com due to not matching key->type
debug1: key_sig_algorithm: cp: ecdsa-sha2-nistp384-cert-***@openssh.com sshkey_sigalg_by_name(cp): ecdsa-sha2-nistp384
debug1: key_sig_algorithm: skipping ecdsa-sha2-nistp384-cert-***@openssh.com due to not matching key->type
debug1: key_sig_algorithm: cp: ecdsa-sha2-nistp521-cert-***@openssh.com sshkey_sigalg_by_name(cp): ecdsa-sha2-nistp521
debug1: key_sig_algorithm: skipping ecdsa-sha2-nistp521-cert-***@openssh.com due to not matching key->type
debug1: key_sig_algorithm: cp: ssh-ed25519-cert-***@openssh.com sshkey_sigalg_by_name(cp): ssh-ed25519
debug1: key_sig_algorithm: skipping ssh-ed25519-cert-***@openssh.com due to not matching key->type
debug1: key_sig_algorithm: cp: rsa-sha2-512-cert-***@openssh.com sshkey_sigalg_by_name(cp): ssh-rsa-sha2-512
debug1: match_list: comparing cp: ssh-rsa-sha2-512 against sp: rsa-sha2-256
debug1: match_list: comparing cp: ssh-rsa-sha2-512 against sp: rsa-sha2-512
debug1: key_sig_algorithm: cp: rsa-sha2-256-cert-***@openssh.com sshkey_sigalg_by_name(cp): ssh-rsa-sha2-256
debug1: match_list: comparing cp: ssh-rsa-sha2-256 against sp: rsa-sha2-256
debug1: match_list: comparing cp: ssh-rsa-sha2-256 against sp: rsa-sha2-512
debug1: key_sig_algorithm: cp: ssh-rsa-cert-***@openssh.com sshkey_sigalg_by_name(cp): ssh-rsa
debug1: match_list: comparing cp: ssh-rsa against sp: rsa-sha2-256
debug1: match_list: comparing cp: ssh-rsa against sp: rsa-sha2-512
debug1: key_sig_algorithm: cp: ecdsa-sha2-nistp256 sshkey_sigalg_by_name(cp): ecdsa-sha2-nistp256
debug1: key_sig_algorithm: skipping ecdsa-sha2-nistp256 due to not matching key->type
debug1: key_sig_algorithm: cp: ecdsa-sha2-nistp384 sshkey_sigalg_by_name(cp): ecdsa-sha2-nistp384
debug1: key_sig_algorithm: skipping ecdsa-sha2-nistp384 due to not matching key->type
debug1: key_sig_algorithm: cp: ecdsa-sha2-nistp521 sshkey_sigalg_by_name(cp): ecdsa-sha2-nistp521
debug1: key_sig_algorithm: skipping ecdsa-sha2-nistp521 due to not matching key->type
debug1: key_sig_algorithm: cp: ssh-ed25519 sshkey_sigalg_by_name(cp): ssh-ed25519
debug1: key_sig_algorithm: skipping ssh-ed25519 due to not matching key->type
debug1: key_sig_algorithm: cp: rsa-sha2-512 sshkey_sigalg_by_name(cp): rsa-sha2-512
debug1: key_sig_algorithm: skipping rsa-sha2-512 due to not matching key->type
debug1: key_sig_algorithm: cp: rsa-sha2-256 sshkey_sigalg_by_name(cp): rsa-sha2-256
debug1: key_sig_algorithm: skipping rsa-sha2-256 due to not matching key->type
debug1: key_sig_algorithm: cp: ssh-rsa sshkey_sigalg_by_name(cp): ssh-rsa
debug1: key_sig_algorithm: skipping ssh-rsa due to not matching key->type
debug1: send_pubkey_test: no mutual signature algorithm

I think the most relevant few lines are:

debug1: key_sig_algorithm: cp: rsa-sha2-256-cert-***@openssh.com sshkey_sigalg_by_name(cp): ssh-rsa-sha2-256
debug1: match_list: comparing cp: ssh-rsa-sha2-256 against sp: rsa-sha2-256
debug1: match_list: comparing cp: ssh-rsa-sha2-256 against sp: rsa-sha2-512

It looks like the "ssh-" prefix is returned by sshkey_sigalg_by_name()
which does not match the algorithm identifiers returned by our server.

Any suggestions on how we can configure either our server (7.4) or
preferably client (7.8) to resolve?

Many thanks,

Cheers, Adam
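
A simplified model of the comparison shown in the trace above, added here as an illustration and not taken from OpenSSH or from either poster: the client maps each RSA certificate algorithm to a signature algorithm name and looks for it in the server's server-sig-algs list. `struct row`, `in_list` and `pick_alg` are hypothetical names, and the certificate algorithm names are written in their full `-cert-v01@openssh.com` form.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a keytypes[] row (hypothetical struct, not OpenSSH's):
 * key algorithm name and the signature algorithm it maps to. */
struct row { const char *name; const char *sigalg; };

/* Mapping as the 7.8 client trace prints it, with the "ssh-" prefix. */
static const struct row before_fix[] = {
    { "rsa-sha2-512-cert-v01@openssh.com", "ssh-rsa-sha2-512" },
    { "rsa-sha2-256-cert-v01@openssh.com", "ssh-rsa-sha2-256" },
    { NULL, NULL }
};
/* Mapping after the sshkey.c change posted in this thread. */
static const struct row after_fix[] = {
    { "rsa-sha2-512-cert-v01@openssh.com", "rsa-sha2-512" },
    { "rsa-sha2-256-cert-v01@openssh.com", "rsa-sha2-256" },
    { NULL, NULL }
};

/* Exact-token membership test in a comma-separated algorithm list. */
static int in_list(const char *alg, const char *list)
{
    size_t n = strlen(alg);
    for (const char *p = list; *p != '\0'; ) {
        size_t len = strcspn(p, ",");
        if (len == n && strncmp(p, alg, n) == 0)
            return 1;
        p += len + (p[len] == ',');   /* step over the token and its comma */
    }
    return 0;
}

/* First key algorithm the server can verify; NULL is "no mutual signature algorithm". */
static const char *pick_alg(const struct row *t, const char *server_sig_algs)
{
    for (; t->name != NULL; t++)
        if (in_list(t->sigalg, server_sig_algs))
            return t->name;
    return NULL;
}

int main(void)
{
    const char *sp = "rsa-sha2-256,rsa-sha2-512"; /* server-sig-algs from the trace */
    const char *a = pick_alg(before_fix, sp), *b = pick_alg(after_fix, sp);
    printf("before: %s\nafter:  %s\n", a ? a : "(none)", b ? b : "(none)");
    return 0;
}
```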
Damien Miller
2018-10-10 23:41:16 UTC
Post by Adam Eijdenberg
Hi,
One of our users who is running an OS (I think it's the latest beta
macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is
unable to use our user SSH RSA certificates to authenticate to our
servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan
2017").
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
...
debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
debug1: send_pubkey_test: no mutual signature algorithm
That looks like a bug:

diff --git a/sshkey.c b/sshkey.c
index f7c09fb..e602987 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -109,9 +109,9 @@ static const struct keytype keytypes[] = {
{ "ssh-rsa-cert-***@openssh.com", "RSA-CERT", NULL,
KEY_RSA_CERT, 0, 1, 0 },
{ "rsa-sha2-256-cert-***@openssh.com", "RSA-CERT",
- "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
+ "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
{ "rsa-sha2-512-cert-***@openssh.com", "RSA-CERT",
- "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
+ "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
{ "ssh-dss-cert-***@openssh.com", "DSA-CERT", NULL,
KEY_DSA_CERT, 0, 1, 0 },
{ "ecdsa-sha2-nistp256-cert-***@openssh.com", "ECDSA-CERT", NULL,
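Review bot: the corrected third field on the rsa-sha2-256 and rsa-sha2-512 certificate rows is still a free-form string literal that has to equal the plain signature algorithm name byte for byte, and nothing in this hunk enforces that. Consider a regress check that every non-NULL signature algorithm string in keytypes[] is itself the name of a non-certificate entry, so a stray prefix like the removed "ssh-" fails at test time rather than as "no mutual signature algorithm" on a user's machine.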
Adam Eijdenberg
2018-10-11 00:44:22 UTC
Post by Damien Miller
Post by Adam Eijdenberg
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
...
debug1: Offering public key: RSA-CERT SHA256:xxx /path/to/key
debug1: send_pubkey_test: no mutual signature algorithm
diff --git a/sshkey.c b/sshkey.c
index f7c09fb..e602987 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -109,9 +109,9 @@ static const struct keytype keytypes[] = {
KEY_RSA_CERT, 0, 1, 0 },
- "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
+ "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
- "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
+ "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
KEY_DSA_CERT, 0, 1, 0 },
Thanks for looking into it. I wasn't able to get the patch to apply
cleanly to the portable source for whatever reason, so I manually made
the changes and got a little further. I now get past the "no mutual
signature algorithm" client message, and get an error on the server
side (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017):

userauth_pubkey: unsupported public key algorithm: rsa-sha2-512-cert-***@openssh.com [preauth]

Along the way I noticed that there seem to be duplicated entries in
the keytypes[] array - is this intentional? i.e. the following 2
contiguous sections appear to be identical. I ended up changing both
on my client to remove the "ssh-" prefix:

https://github.com/openssh/openssh-portable/blob/V_7_8_P1/sshkey.c#L116-L123
https://github.com/openssh/openssh-portable/blob/V_7_8_P1/sshkey.c#L124-L131
Damien Miller
2018-10-11 01:04:01 UTC
Post by Adam Eijdenberg
Thanks for looking into it. I wasn't able to get the patch to apply
cleanly to the portable source for whatever reason, so I manually made
the changes and got a little further. I now get past the "no mutual
signature algorithm" client message, and get an error on the server
Could you send me a debug trace from the client for this? We shouldn't
send this algorithm name unless the server supports it.
Post by Adam Eijdenberg
Along the way I noticed that there seem to be duplicated entries in
the keytypes[] array - is this intentional? i.e. the following 2
contiguous sections appear to be identical. I ended up changing both
https://github.com/openssh/openssh-portable/blob/V_7_8_P1/sshkey.c#L116-L123
https://github.com/openssh/openssh-portable/blob/V_7_8_P1/sshkey.c#L124-L131
Thanks, I've committed a fix for this.

-d
Damien Miller
2018-10-11 01:13:44 UTC
Post by Damien Miller
Post by Adam Eijdenberg
Thanks for looking into it. I wasn't able to get the patch to apply
cleanly to the portable source for whatever reason, so I manually made
the changes and got a little further. I now get past the "no mutual
signature algorithm" client message, and get an error on the server
Could you send me a debug trace from the client for this? We shouldn't
send this algorithm name unless the server supports it.
Could you try this?

diff --git a/sshconnect2.c b/sshconnect2.c
index f104408..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
* newer (SHA2) algorithms.
*/
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
- (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+ (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+ (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_key_types, NULL);
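Review bot: the added clause `(key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))` sends RSA certificates into the fallback branch for flagged peers, but the comment block ending in "newer (SHA2) algorithms." is left unchanged and does not say why certificates are treated differently from plain RSA keys here. Please extend that comment to name the peer behaviour SSH_BUG_SIGTYPE stands for, and consider pulling the four-part condition into a small helper or local variable so the next reader can see at a glance which keys still negotiate against server_sig_algs.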
Adam Eijdenberg
2018-10-11 01:18:28 UTC
Post by Damien Miller
Could you try this?
diff --git a/sshconnect2.c b/sshconnect2.c
index f104408..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
* newer (SHA2) algorithms.
*/
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
- (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+ (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+ (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_key_types, NULL);
That fixes it for me, thank you. Would you still like a copy of the
previous failing client trace?
Damien Miller
2018-10-11 01:19:48 UTC
Post by Adam Eijdenberg
Post by Damien Miller
Could you try this?
diff --git a/sshconnect2.c b/sshconnect2.c
index f104408..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
* newer (SHA2) algorithms.
*/
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
- (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+ (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+ (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_key_types, NULL);
That fixes it for me, thank you. Would you still like a copy of the
previous failing client trace?
No, I think I figured it out :)
Adam Eijdenberg
2018-10-11 01:45:40 UTC
Post by Damien Miller
No, I think I figured it out :)
Thanks again for your help. I think there are still 2 more sets of
duplicated lines that can go. i.e. I think we can delete:

diff --git a/sshkey.c b/sshkey.c
index 21e61a2c..6555c5ef 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -124,10 +124,6 @@ static const struct keytype keytypes[] = {
"rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
{ "ssh-dss-cert-***@openssh.com", "DSA-CERT", NULL,
KEY_DSA_CERT, 0, 1, 0 },
- { "ssh-rsa-cert-***@openssh.com", "RSA-CERT", NULL,
- KEY_RSA_CERT, 0, 1, 0 },
- { "ssh-dss-cert-***@openssh.com", "DSA-CERT", NULL,
- KEY_DSA_CERT, 0, 1, 0 },
# ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256-cert-***@openssh.com", "ECDSA-CERT", NULL,
KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
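Review bot: of the two removed rows, only the ssh-dss-cert one has its surviving twin visible in the context lines directly above; the surviving ssh-rsa-cert row is outside this hunk, so the commit message should say where it lives to let the deletion be confirmed as a pure duplicate removal. A check that rejects repeated names in keytypes[] would also stop such duplicates from coming back unnoticed.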
Damien Miller
2018-10-11 02:02:46 UTC
applied - thanks
Post by Adam Eijdenberg
Post by Damien Miller
No, I think I figured it out :)
Thanks again for your help. I think there are still 2 more sets of
diff --git a/sshkey.c b/sshkey.c
index 21e61a2c..6555c5ef 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -124,10 +124,6 @@ static const struct keytype keytypes[] = {
"rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
KEY_DSA_CERT, 0, 1, 0 },
- KEY_RSA_CERT, 0, 1, 0 },
- KEY_DSA_CERT, 0, 1, 0 },
# ifdef OPENSSL_HAS_ECC
KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
Damien Miller
2018-10-11 04:06:53 UTC
Post by Adam Eijdenberg
Post by Damien Miller
Could you try this?
diff --git a/sshconnect2.c b/sshconnect2.c
index f104408..1d2906f 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1080,7 +1080,8 @@ key_sig_algorithm(struct ssh *ssh, const struct sshkey *key)
* newer (SHA2) algorithms.
*/
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
- (key->type != KEY_RSA && key->type != KEY_RSA_CERT)) {
+ (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
+ (key->type == KEY_RSA_CERT && (datafellows & SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_key_types, NULL);
That fixes it for me, thank you. Would you still like a copy of the
previous failing client trace?
That fix is committed and will be in the OpenSSH 7.9 release.

Thanks for catching those two bugs in time!

-d