Re: [PATCH 0/2] Specify signature algorithm during server hostkeys prove

Thanks, these have all been committed and will be in openssh-10.0.

Thanks especially for writing the regression test.

-d

On Tue, 12 Nov 2024, maximejeanrey@xxxxxxxxx wrote:

> From: Maxime Rey <maximejeanrey@xxxxxxxxx>
> 
> Hello,
> 
> I've discovered an issue with sshd when it's configured to use the SSH agent
> alongside multiple host keys. Specifically, this problem happens during the
> hostkeys-prove-00@xxxxxxxxxxx request, when the server attempts to
> demonstrate ownership of the host keys by calling the agent.
> 
> The issue occurs because, while processing the hostkeys-prove-00@xxxxxxxxxxx
> request, sshd does not specify the signature algorithm in its call to
> the agent. As a result, when sshd attempts to verify the response, it
> encounters an error due to the missing algorithm specification.
> 
> To address this, I have made two contributions:
> 
>     1 - A modified hostkey-agent.sh regression test that reproduces the issue
>     under these conditions.
>     2 - A patch in serverloop.c to correct the error
>     by ensuring the algorithm is explicitly specified during the
>     hostkeys-prove-00@xxxxxxxxxxx response.
> 
> Thank you for your time and feedback.
> 
> Best regards,
> Maxime
> 
> Maxime Rey (2):
>   Add test to cover multiple server hostkeys with agent
>   Specify signature algorithm during server hostkeys prove
> 
>  regress/hostkey-agent.sh | 31 +++++++++++++++++++++++++++++++
>  serverloop.c             |  3 +++
>  2 files changed, 34 insertions(+)
> 
> -- 
> 2.47.0
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
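An added illustration (not code from the patch set or from OpenSSH) of why the missing algorithm matters: the SSH agent protocol carries the requested RSA signature algorithm only as flags in the sign request, so a caller that passes no algorithm gets an ssh-rsa signature back, and any check that insists on the negotiated rsa-sha2-* type then fails. The agent here is a constructed mock that applies only the algorithm-selection rule; the key, data and signature bytes are placeholders.

```python
import struct

# Wire constants from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14
SSH_AGENT_RSA_SHA2_256, SSH_AGENT_RSA_SHA2_512 = 0x02, 0x04
FLAGS_FOR_ALG = {None: 0, "ssh-rsa": 0, "rsa-sha2-256": SSH_AGENT_RSA_SHA2_256,
                 "rsa-sha2-512": SSH_AGENT_RSA_SHA2_512}

def ssh_string(b: bytes) -> bytes:  # SSH 'string': uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def parse_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sign_request(key_blob: bytes, data: bytes, alg) -> bytes:
    """SSH_AGENTC_SIGN_REQUEST. The trailing flags word is the only way to tell
    the agent which RSA signature algorithm to use; alg=None mirrors the
    pre-fix sshd call, which sent no flags."""
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", FLAGS_FOR_ALG[alg]))

def mock_agent_sign(request: bytes) -> bytes:
    """Constructed stand-in for ssh-agent holding an RSA key: no real signing,
    only the agent's selection rule (SHA-2 flag -> rsa-sha2-*, else ssh-rsa)."""
    assert request[0] == SSH_AGENTC_SIGN_REQUEST
    _key, off = parse_string(request, 1)
    data, off = parse_string(request, off)
    (flags,) = struct.unpack_from(">I", request, off)
    if flags & SSH_AGENT_RSA_SHA2_512:
        name = b"rsa-sha2-512"
    elif flags & SSH_AGENT_RSA_SHA2_256:
        name = b"rsa-sha2-256"
    else:
        name = b"ssh-rsa"
    sig_blob = ssh_string(name) + ssh_string(b"<constructed sig over " + data + b">")
    return bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(sig_blob)

def signature_algorithm(response: bytes) -> str:
    """The algorithm name is the first string inside the returned signature."""
    sig_blob, _ = parse_string(response, 1)
    name, _ = parse_string(sig_blob, 0)
    return name.decode()

def prove_hostkey(alg_requested, alg_required: str) -> bool:
    """Hostkeys-prove round trip: ask the agent to sign, then check the
    signature type against the algorithm the verifier insists on."""
    req = build_sign_request(b"<constructed RSA blob>", b"<prove data>", alg_requested)
    return signature_algorithm(mock_agent_sign(req)) == alg_required
```

`prove_hostkey(None, "rsa-sha2-512")` reproduces the reported failure mode, while passing the algorithm explicitly makes the round trip succeed.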