Re: SSH Server API function to decrypt client signature

[Jakub Jelen <jjelen@xxxxxxxxxx>]

On 11/19/20 3:21 PM, Bruno Buzzi Brassesco wrote:
> Hi,
>
> Implementing a SSH Server with Libssh i got two problems with the API:
>
> It suppose that the client sends a SSH_AUTH_REQUEST to the Server and 
> the Server checks that:
> 1) The specified public key is acceptable (in the user's authorized keys)
> 2) Decrypting the signature with the specified public key, produces the 
> session identifier.
> (https://tools.ietf.org/html/rfc4252#section-7 
> <https://tools.ietf.org/html/rfc4252#section-7>)

The signature is not decrypted, but verified using the public key.

> * Which API function has to be used to get the session identifier ?

This part is in the SSH protocol so you should not need to care about 
that. The session ID is derived during key exchange.

> * Which API function has to be used to decrypt the signature of session 
> identifier ?

Again, this is nothing you need to care for. You are getting just the 
key and signature state (SSH_PUBLICKEY_STATE_VALID saying the signature 
is valid).

There are some test implementation available in tests:

https://gitlab.com/libssh/libssh-mirror/-/blob/master/tests/pkd/pkd_daemon.c#L233

Even better example is in here even with example of importing public 
keys and verifying the key matches one of the authorized keys files:

https://gitlab.com/libssh/libssh-mirror/-/blob/master/examples/ssh_server_fork.c#L584

Regards,
Jakub

> Unfortunately some SSH Server examples does not have a public key 
> authentication included:
> https://github.com/substack/libssh/blob/master/examples/samplesshd.c 
> <https://github.com/substack/libssh/blob/master/examples/samplesshd.c>
> https://github.com/substack/libssh/blob/master/examples/samplesshd-tty.c 
> <https://github.com/substack/libssh/blob/master/examples/samplesshd-tty.c>
>
> regards,
> bruno


--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.