[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fix for ecdsa agent pub key auth


On Wed, 2019-04-03 at 11:01 +0300, Yury Korolev wrote:
> Hi,
> 
> I was trying to use ecdsa key with agent auth and get error:
> 
> ssh_packet_socket_callback: packet: read type 60
> [len=140,padding=7,comp=132,payload=132]
> ssh_packet_process: Dispatching handler for packet type 60
> ssh_userauth_agent: Public key of id_ecdsa accepted by server
> ssh_key_algorithm_allowed: Checking ssh-ecdsa with list <ssh-
> ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-
> nistp521,ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-dss>
> ssh_userauth_agent_publickey: The key algorithm 'ssh-ecdsa' is not
> allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
> ssh_userauth_agent: Server accepted public key but refused the
> signature
> 
> I think, this commit misses agent pubkey auth part:
> https://gitlab.com/yurykorolev/libssh-mirror/commit/e5170107c9e38f49adb7865a019e6931ad9803d2
> <https://gitlab.com/yurykorolev/libssh-
> mirror/commit/e5170107c9e38f49adb7865a019e6931ad9803d2>
> 
> Patch is attached.

Hello.
Thank you for the patch. You are right, the agent authentication was
for some reason omitted from that patch. We should take also this
opportunity to extend the testsuite with this use case (probably only
RSA is tested with agent?). Could you try to update the testsuite with
this failing use case?

In the meantime, there is already a patch solving this issue proposed
in the upstream PR 7:

https://gitlab.com/libssh/libssh-mirror/merge_requests/7/diffs#c52234782f1f4d13916324a8b884434782826ee5

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.


References:
Fix for ecdsa agent pub key authYury Korolev <yurykorolev@xxxxxx>
Archive administrator: postmaster@lists.cynapses.org