search

kryptco / kr

DEPRECATED A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.
https://krypt.co/developers/
Other
1.59k stars 109 forks source link

SSH publickey-hostbound method doesn't work? #331

Open AlexanderPavlenko opened 2 years ago

AlexanderPavlenko commented 2 years ago

https://www.openssh.com/agent-restrict.html#authverify

openssh-server 1:8.9p1-3 arm64

debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
...
debug1: Server accepts key: /.../id_krypton.pub RSA SHA256:rLDF...9hr8 explicit agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with RSA SHA256:rLDF...9hr8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:rLDF...9hr8
sign_and_send_pubkey: signing failed for RSA "/.../id_krypton.pub" from agent: agent refused operation

vs.

openssh-server 1:8.2p1-4ubuntu0.1 amd64

debug1: Server accepts key: /.../id_krypton.pub RSA SHA256:rLDF...9hr8 explicit agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:rLDF...9hr8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:rLDF...9hr8
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Success. Request Allowed ✔
andriisemenov-emma commented 1 year ago

Same here OpenSSL 3.0.2 Is there any solution?

cheahjs commented 1 year ago

Looking into this, unfortunately with how things are architected, this requires an update to the mobile apps as well.

Currently the daemon is failing to parse the signature payload as the agent restriction change modified the payload to include an additional server host key field. ssh.Unmarshal errors out if after unmarshaling there is still data in the buffer. This can be fixed with

type signaturePayload struct {
    Session []byte
    Type    byte
    User    string
    Service string
    Method  string
    Sign    bool
    Algo    []byte
    PubKey  []byte
    // OpenSSH 8.9 modifies the struct, use the "rest" tag to either take an empty slice on older versions, or the host key on newer versions
    ServerHostKey  []byte `ssh:"rest"`
}

However, the daemon<>app protocol attempts to optimise the payload that is sent over the wire, so the public key is omitted from the signature payload, and the mobile app is responsible for appending the key to the payload to be signed.

https://github.com/kryptco/krypton-android/blob/37e97026e48e0123ab580793a2c19674e96ecc4e/app/src/main/java/co/krypt/krypton/crypto/EdSSHKeyPair.java#L77-L91

This is problematic with agent restriction, as the new server host key comes after the public key, which means without changes to the mobile apps, it is not possible to get the apps to sign the correct payload.

The new Akamai akr tool doesn't suffer from this as it treats the signature payload as an opaque blob to sign.