pkd_hello fails for some host key types
Open, Low, Public

Description

pkd_hello fails on Ubuntu 18.04 because rsa-sha2-256-cert-v01@openssh.com and rsa-sha2-512-cert-v01@openssh.com are not supported on the OpenSSH version it's running (OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017).

The following patch works for me but it's obviously not good for merging:

commit 9f5e0bb7d4432705f069c22f2b049ca3cfa35805 (HEAD -> master)
Author: Aris Adamantiadis <aris@0xbadc0de.be>
Date:   Fri Sep 13 17:04:49 2019 +0200

    WIP: ciphers not recognized by ssh

diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h
index 474ca174..d6e85e29 100644
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -16,7 +16,7 @@
 #define OPENSSH_KEYGEN "ssh-keygen"
 
 #define OPENSSH_HOSTKEY_ALGOS_DEFAULT "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"
-#define OPENSSH_PKACCEPTED_DEFAULT    "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com"
+#define OPENSSH_PKACCEPTED_DEFAULT    "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com"
 
 #if       HAVE_ECC
 #define OPENSSH_HOSTKEY_ALGOS_ECDSA   ",ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
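
Review bot: The two rsa-sha2-*-cert-v01@openssh.com entries are dropped from OPENSSH_PKACCEPTED_DEFAULT unconditionally, so the pkd tests stop exercising them even when the installed OpenSSH client accepts them. Consider moving them into a separate macro that is appended only when the build detects support, the same way OPENSSH_HOSTKEY_ALGOS_ECDSA is gated on HAVE_ECC in the context lines of this hunk. The commit subject also says "ciphers", while the macro being edited holds public key algorithm names; the wording should match what is changed.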

The right solution would be to run ssh -Q from cmake and prepare a list of ciphers that are available. This should be useful because OpenSSH will continue to deprecate ciphers in the future and the list of exceptions will continue to grow.
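
The filtering step proposed above, as an added example that is not part of the task or of the libssh code base: it keeps only the entries of a wanted list that appear in a list of supported names. The function name filter_supported is hypothetical, and the supported list is constructed sample data standing in for `ssh -Q` output; which `-Q` query to run is left as an assumption.

```shell
#!/bin/sh
# Added example: intersect a wanted algorithm list with what the client reports.

# filter_supported WANTED SUPPORTED   (hypothetical helper)
#   WANTED:    comma-separated names, as in OPENSSH_PKACCEPTED_DEFAULT
#   SUPPORTED: newline-separated names, one per line
# Prints the comma-separated subset of WANTED present in SUPPORTED, order kept.
filter_supported() {
    wanted=$1
    supported=$2
    out=
    old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while splitting on commas
    for alg in $wanted; do
        # -x -F: whole-line, fixed-string match, so "ssh-rsa" does not
        # match "ssh-rsa-cert-v01@openssh.com" and "." is not a wildcard.
        if printf '%s\n' "$supported" | grep -qxF -- "$alg"; then
            out="${out:+$out,}$alg"
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Wanted list: the original OPENSSH_PKACCEPTED_DEFAULT value from the patch.
WANTED="ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com"

# Constructed sample of a client that lacks the two rsa-sha2-*-cert names.
SAMPLE_SUPPORTED='ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-rsa-cert-v01@openssh.com'

filter_supported "$WANTED" "$SAMPLE_SUPPORTED"
```
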

Event Timeline

aris triaged this task as Low priority. Sep 13 2019, 5:22 PM
aris created this task.
Jakuje added a subscriber: Jakuje. Sep 19 2019, 5:32 PM

The tests/pkd/pkd_util.c already parses the openssh version so it can be used with a bit of refactoring. Or you can adjust the tests/CMakeLists.txt to expose the already-collected versions also to the pkd tests and allow these algorithms only on the newer openssh.

Jakuje added a project: Restricted Project. Sep 25 2019, 4:09 PM