Skip to content
This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

SSH publickey-hostbound method doesn't work? #331

Open
AlexanderPavlenko opened this issue Aug 15, 2022 · 2 comments
Open

SSH publickey-hostbound method doesn't work? #331

AlexanderPavlenko opened this issue Aug 15, 2022 · 2 comments

Comments

@AlexanderPavlenko
Copy link

https://www.openssh.com/agent-restrict.html#authverify

openssh-server 1:8.9p1-3 arm64

debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
...
debug1: Server accepts key: /.../id_krypton.pub RSA SHA256:rLDF...9hr8 explicit agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with RSA SHA256:rLDF...9hr8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:rLDF...9hr8
sign_and_send_pubkey: signing failed for RSA "/.../id_krypton.pub" from agent: agent refused operation

vs.

openssh-server 1:8.2p1-4ubuntu0.1 amd64

debug1: Server accepts key: /.../id_krypton.pub RSA SHA256:rLDF...9hr8 explicit agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:rLDF...9hr8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:rLDF...9hr8
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Success. Request Allowed ✔
@andriisemenov-emma
Copy link

Same here OpenSSL 3.0.2
Is there any solution?

@cheahjs
Copy link

cheahjs commented Jul 5, 2023

Looking into this, unfortunately with how things are architected, this requires an update to the mobile apps as well.

Currently the daemon is failing to parse the signature payload as the agent restriction change modified the payload to include an additional server host key field. ssh.Unmarshal errors out if after unmarshaling there is still data in the buffer. This can be fixed with

type signaturePayload struct {
	Session []byte
	Type    byte
	User    string
	Service string
	Method  string
	Sign    bool
	Algo    []byte
	PubKey  []byte
	// OpenSSH 8.9 modifies the struct, use the "rest" tag to either take an empty slice on older versions, or the host key on newer versions
	ServerHostKey  []byte `ssh:"rest"`
}

However, the daemon<>app protocol attempts to optimise the payload that is sent over the wire, so the public key is omitted from the signature payload, and the mobile app is responsible for appending the key to the payload to be signed.

https://github.com/kryptco/krypton-android/blob/37e97026e48e0123ab580793a2c19674e96ecc4e/app/src/main/java/co/krypt/krypton/crypto/EdSSHKeyPair.java#L77-L91

This is problematic with agent restriction, as the new server host key comes after the public key, which means without changes to the mobile apps, it is not possible to get the apps to sign the correct payload.

The new Akamai akr tool doesn't suffer from this as it treats the signature payload as an opaque blob to sign.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AlexanderPavlenko @cheahjs @andriisemenov-emma