On Fri, 23 Mar 2018, Peter Moody wrote:
> > Live testing on suitable non-production systems is also appreciated.
> > Please send reports of success or failure to
> > openssh-unix-dev@xxxxxxxxxxx. Security bugs should be reported
> > directly to openssh@xxxxxxxxxxx.
>
> I've got one weird case.
>
> doing pubkey auth with certificates, if I have both the key and cert
> loaded in my agent, I see:
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519)
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
>
> pmoody@host:~$
>
> but if I only have the certificate, I see:
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh-add -l
> 256 SHA256:byQi9IUy4F9Osg/977BQ/zyOHG2Yvlz0nSqpADvlZpQ (ED25519-CERT)
>
> $ env SSH_AUTH_SOCK=/tmp/ssh.sock2 ./ssh host
> warning: agent returned different signature type ssh-ed25519 (expected
> ssh-ed25519-cert-v01@xxxxxxxxxxx)
Looks like a false positive from the warning code I added recently.
Please try this:
diff --git a/sshconnect2.c b/sshconnect2.c
index bf0b729..49eb205 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1006,6 +1006,8 @@ check_sigtype(const struct sshkey *key, const u_char *sig, size_t len)
char *sigtype = NULL;
const char *alg = key_sign_encode(key);
+ if (sshkey_is_cert(key))
+ return 0;
if ((r = sshkey_sigtype(sig, len, &sigtype)) != 0)
return r;
if (strcmp(sigtype, alg) != 0) {
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
