
Re: SSH Server API function to decrypt client signature


On 11/19/20 3:21 PM, Bruno Buzzi Brassesco wrote:
Hi,

Implementing an SSH server with libssh I got two problems with the API:

Suppose that the client sends an SSH_AUTH_REQUEST to the server and the server checks that:
1) The specified public key is acceptable (in the user's authorized keys)
2) Decrypting the signature with the specified public key produces the session identifier. (https://tools.ietf.org/html/rfc4252#section-7)

The signature is not decrypted, but verified using the public key.

* Which API function has to be used to get the session identifier ?

This part is in the SSH protocol so you should not need to care about that. The session ID is derived during key exchange.

* Which API function has to be used to decrypt the signature of session identifier ?

Again, this is nothing you need to care about. You just get the key and the signature state (SSH_PUBLICKEY_STATE_VALID saying the signature is valid).

There is a test implementation available in tests:

https://gitlab.com/libssh/libssh-mirror/-/blob/master/tests/pkd/pkd_daemon.c#L233

An even better example is here, with an example of importing public keys and verifying that the key matches one of the authorized keys files:

https://gitlab.com/libssh/libssh-mirror/-/blob/master/examples/ssh_server_fork.c#L584

Regards,
Jakub

Unfortunately some SSH server examples do not have public key authentication included: https://github.com/substack/libssh/blob/master/examples/samplesshd.c https://github.com/substack/libssh/blob/master/examples/samplesshd-tty.c

regards,
bruno


--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.

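The point of the reply above is that a libssh server never touches the signature itself: by the time the auth_pubkey callback runs, libssh has already verified the client's signature over the session identifier and reports the outcome in signature_state, so the only decision left to the server is whether the presented key is in the user's authorized keys. The following is an added example (not code from the original thread, from libssh or from its examples) that implements exactly that decision: a matcher for authorized_keys lines that copes with an options prefix and quoted strings, and the signature_state logic from RFC 4252 section 7, where a request without a signature is only a probe ("would you accept this key?") and must never log the user in. The authorized_keys contents and key blobs are constructed placeholders, not real keys; the PK_STATE_* and AUTH_* constants mirror libssh's values so the logic builds without the library, and the libssh glue at the bottom (the callback, and the hypothetical struct user_keys carrying the per-user file) is compiled only when the assumed macro WITH_LIBSSH is defined.

```c
/* Added example: public-key authorization decision for a libssh server.
 * The signature over the session identifier is verified by libssh before the
 * callback runs; this code only answers "is the key authorized, and what does
 * the current signature_state allow?".  Key material below is constructed. */
#include <stdio.h>
#include <string.h>

/* Mirrors of libssh's #defines/enum values (libssh.h), kept local so the
 * decision logic can be built and tested without linking libssh. */
#define PK_STATE_NONE  0  /* SSH_PUBLICKEY_STATE_NONE: probe, no signature yet */
#define PK_STATE_VALID 1  /* SSH_PUBLICKEY_STATE_VALID: signature verified  */
#define AUTH_SUCCESS   0  /* SSH_AUTH_SUCCESS */
#define AUTH_DENIED    1  /* SSH_AUTH_DENIED  */

/* Constructed authorized_keys contents: none of these blobs is a real key.
 * Line 2 hides an ed25519 key inside a quoted command= option, line 3 is
 * commented out; a correct matcher must accept neither. */
const char AUTHORIZED_KEYS_SAMPLE[] =
    "# constructed sample, not real keys\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEblobOneNotARealKey0000000000000 alice@laptop\n"
    "no-pty,command=\"echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEblobTwoNotARealKey00000000000\""
    " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQEXAMPLErsaBlobNotARealKey000000000 backup@host\n"
    "#ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEblobThreeRevokedKey000000000000 old@box\n";

/* Does one authorized_keys line carry exactly this key?  Lines look like
 *   [options] key-type base64-blob [comment]
 * Options may contain spaces inside double quotes, so the key type is found
 * by scanning for a token that equals `type` outside quotes, not by position.
 * Returns 1 on match, 0 otherwise. */
static int line_matches(const char *line, const char *type, const char *b64)
{
    size_t tlen = strlen(type), blen = strlen(b64);
    int in_quote = 0, at_token = 1;
    const char *p;

    if (*line == '#' || *line == '\0' || *line == '\n')
        return 0;
    for (p = line; *p != '\0' && *p != '\n'; p++) {
        if (*p == '"') { in_quote = !in_quote; at_token = 0; continue; }
        if (in_quote) continue;
        if (*p == ' ' || *p == '\t') { at_token = 1; continue; }
        if (at_token && strncmp(p, type, tlen) == 0 &&
            (p[tlen] == ' ' || p[tlen] == '\t')) {
            p += tlen;
            while (*p == ' ' || *p == '\t') p++;
            /* The blob must match completely: a prefix match is a different key. */
            return strncmp(p, b64, blen) == 0 &&
                   (p[blen] == ' ' || p[blen] == '\t' || p[blen] == '\n' || p[blen] == '\0');
        }
        at_token = 0;
    }
    return 0;
}

/* Scan a whole authorized_keys file already read into memory. */
int authorized_keys_contains(const char *contents, const char *type, const char *b64)
{
    const char *line = contents, *nl;
    while (*line != '\0') {
        if (line_matches(line, type, b64)) return 1;
        nl = strchr(line, '\n');
        if (nl == NULL) break;
        line = nl + 1;
    }
    return 0;
}

/* Answer for one userauth request.  With PK_STATE_NONE the client has sent no
 * signature (the RFC 4252 section 7 probe): SUCCESS there only tells libssh to
 * reply SSH_MSG_USERAUTH_PK_OK, it does not log anyone in.  Only PK_STATE_VALID
 * authenticates; every other state (error, wrong signature) is denied. */
int auth_decision(int key_authorized, char signature_state)
{
    if (!key_authorized) return AUTH_DENIED;
    if (signature_state == PK_STATE_NONE) return AUTH_SUCCESS;   /* key acceptable */
    if (signature_state == PK_STATE_VALID) return AUTH_SUCCESS;  /* signature ok   */
    return AUTH_DENIED;
}

#ifdef WITH_LIBSSH   /* assumed build flag; glue into libssh's server callbacks */
#include <libssh/libssh.h>
#include <libssh/server.h>
#include <libssh/callbacks.h>

struct user_keys { const char *authorized_keys; };  /* hypothetical userdata */

static int auth_pubkey_cb(ssh_session session, const char *user,
                          struct ssh_key_struct *pubkey, char signature_state,
                          void *userdata)
{
    struct user_keys *uk = userdata;
    const char *type = ssh_key_type_to_char(ssh_key_type(pubkey));
    char *b64 = NULL;
    int authorized;

    (void)session; (void)user;
    if (ssh_pki_export_pubkey_base64(pubkey, &b64) != SSH_OK) return SSH_AUTH_DENIED;
    authorized = authorized_keys_contains(uk->authorized_keys, type, b64);
    ssh_string_free_char(b64);
    return auth_decision(authorized, signature_state) == AUTH_SUCCESS
           ? SSH_AUTH_SUCCESS : SSH_AUTH_DENIED;
}
/* Register with: struct ssh_server_callbacks_struct cb = { .userdata = &uk,
 *   .auth_pubkey_function = auth_pubkey_cb }; ssh_callbacks_init(&cb);
 *   ssh_set_server_callbacks(session, &cb); */
#endif

int main(void)
{
    const char *blob = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEblobOneNotARealKey0000000000000";
    int ok = authorized_keys_contains(AUTHORIZED_KEYS_SAMPLE, "ssh-ed25519", blob);
    printf("probe: %s\n", auth_decision(ok, PK_STATE_NONE) == AUTH_SUCCESS ? "pk_ok" : "denied");
    printf("signed: %s\n", auth_decision(ok, PK_STATE_VALID) == AUTH_SUCCESS ? "success" : "denied");
    return 0;
}
```

The matcher compares the canonical base64 of the key blob as a string, which is equivalent to comparing the decoded blobs as long as both sides were produced by a standard encoder; when the key arrives through libssh, ssh_key_cmp(presented, imported, SSH_KEY_CMP_PUBLIC) on a key imported with ssh_pki_import_pubkey_base64 is the library's own way to make the same comparison.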

References:
SSH Server API function to decrypt client signatureBruno Buzzi Brassesco <bruno.brasesco@xxxxxxxxx>