You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Feng Jiajie (Jira)" <ji...@apache.org> on 2020/08/14 09:04:00 UTC
[jira] [Created] (SSHD-1053) Got "key type does not match" when use
OpenSSH client And Mina SSHD configured with a host public key cert
Feng Jiajie created SSHD-1053:
---------------------------------
Summary: Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
Key: SSHD-1053
URL: https://issues.apache.org/jira/browse/SSHD-1053
Project: MINA SSHD
Issue Type: Bug
Affects Versions: 2.5.1
Reporter: Feng Jiajie
Hi,
We configured a Mina SSHD and used server certificates:
https://www.lorier.net/docs/ssh-ca.html
Mina SSHD:
{code:java}
sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
{code}
When using the OpenSSH client (test on v7.9 and v8.3) to connect to the Mina SSHD server, the client is reporting an error:
{code:java}
debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib,zlib@openssh.com
debug2: compression stoc: none,zlib,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: rsa-sha2-512-cert-v01@openssh.com
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host certificate: ssh-rsa-cert-v01@openssh.com SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1" CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from 2020-08-14T12:48:45 to 2030-08-12T12:53:45
debug2: Server host certificate hostname: 127.0.0.1
debug2: Server host certificate hostname: localhost
debug3: put_host_port: [127.0.0.1]:12133
debug3: put_host_port: [127.0.0.1]:12133
debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
debug3: record_hostkey: found ca key type RSA in file /home/work/.ssh/known_hosts:34
debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host certificate.
debug1: Found CA key in /home/work/.ssh/known_hosts:34
okok rsa-sha2-512-cert-v01@openssh.com
ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not match
{code}
After debugging the OpenSSH client, we found that the problem was that:
[https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L270]
line 270:
{code:java}
if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
{code}
`sigtype` value is "rsa-sha2-512-cert-v01@openssh.com"
[https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L61]
line 61:
{code:java}
static intrsa_hash_id_from_ident(const char *ident){
if (strcmp(ident, "ssh-rsa") == 0)
return SSH_DIGEST_SHA1;
if (strcmp(ident, "rsa-sha2-256") == 0)
return SSH_DIGEST_SHA256;
if (strcmp(ident, "rsa-sha2-512") == 0)
return SSH_DIGEST_SHA512;
return -1;
}
{code}
can't find "rsa-sha2-512-cert-v01@openssh.com" then return -1
We found OpenSSH Server signature function may return only the return value of the `rsa_hash_alg_ident` function:
{code:java}
static const char *rsa_hash_alg_ident(int hash_alg){
switch (hash_alg) {
case SSH_DIGEST_SHA1:
return "ssh-rsa";
case SSH_DIGEST_SHA256:
return "rsa-sha2-256";
case SSH_DIGEST_SHA512:
return "rsa-sha2-512";
}
return NULL;
}
{code}
[https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L223]
So I made a simple patch to handle this situation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org