You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/09/09 18:33:00 UTC

[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert

     [ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=480981&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-480981 ]

ASF GitHub Bot logged work on SSHD-1053:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Sep/20 18:32
            Start Date: 09/Sep/20 18:32
    Worklog Time Spent: 10m 
      Work Description: FliegenKLATSCH opened a new pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164


   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 480981)
    Time Spent: 1.5h  (was: 1h 20m)

> Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SSHD-1053
>                 URL: https://issues.apache.org/jira/browse/SSHD-1053
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.5.1
>            Reporter: Feng Jiajie
>            Priority: Major
>         Attachments: ca, ca.pub, myhost, myhost-cert.pub, myhost.pub
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Hi,
> We configured a Mina SSHD and used server certificates:
>  [https://www.lorier.net/docs/ssh-ca.html]
> Mina SSHD:
> {code:java}
> sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
> sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
> {code}
> When using the OpenSSH client (test on v7.9 and v8.3) to connect to the Mina SSHD server, the client is reporting an error:
> {code:java}
> debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: compression ctos: none,zlib,zlib@openssh.com
> debug2: compression stoc: none,zlib,zlib@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: ecdh-sha2-nistp256
> debug1: kex: host key algorithm: rsa-sha2-512-cert-v01@openssh.com
> debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1" CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from 2020-08-14T12:48:45 to 2030-08-12T12:53:45
> debug2: Server host certificate hostname: 127.0.0.1
> debug2: Server host certificate hostname: localhost
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file /home/work/.ssh/known_hosts:34
> debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
> debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host certificate.
> debug1: Found CA key in /home/work/.ssh/known_hosts:34
> okok rsa-sha2-512-cert-v01@openssh.com
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not match
> {code}
> After debugging the OpenSSH client, we found that the problem was that:
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L270]
>  line 270: 
> {code:java}
> if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
>   ret = SSH_ERR_KEY_TYPE_MISMATCH;
>   goto out;
> }
> {code}
> `sigtype` value is "rsa-sha2-512-cert-v01@openssh.com"
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L61]
>  line 61: 
> {code:java}
> static intrsa_hash_id_from_ident(const char *ident){
>   if (strcmp(ident, "ssh-rsa") == 0)
>     return SSH_DIGEST_SHA1;	
>   if (strcmp(ident, "rsa-sha2-256") == 0)	
>     return SSH_DIGEST_SHA256;
>   if (strcmp(ident, "rsa-sha2-512") == 0)
>     return SSH_DIGEST_SHA512;
>   return -1;
> }
> {code}
> can't find "rsa-sha2-512-cert-v01@openssh.com" then return -1
> We found OpenSSH Server signature function may return only the return value of the `rsa_hash_alg_ident` function:
> {code:java}
> static const char *rsa_hash_alg_ident(int hash_alg){
>   switch (hash_alg) {
>     case SSH_DIGEST_SHA1:
>       return "ssh-rsa";
>     case SSH_DIGEST_SHA256:
>       return "rsa-sha2-256";
>     case SSH_DIGEST_SHA512:
>       return "rsa-sha2-512";
>   }
>   return NULL;
> }
> {code}
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L223]
> So I made a simple patch to handle this situation:
> [https://github.com/apache/mina-sshd/pull/158]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org