Posted to dev@mina.apache.org by "Feng Jiajie (Jira)" <ji...@apache.org> on 2020/08/14 15:08:00 UTC

[jira] [Comment Edited] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert

    [ https://issues.apache.org/jira/browse/SSHD-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17177818#comment-17177818 ] 

Feng Jiajie edited comment on SSHD-1053 at 8/14/20, 3:07 PM:
-------------------------------------------------------------

On a CentOS 7 server:
{code:bash}
mkdir ~/codelab
cd ~/codelab
{code}
h2. step 1. Create CA key
{code:bash}
ssh-keygen -f ca
{code}
h2. step 2. Create Host Key
{code:bash}
ssh-keygen -f myhost
{code}
h2. step 3. Sign Host Key Using CA Key
{code:bash}
ssh-keygen -s ca -I mytestcert -h -n "127.0.0.1,localhost,10.120.32.74" -V -5m:+3650d myhost
{code}

 * -s: CA key file path
 * -I: cert name
 * -h: this is a host key
 * -n: all host names used to connect, just like the common name of an HTTPS cert
 * -V: cert validity range, 3650 days
 * myhost: host key path from step 2

 
{code}
[work@debugboxcreate2845x1 codelab]$ ssh-keygen -s ca -I mytestcert -h -n "127.0.0.1,localhost,10.120.32.74" -V -5m:+3650d myhost
Signed host key myhost-cert.pub: id "mytestcert" serial 0 for 127.0.0.1,localhost,10.120.32.74 valid from 2020-08-14T22:08:07 to 2030-08-12T22:13:07
[work@debugboxcreate2845x1 codelab]$ ll
total 20
-rw------- 1 work work 1679 Aug 14 22:06 ca
-rw-r--r-- 1 work work 407 Aug 14 22:06 ca.pub
-rw------- 1 work work 1675 Aug 14 22:08 myhost
-rw-r--r-- 1 work work 1384 Aug 14 22:13 myhost-cert.pub
-rw-r--r-- 1 work work 407 Aug 14 22:08 myhost.pub
[work@debugboxcreate2845x1 codelab]$ ssh-keygen -L -f myhost-cert.pub 
myhost-cert.pub:
 Type: ssh-rsa-cert-v01@openssh.com host certificate
 Public key: RSA-CERT SHA256:oaZ3flir1EB6DnkpJiZpJgGKFQFFiqRc9Tm5x4QuExQ
 Signing CA: RSA SHA256:9yner89PphI7gTHrPJXYVM7Nis/jzN5/D31WDNQ6Gc0
 Key ID: "mytestcert"
 Serial: 0
 Valid: from 2020-08-14T22:08:07 to 2030-08-12T22:13:07
 Principals: 
 127.0.0.1
 localhost
 10.120.32.74
 Critical Options: (none)
 Extensions: (none)
[work@debugboxcreate2845x1 codelab]$
{code}
h2. step 4. Configure OpenSSH sshd

First, back up /etc/ssh/sshd_config, then edit it:
{code:bash}
vim /etc/ssh/sshd_config
{code}
Comment out all existing HostKey lines and add the new HostKey and certificate:
{code}
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /home/work/codelab/myhost
HostCertificate /home/work/codelab/myhost-cert.pub
{code}
Then restart the sshd service:
{code:bash}
service sshd restart
{code}
h2. step 5. Test host verification

Remove the host key from *~/.ssh/known_hosts*:
{code}
[work@debugboxcreate2845x1 ~]$ ssh root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is SHA256:oaZ3flir1EB6DnkpJiZpJgGKFQFFiqRc9Tm5x4QuExQ.
RSA key fingerprint is MD5:9a:89:9a:23:8a:61:28:f2:e9:d3:84:41:33:8e:56:41.
Are you sure you want to continue connecting (yes/no)? no
{code}
Then add the CA public key (not the host public key) to ~/.ssh/known_hosts, like:
{code}
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPsJociDCipokcLpyYJ4PB4nkGdBKaiZvuQoxB+fLUjecie2o8kXq0iVnFiEKaBqFQIxguXPZ/W8wrqWAvlp3PhwWLt/qFsF6ssST8rzrDhwhWuEEGyDv/pBa2Pdm9Q9eI49vXn1PPJJ7NBwKxLw0KEkYtMfTWnJy/ZV3+T92SRZMPJU+dl07ZkSKPq088j47mIa1mdBHWHYy429sRRvIXri4sWPNBGMQW1L6repzrQZDUl7quTA4nIEugZMl1y+vk/j8b12fohf+TD5hGufIMmFPMbdivhKkylo9fuRBW9AGW1aIpxKYsyxcFb8TOJIJuZKAY8P/c5dCMrkIzfW8b work@debugboxcreate2845x1
{code}
Then try ssh:
{code}
[work@debugboxcreate2845x1 ~]$ ssh root@127.0.0.1
root@127.0.0.1's password:
{code}
The ssh client trusts the host key because it trusts the CA.

For the Mina SSHD server, use the same files:
{code:java}
import java.nio.file.Paths;
import org.apache.sshd.common.keyprovider.FileHostKeyCertificateProvider;
import org.apache.sshd.common.util.security.bouncycastle.BouncyCastleGeneratorHostKeyProvider;

// sshd is the org.apache.sshd.server.SshServer instance being configured
sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/home/work/codelab/myhost")));
sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/home/work/codelab/myhost-cert.pub")));
{code}
By the way, the default OpenSSH version on CentOS 7 is 7.4, and with the 7.4 OpenSSH client the error doesn't occur, maybe because "rsa-sha2-512-cert-v01@openssh.com" wasn't supported yet in 7.4:
 [https://github.com/openssh/openssh-portable/commit/4ba0d54794814ec0de1ec87987d0c3b89379b436]

I first met the error on macOS with OpenSSH 7.9, then I built the latest OpenSSH 8.3 on CentOS 7 and reproduced the problem.
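The trust decision the OpenSSH client makes at the end of steps 1 to 5 (a certificate signed with -h/-I/-n/-V, and a known_hosts @cert-authority line that carries the CA key rather than the host key), as an added example that is not code from this thread, from OpenSSH or from Mina SSHD. Everything in it is constructed: the RSA moduli are arbitrary numbers, the nonce is zero, the signature field is a placeholder and the validity times are made-up Unix timestamps. It decodes the certificate fields exactly as `ssh-keygen -L` lists them and checks them against the known_hosts entry; the CA signature itself is not verified, which needs real key material.

```python
"""Checks an SSH client makes on a server host certificate before trusting it.

Added example; not code from this Jira thread, OpenSSH or Mina SSHD. It builds a
constructed ssh-rsa-cert-v01@openssh.com host certificate in OpenSSH wire format
(arbitrary moduli, zero nonce, placeholder signature) and runs the checks the procedure
above depends on: host cert (-h), a principal (-n) equal to the host, time inside the -V
window, and a signing CA equal to the @cert-authority key in known_hosts.
"""
import base64
import fnmatch
import hashlib
import struct

CERT_TYPE_HOST = 2                      # 1 = user certificate
CERT_ALG = b"ssh-rsa-cert-v01@openssh.com"

def ssh_string(b: bytes) -> bytes:      # RFC 4251 string: 4-byte length + bytes
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n: int) -> bytes:         # RFC 4251 mpint, n >= 0 (extra 0x00 when the top bit is set)
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def rsa_pub_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
def fingerprint(blob: bytes) -> str:    # same form ssh-keygen -L prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_host_cert(e, n, ca_blob, key_id, principals, valid_after, valid_before, serial=0):
    """Serialise a host cert; field order follows OpenSSH's PROTOCOL.certkeys."""
    placeholder_sig = ssh_string(b"rsa-sha2-512") + ssh_string(b"\x00" * 8)  # not a real signature
    return (ssh_string(CERT_ALG)
            + ssh_string(b"\x00" * 32)                          # nonce (constructed)
            + ssh_mpint(e) + ssh_mpint(n)                       # host public key
            + struct.pack(">QI", serial, CERT_TYPE_HOST)        # serial; the type is what -h sets
            + ssh_string(key_id.encode())                       # what -I sets
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))  # -n
            + struct.pack(">QQ", valid_after, valid_before)     # -V, as Unix times
            + ssh_string(b"") * 3                               # critical options, extensions, reserved
            + ssh_string(ca_blob)                               # signature key = CA public key
            + ssh_string(placeholder_sig))

class Reader:                           # sequential decoder for the wire format
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def uint(self, size: int) -> int:
        v = int.from_bytes(self.data[self.pos:self.pos + size], "big")
        self.pos += size
        return v
    def string(self) -> bytes:
        n = self.uint(4)
        self.pos += n
        return self.data[self.pos - n:self.pos]

def parse_cert(blob: bytes) -> dict:
    r = Reader(blob)
    if r.string() != CERT_ALG:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    _nonce, _e, _n = r.string(), r.string(), r.string()         # host key fields, unused here
    serial, ctype, key_id = r.uint(8), r.uint(4), r.string().decode()
    pr, principals = Reader(r.string()), []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.uint(8), r.uint(8)
    _opts, _exts, _reserved = r.string(), r.string(), r.string()
    return {"serial": serial, "type": ctype, "key_id": key_id, "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before, "ca_blob": r.string()}

def cert_authority_line(ca_blob: bytes, pattern: str = "*") -> str:
    """The known_hosts entry step 5 adds: the CA's public key, not the host's."""
    return f"@cert-authority {pattern} ssh-rsa {base64.b64encode(ca_blob).decode()}"

def pattern_matches(pattern: str, host: str) -> bool:
    """known_hosts host patterns: comma-separated, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(host, p) for p in pattern.split(","))

def check_host_cert(cert_blob: bytes, host: str, known_hosts_line: str, now: int) -> list:
    """Return the reasons to reject the certificate; an empty list means it is acceptable."""
    marker, pattern, _keytype, b64 = known_hosts_line.split()[:4]
    if marker != "@cert-authority":
        raise ValueError("known_hosts line is not a @cert-authority entry")
    trusted_ca, cert, reasons = base64.b64decode(b64), parse_cert(cert_blob), []
    if cert["type"] != CERT_TYPE_HOST:
        reasons.append("not a host certificate (sign with -h)")
    if host not in cert["principals"]:
        reasons.append(f"{host} is not among the principals {cert['principals']}")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        reasons.append("outside the validity window")
    if not pattern_matches(pattern, host):
        reasons.append(f"@cert-authority pattern {pattern!r} does not cover {host}")
    if cert["ca_blob"] != trusted_ca:
        reasons.append(f"signing CA {fingerprint(cert['ca_blob'])} differs from {fingerprint(trusted_ca)}")
    return reasons

# Constructed sample data: the moduli are arbitrary odd numbers, not real RSA keys.
CA_BLOB = rsa_pub_blob(65537, (1 << 2047) + 12345)
KNOWN_HOSTS_LINE = cert_authority_line(CA_BLOB)
HOST_CERT = build_host_cert(65537, (1 << 2047) + 777, CA_BLOB, "mytestcert",
                            ["127.0.0.1", "localhost", "10.120.32.74"], 1_600_000_000, 1_900_000_000)

if __name__ == "__main__":
    for host in ("127.0.0.1", "example.org"):
        print(host, check_host_cert(HOST_CERT, host, KNOWN_HOSTS_LINE, now=1_700_000_000) or "OK")
```

Run as a script, `127.0.0.1` is accepted and `example.org` is rejected because it is not one of the -n principals; a known_hosts line built from a different CA key is rejected with the two CA fingerprints in the message, which is the same comparison a stale or mistyped @cert-authority entry would fail.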


> Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SSHD-1053
>                 URL: https://issues.apache.org/jira/browse/SSHD-1053
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.5.1
>            Reporter: Feng Jiajie
>            Assignee: Lyor Goldstein
>            Priority: Major
>         Attachments: ca, ca.pub, myhost, myhost-cert.pub, myhost.pub
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Hi,
> We configured a Mina SSHD and used server certificates:
>  [https://www.lorier.net/docs/ssh-ca.html]
> Mina SSHD:
> {code:java}
> sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
> sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
> {code}
> When using the OpenSSH client (tested on v7.9 and v8.3) to connect to the Mina SSHD server, the client reports an error:
> {code}
> debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: compression ctos: none,zlib,zlib@openssh.com
> debug2: compression stoc: none,zlib,zlib@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: ecdh-sha2-nistp256
> debug1: kex: host key algorithm: rsa-sha2-512-cert-v01@openssh.com
> debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1" CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from 2020-08-14T12:48:45 to 2030-08-12T12:53:45
> debug2: Server host certificate hostname: 127.0.0.1
> debug2: Server host certificate hostname: localhost
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file /home/work/.ssh/known_hosts:34
> debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
> debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host certificate.
> debug1: Found CA key in /home/work/.ssh/known_hosts:34
> okok rsa-sha2-512-cert-v01@openssh.com
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not match
> {code}
> After debugging the OpenSSH client, we found that the problem is the following:
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L270]
> line 270:
> {code:c}
> if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
>   ret = SSH_ERR_KEY_TYPE_MISMATCH;
>   goto out;
> }
> {code}
> The `sigtype` value is "rsa-sha2-512-cert-v01@openssh.com".
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L61]
> line 61:
> {code:c}
> static int
> rsa_hash_id_from_ident(const char *ident)
> {
>   if (strcmp(ident, "ssh-rsa") == 0)
>     return SSH_DIGEST_SHA1;
>   if (strcmp(ident, "rsa-sha2-256") == 0)
>     return SSH_DIGEST_SHA256;
>   if (strcmp(ident, "rsa-sha2-512") == 0)
>     return SSH_DIGEST_SHA512;
>   return -1;
> }
> {code}
> It can't find "rsa-sha2-512-cert-v01@openssh.com", so it returns -1.
> We found that the OpenSSH server's signature function may only return the return value of the `rsa_hash_alg_ident` function:
> {code:c}
> static const char *
> rsa_hash_alg_ident(int hash_alg)
> {
>   switch (hash_alg) {
>     case SSH_DIGEST_SHA1:
>       return "ssh-rsa";
>     case SSH_DIGEST_SHA256:
>       return "rsa-sha2-256";
>     case SSH_DIGEST_SHA512:
>       return "rsa-sha2-512";
>   }
>   return NULL;
> }
> {code}
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L223]
> So I made a simple patch to handle this situation:
> [https://github.com/apache/mina-sshd/pull/158]
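The client-side check that produced `key type does not match` in the log above, and the naming rule a server has to follow to pass it, as an added example that is not code from the reporter, from OpenSSH or from Mina SSHD. It models the signature blob sent in the key exchange (`string sigtype` followed by `string signature`) and mirrors the two OpenSSH table lookups quoted in the report with Python dictionaries. The server-side rule it applies, dropping the `-cert-v01@openssh.com` suffix from the negotiated host-key algorithm before naming the signature, is my reading of the report, not the contents of PR 158; the signature bytes are a constructed placeholder, so only the type-string handling is exercised.

```python
"""Why the OpenSSH client printed "key type does not match", and how the server avoids it.

Added example; not code from this Jira issue, OpenSSH or Mina SSHD. It models the
signature blob the server sends in the key exchange (string sigtype, string signature)
and re-implements the two OpenSSH lookups quoted in the report: rsa_hash_alg_ident() on
the signing side and rsa_hash_id_from_ident() on the verifying side. The signature
bytes are a constructed placeholder. The server-side rule (drop the
"-cert-v01@openssh.com" suffix from the negotiated host-key algorithm) is my reading of
the issue, not the text of PR 158.
"""
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"
# rsa_hash_alg_ident(): hash algorithm -> identifier written into the signature blob
RSA_SIG_IDENT = {"sha1": "ssh-rsa", "sha256": "rsa-sha2-256", "sha512": "rsa-sha2-512"}
# rsa_hash_id_from_ident(): identifier read from the blob -> hash algorithm (None stands in for -1)
RSA_HASH_FROM_IDENT = {ident: alg for alg, ident in RSA_SIG_IDENT.items()}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(data: bytes, pos: int):
    (n,) = struct.unpack_from(">I", data, pos)
    return data[pos + 4:pos + 4 + n], pos + 4 + n


def signature_ident_for_hostkey_alg(hostkey_alg: str) -> str:
    """Server side: the negotiated name describes the key (possibly a certificate);
    the blob must carry the signature algorithm of the underlying RSA key."""
    base = hostkey_alg[:-len(CERT_SUFFIX)] if hostkey_alg.endswith(CERT_SUFFIX) else hostkey_alg
    if base not in RSA_HASH_FROM_IDENT:
        raise ValueError(f"not an RSA host-key algorithm: {hostkey_alg}")
    return base


def make_signature_blob(sigtype: str, raw_sig: bytes) -> bytes:
    return ssh_string(sigtype.encode()) + ssh_string(raw_sig)


def buggy_server_sign(hostkey_alg: str, raw_sig: bytes) -> bytes:
    """The behaviour the report describes: the negotiated name is copied into the blob unchanged."""
    return make_signature_blob(hostkey_alg, raw_sig)


def fixed_server_sign(hostkey_alg: str, raw_sig: bytes) -> bytes:
    """Name the signature after the underlying key algorithm, as rsa_hash_alg_ident() would."""
    return make_signature_blob(signature_ident_for_hostkey_alg(hostkey_alg), raw_sig)


def client_verify_type(blob: bytes) -> str:
    """Client side, modelled on the quoted start of the verify path: read sigtype and map it."""
    sigtype, pos = read_string(blob, 0)
    hash_alg = RSA_HASH_FROM_IDENT.get(sigtype.decode())
    if hash_alg is None:
        return "key type does not match"           # SSH_ERR_KEY_TYPE_MISMATCH
    _raw_sig, pos = read_string(blob, pos)
    if pos != len(blob):
        return "unexpected trailing data"
    return f"ok: verify with {hash_alg}"


NEGOTIATED = "rsa-sha2-512-cert-v01@openssh.com"    # the debug1 'host key algorithm' line above
PLACEHOLDER_SIG = b"\x00" * 16                        # constructed; not a real RSA signature

if __name__ == "__main__":
    print("buggy:", client_verify_type(buggy_server_sign(NEGOTIATED, PLACEHOLDER_SIG)))
    print("fixed:", client_verify_type(fixed_server_sign(NEGOTIATED, PLACEHOLDER_SIG)))
```

The same mapping explains the remark about OpenSSH 7.4 clients: a client that only offers `ssh-rsa-cert-v01@openssh.com` gets a blob typed `ssh-rsa`, which the table does know, so the mismatch never surfaces there.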



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
