Re: Call for testing: OpenSSH 7.7


On Fri, 23 Mar 2018, Peter Moody wrote:

> > Live testing on suitable non-production systems is also appreciated.
> > Please send reports of success or failure to
> > openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> > directly to openssh@xxxxxxxxxxx.
> 
> I've got one weird case.
> 
> doing pubkey auth with certificates, if I have both the key and cert
> loaded in my agent, I see:
> 
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519)
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
> 
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
> 
> pmoody@host:~$
> 
> but if I only have the certificate, I see:
> 
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
> 
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
> warning: agent returned different signature type ssh-ed25519 (expected
> ssh-ed25519-cert-v01@xxxxxxxxxxx)

Looks like a false positive from the warning code I added recently.

Please try this:

diff --git a/sshconnect2.c b/sshconnect2.c
index bf0b729..49eb205 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1006,6 +1006,8 @@ check_sigtype(const struct sshkey *key, const u_char *sig, size_t len)
 	char *sigtype = NULL;
 	const char *alg = key_sign_encode(key);
 
+	if (sshkey_is_cert(key))
+		return 0;
 	if ((r = sshkey_sigtype(sig, len, &sigtype)) != 0)
 		return r;
 	if (strcmp(sigtype, alg) != 0) {
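Review bot: the early return at `if (sshkey_is_cert(key)) return 0;` disables the check entirely for certificate keys rather than correcting the comparison, so an agent returning a genuinely wrong signature type for a certificate key would no longer be caught. Since the false positive arises because a certificate key signs with its underlying key algorithm (ssh-ed25519 for an ssh-ed25519-cert-v01@openssh.com key), a tighter fix would compare `sigtype` against the base key's signing algorithm instead of skipping the check; at minimum the return deserves a comment explaining why certs are exempt. Also, `alg` is now computed by `key_sign_encode(key)` before the cert check and goes unused on that path; moving the call below the new `if` avoids the wasted work.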
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
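The following is an added example, not code from OpenSSH or from the thread, modelling the check that produced the warning above. It parses the signature-type string from an SSH wire-format signature blob (a uint32 length followed by the bytes, as `sshkey_sigtype()` does), then compares it against the key's algorithm two ways: naively against the full key name, which reproduces the false positive for an `ssh-ed25519-cert-v01@openssh.com` key, and cert-aware, comparing against the underlying key algorithm, which clears the false positive while still flagging a signature of the wrong type. The function names (`build_sig_blob`, `parse_sigtype`, `check_sigtype_model`, `demo_case`), the dummy signature bytes and the suffix-stripping model of the cert-to-base mapping are assumptions for illustration; RSA SHA-2 signature variants are deliberately out of scope.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append one SSH wire-format string (uint32 big-endian length, then the
 * bytes) to buf. Returns bytes written, or 0 if it does not fit. */
static size_t put_string(uint8_t *buf, size_t cap, const void *data, size_t n)
{
	if (cap < 4 + n)
		return 0;
	buf[0] = (uint8_t)(n >> 24); buf[1] = (uint8_t)(n >> 16);
	buf[2] = (uint8_t)(n >> 8);  buf[3] = (uint8_t)n;
	memcpy(buf + 4, data, n);
	return 4 + n;
}

/* Constructed stand-in for an agent's signature response:
 * string(sigtype) || string(signature bytes). The signature bytes are
 * dummy filler; only the leading type string matters for this check. */
size_t build_sig_blob(const char *sigtype, uint8_t *out, size_t cap)
{
	static const uint8_t dummy_sig[8] = { 0xde, 0xad, 0xbe, 0xef, 0, 1, 2, 3 };
	size_t n = put_string(out, cap, sigtype, strlen(sigtype));
	if (n == 0)
		return 0;
	size_t m = put_string(out + n, cap - n, dummy_sig, sizeof dummy_sig);
	return m == 0 ? 0 : n + m;
}

/* Model of sshkey_sigtype(): read the leading string of the blob into out.
 * Returns 0 on success, -1 if the blob is truncated or the name too long. */
int parse_sigtype(const uint8_t *sig, size_t len, char *out, size_t outlen)
{
	if (len < 4)
		return -1;
	uint32_t n = ((uint32_t)sig[0] << 24) | ((uint32_t)sig[1] << 16) |
	    ((uint32_t)sig[2] << 8) | sig[3];
	if (n > len - 4 || n + 1 > outlen)
		return -1;
	memcpy(out, sig + 4, n);
	out[n] = '\0';
	return 0;
}

/* A certificate key signs with its underlying key's algorithm, so strip the
 * OpenSSH certificate suffix to get the name expected in the signature.
 * Assumed simplified model (RSA SHA-2 variants not handled). */
static const char *base_alg(const char *keyalg, char *buf, size_t buflen)
{
	static const char suffix[] = "-cert-v01@openssh.com";
	size_t kl = strlen(keyalg), sl = strlen(suffix);
	if (kl > sl && strcmp(keyalg + kl - sl, suffix) == 0 && kl - sl < buflen) {
		memcpy(buf, keyalg, kl - sl);
		buf[kl - sl] = '\0';
		return buf;
	}
	return keyalg;
}

/* Model of check_sigtype(): 0 = signature type matches, 1 = mismatch (the
 * warning case), -1 = unparsable blob. With cert_aware == 0 the full key
 * algorithm name is compared, which is what produced the false positive. */
int check_sigtype_model(const char *keyalg, const uint8_t *sig, size_t len,
    int cert_aware)
{
	char sigtype[64], basebuf[64];
	if (parse_sigtype(sig, len, sigtype, sizeof sigtype) != 0)
		return -1;
	const char *expected = cert_aware ? base_alg(keyalg, basebuf, sizeof basebuf)
	    : keyalg;
	return strcmp(sigtype, expected) == 0 ? 0 : 1;
}

/* Build a blob carrying sigtype and check it against keyalg. */
int demo_case(const char *keyalg, const char *sigtype, int cert_aware)
{
	uint8_t blob[64];
	size_t n = build_sig_blob(sigtype, blob, sizeof blob);
	return n == 0 ? -1 : check_sigtype_model(keyalg, blob, n, cert_aware);
}

int main(void)
{
	const char *cert = "ssh-ed25519-cert-v01@openssh.com";
	printf("cert key, naive compare:      %d (1 = false positive)\n",
	    demo_case(cert, "ssh-ed25519", 0));
	printf("cert key, cert-aware compare: %d (0 = accepted)\n",
	    demo_case(cert, "ssh-ed25519", 1));
	printf("cert key, wrong sig type:     %d (1 = real mismatch)\n",
	    demo_case(cert, "ssh-rsa", 1));
	return 0;
}
```

The third case is the reason to prefer comparing against the base algorithm over skipping the check for certificates: a signature whose type does not match the key at all is still reported, while the legitimate cert-key case no longer warns.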
