Flag RSA SHA1 deprecation when loading keys #12415

Merged: 1 commit merged into hashicorp:main from ssh-rsa-dep-fix, Jun 22, 2021

Conversation

@chrisroberts (Member) commented Jun 11, 2021

Set flag on RSA keys of deprecated RSA SHA1 support when loading
keys based on server version of the transport. This ensures keys
are properly flagged. Flag name has been updated to provide context
on usage.

Version matching on the OpenSSH server version has also been updated
to handle customized naming in the version string (as seen in the
Windows port) and to properly handle when no match is found.

Fixes #12344
Fixes #12408
Fixes #12381

    Set flag on RSA keys of deprecated RSA SHA1 support when loading
    keys based on server version of the transport. This ensures keys
    are properly flagged. Flag name has been updated to provide context
    on usage.

    Version matching on the OpenSSH server version has also been updated
    to handle customized naming in the version string (as seen in the
    Windows port) and to properly handle when no match is found.

    Fixes hashicorp#12344 hashicorp#12408 hashicorp#12381
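The banner-based check the description above outlines, as an added example that is not Vagrant's or net-ssh's own code: it pulls the OpenSSH version out of the server identification string, tolerates the customised product naming of the Windows port, and returns no match instead of raising when the banner is not OpenSSH. The 8.3 cutoff is the version the discussion further down cites as where ssh-rsa signatures start failing, held in a constant you would set for your environment; all names are assumptions.

```ruby
require "rubygems" # Gem::Version (loaded by default on current Rubies)

# Added example (not Vagrant's or net-ssh's code): decide from the server
# identification banner whether the peer is an OpenSSH build at or above
# the version from which the discussion reports ssh-rsa (SHA-1) failing.
# The 8.3 threshold is taken from the PR discussion; treat it as a setting.
SSH_RSA_SHA1_DEPRECATED_FROM = Gem::Version.new("8.3")

# Pull the OpenSSH version out of banners such as
#   "SSH-2.0-OpenSSH_8.4p1 Debian-2"              -> 8.4
#   "SSH-2.0-OpenSSH_for_Windows_8.1"             -> 8.1 (customised name)
#   "SSH-2.0-dropbear_2020.81", "SSH-2.0-OpenSSH" -> nil (no match)
def openssh_version(server_version)
  return nil unless server_version.is_a?(String)
  m = server_version.match(/OpenSSH(?:_[A-Za-z]+)*_(\d+\.\d+)(?:p\d+)?/)
  return nil unless m
  # Gem::Version compares numerically per segment, so 8.10 > 8.3,
  # which a plain string comparison would get wrong.
  Gem::Version.new(m[1])
rescue ArgumentError
  nil
end

# True only when the banner is OpenSSH and the version is at or after the
# cutoff; an unparsable banner yields false rather than an exception.
def rsa_sha1_deprecated?(server_version)
  ver = openssh_version(server_version)
  !ver.nil? && ver >= SSH_RSA_SHA1_DEPRECATED_FROM
end
```

A banner check like this only recognises OpenSSH; a server advertising its host-key algorithms in KEXINIT is the authoritative source, as the discussion below notes.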
@berlin4apk

@chrisroberts sorry but I think this is the wrong way,
as it will only work with OpenSSH and miss all the other SSH server daemons; some are listed here https://en.m.wikipedia.org/wiki/Comparison_of_SSH_servers

This may help:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?content-type=text/plain
"These RSA/SHA-2 types should not appear in keys at rest or transmitted
on the wire, but do appear in a SSH_MSG_KEXINIT's host-key algorithms
field or in the "public key algorithm name" field of a "publickey"
SSH_USERAUTH_REQUEST to indicate that the signature will use the
specified algorithm."

@berlin4apk

Since RSA keys are not dependent on the choice of hash function, the
new public key algorithms reuse the "ssh-rsa" public key format as
defined in [RFC4253]:

string    "ssh-rsa"
mpint     e
mpint     n

All aspects of the "ssh-rsa" format are kept, including the encoded
string "ssh-rsa". This allows existing RSA keys to be used with the
new public key algorithms, without requiring re-encoding, or affecting
already trusted key fingerprints.

Signing and verifying using these algorithms is performed according to
the RSASSA-PKCS1-v1_5 scheme in [RFC8017] using SHA-2 [SHS] as hash.

For the algorithm "rsa-sha2-256", the hash used is SHA-256.
For the algorithm "rsa-sha2-512", the hash used is SHA-512.

The resulting signature is encoded as follows:

string    "rsa-sha2-256" / "rsa-sha2-512"
string    rsa_signature_blob

The value for 'rsa_signature_blob' is encoded as a string containing
S - an octet string which is the output of RSASSA-PKCS1-v1_5, of
length equal to the length in octets of the RSA modulus.
https://datatracker.ietf.org/doc/html/draft-ietf-curdle-rsa-sha2-12
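The formats quoted above, worked through in Ruby as an added example that is not from the draft, net-ssh or Vagrant: the unchanged "ssh-rsa" public key blob (whose fingerprint the algorithm choice does not touch) and the rsa-sha2-256 / rsa-sha2-512 signature blob as string(algorithm) || string(S), with S required to be exactly the modulus length. Helper names are assumptions.

```ruby
require "openssl"

# SSH wire "string": uint32 big-endian length + bytes (RFC 4251).
# Added helpers, not net-ssh's own implementation.
def ssh_string(bytes)
  [bytes.bytesize].pack("N") + bytes.b
end

# SSH "mpint": two's-complement big-endian; a leading 0x00 keeps a
# positive value whose top bit is set from reading as negative.
def ssh_mpint(bn)
  bytes = bn.to_s(2)
  bytes = "\x00".b + bytes if bytes.getbyte(0).to_i >= 0x80
  ssh_string(bytes)
end

# Public key blob: the unchanged RFC 4253 "ssh-rsa" format that the
# rsa-sha2-* algorithms reuse, so the fingerprint stays the same.
def ssh_rsa_public_blob(key)
  ssh_string("ssh-rsa") + ssh_mpint(key.e) + ssh_mpint(key.n)
end

def fingerprint(blob)
  "SHA256:" + [OpenSSL::Digest::SHA256.digest(blob)].pack("m0").delete("=")
end

# The algorithm name selects only the hash; key and blob do not change.
HASHES = { "ssh-rsa" => "SHA1", "rsa-sha2-256" => "SHA256",
           "rsa-sha2-512" => "SHA512" }.freeze

# RSASSA-PKCS1-v1_5 signature, encoded as string(alg) || string(S).
def ssh_sign(key, alg, data)
  ssh_string(alg) + ssh_string(key.sign(OpenSSL::Digest.new(HASHES.fetch(alg)), data))
end

# Parse string(alg) || string(S) and verify; S must be exactly as long as
# the modulus, truncated blobs and unknown algorithm names are rejected.
def ssh_verify(pub, sig_blob, data)
  sig_blob = sig_blob.b
  alg_len = sig_blob[0, 4].unpack1("N")
  alg = sig_blob[4, alg_len]
  s_len = sig_blob[4 + alg_len, 4].unpack1("N")
  s = sig_blob[8 + alg_len, s_len]
  return false unless s && s.bytesize == s_len && s_len == pub.n.num_bytes
  pub.verify(OpenSSL::Digest.new(HASHES.fetch(alg)), s, data)
rescue KeyError, TypeError, NoMethodError, OpenSSL::PKey::PKeyError
  false
end
```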

@chrisroberts (Member, Author)

@berlin4apk Aside from issues with other ssh server implementations (have any others fully deprecated the ssh-rsa signature?) I'm not clear on why you think this is the wrong direction. The copied sections you pasted don't really provide much context on your objection. Could you state more clearly what you think is incorrect? Thanks.

@berlin4apk

The way via the server version string will break too easily.
If we can, we should get the supported ALG out of the session infos from the session initiation,
or, if that's not possible, try them out one after the other at connection time, not at the time of the key loading.

See also https://github.com/net-ssh/net-ssh/pull/811/commits

@chrisroberts (Member, Author)

Currently I'm unaware of any other server implementations affected outside of OpenSSH (and its derivatives). These modifications are not meant to be a long term fix; rather, they are simply patches for things to work until support is available upstream (this is why the patches are only applied if a specific version of the ssh library is loaded, which is the currently released version right now). Detecting based on the session is ideal; however, from the point of view of monkey patching the library after it has been loaded, it is much more difficult. The patch in its current state will allow things to continue working where it is currently known to fail (openssh versions 8.3 and greater) and will no longer be applicable once the library can be upgraded.

@chrisroberts chrisroberts merged commit ac95831 into hashicorp:main Jun 22, 2021
@chrisroberts chrisroberts deleted the ssh-rsa-dep-fix branch June 22, 2021 22:48
@github-actions (bot)

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 23, 2021