x/crypto/ssh: can't establish ssh connection using signed key #54027
Comments
|
Hi @FiloSottile , here is an issue I filed per your request. Thanks! |
|
cc @FiloSottile @golang/security |
cherrymui
added
the
NeedsInvestigation
cherrymui
changed the title
|
Folks, do you have any news on this by any chance? |
|
Any help with resolving this issue will be very much appreciated. |
|
@kt97679 Can you run ssh-agent with -d option and test running your program again? and copy-paste the output once the program exit. |
|
@shuLhan please find output below. Please let me know if there is anything else I can do to help with debugging. |
|
Tried today, still see failure: Can I provide more details to help with the fix of this issue? |
|
Issue is still there: It seems that this is a regression. I have old binary that works with signed keys ok and here is dependency: |
|
issue is reproducible with golang.org/x/crypto v0.5.0 |
|
Hi folks, I found list of versions here: https://deps.dev/go/golang.org%2Fx%2Fcrypto/v0.0.0-20151201002508-7b85b097bf75/versions and was able to identify versions where issue was introduced: I really hope this will help with fixing this issue. Thank you. |
|
From what I see issue is related to this change: golang/crypto@5d542ad#diff-bb5baf29632fd3d0305064ad6e6dc4b9849778a8cd1513f08cf9e866c61210acL775-L783 |
|
I see the same issue as you, and I was so far unable to get a workaround. To me this seems pretty much broken. |
- golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+ golang.org/x/crypto v0.12.0
now i am stuck too |
|
Hey, I just this exact same case. $ ssh USER@IP
// OK - working as expected$ echo $SSH_AUTH_SOCK
/private/tmp/com.apple.launchd.REDACTED/Listeners
$ ssh-add -l
The agent has no identities.
$ cat ~/.ssh/config
Host *
IdentityAgent "~/Library/Group Containers/REDACT.com.1password/t/agent.sock"Minimal reproducible code snippet adopted from: https://cs.opensource.google/go/x/crypto/+/master:ssh/agent/example_test.go;drc=ac88ee75c92c889b97e05591e9a39b6480c538b3 package main
import (
"log"
"net"
"os"
"golang.org/x/crypto/ssh"
"golang.org/x/crypto/ssh/agent"
)
func main() {
socket := os.Getenv("SSH_AUTH_SOCK")
conn, err := net.Dial("unix", socket)
if err != nil {
log.Fatalf("Failed to open SSH_AUTH_SOCK: %v", err)
}
agentClient := agent.NewClient(conn)
signers, err := agentClient.Signers()
if err != nil {
log.Fatal(err)
}
println("signers", len(signers))
config := &ssh.ClientConfig{
User: "USER",
Auth: []ssh.AuthMethod{
ssh.PublicKeysCallback(agentClient.Signers),
},
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
sshc, err := ssh.Dial("tcp", "IP:22", config)
if err != nil {
log.Fatal(err)
}
sshc.Close()
}
Resulting with error: Issue still persist with Environment:
EDIT:
EDIT2: OK. Found the issue.
- /private/tmp/com.apple.launchd.REDACT/Listeners
+ SSH_AUTH_SOCK=~/Library/Group\ Containers/REDACT.com.1password/t/agent.sockSorry for inconveniences. Keeping this here in case someone have similar case in the future. Footnotes |
|
after upgrade these two pkgs, It finally works! from golang.org/x/crypto v0.0.0-20200208060501-ecb85df21340
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 // indirectto golang.org/x/crypto v0.14.0
golang.org/x/sys v0.13.0 |
What are the commands to update it? |
Hello, the linked CL is included in v0.16.0. I used the test program provided and can't replicate the issue: here is the go.mod If I set golang.org/x/crypto v0.15.0 in go.mod I can replicate the issue so it seems fixed. Please confirm that you are testing with x/crypto v0.16.0 and provide additional info if the issue is not fixed for you. Thank you |
|
@drakkan thanks for the follow up. We've done more digging and uncovered the root cause. I've opened an issue with more details in #64785. The tl;dr is the remote server we're interacting with is not compliant with the RFC. The reason why we're able to bisect this error message back to the same commit as others is that the commit introduced the |
|
Its fixed the issue
please use the below commands: if possible update go version to latest |
|
Change https://go.dev/cl/573360 mentions this issue: |
According to RFC 4252 Section 7 the algorithm in SSH_MSG_USERAUTH_PK_OK should match that of the request but some servers send the key type instead. OpenSSH checks for the key type, so we do the same. Fixes golang/go#66438 Fixes golang/go#64785 Fixes golang/go#56342 Fixes golang/go#54027 Change-Id: I2f733f0faece097e44ba7a97c868d30a53e21d79 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/573360 Auto-Submit: Nicola Murino <nicola.murino@gmail.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Run-TryBot: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Joedian Reid <joedian@google.com>
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (
go env)?ubuntu 18.04 amd64
go envOutputWhat did you do?
What did you expect to see?
Connection is established using signed key.
What did you see instead?
Connection is not established with an error message:
Additional information
I have 2 keys in the agent and I can connect ok via ssh command to 127.0.0.1 (accepts only unsigned keys) and 10.19.197.10 (accepts only signed keys):
Versions of the ssh components are in the output above.
The text was updated successfully, but these errors were encountered: