[Twisted-Python] twisted.conch.checkers.SSHPublicKeyDatabase validate signature data
Adi Roiban
adi at roiban.ro
Mon Apr 22 03:01:52 MDT 2013
Hi,
In RFC 4252 (http://www.ietf.org/rfc/rfc4252.txt), The Secure Shell (SSH)
Authentication Protocol, section 7, Public Key Authentication Method:
"publickey", there is the following information about the SSH public key
signature:
    The value of 'signature' is a signature by the corresponding private
    key over the following data, in the following order:

        string    session identifier
        byte      SSH_MSG_USERAUTH_REQUEST
        string    user name
        string    service name
        string    "publickey"
        boolean   TRUE
        string    public key algorithm name
        string    public key to be used for authentication

    When the server receives this message, it MUST check whether the
    supplied key is acceptable for authentication, and if so, it MUST
    check whether the signature is correct.
The current code checks that the key is accepted for authentication, and it
also verifies that the signature is correct.
It does not check the format of the signed data, especially whether the
session identifier from the signed data is the same as the session identifier
of the current SSH transport session.
-----
I also found this document describing how SSH public key authentication
works, but it differs from the current conch.ssh userauth.py
implementation... maybe it is for SSH v1:
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#chal
------
Shouldn't twisted.conch.checkers.SSHPublicKeyDatabase also check that the
session id from the signed data matches the one from the transport session?
Maybe it does, but I am not looking in the right place.
I see that in conch/checkers.py line 167
https://github.com/tomprince/twisted/blob/trunk/twisted/conch/checkers.py#L167
there is this check, which, once the signature is valid, just returns the
avatar_id:

    if pubKey.verify(credentials.signature,
                     credentials.sigData):
        return credentials.username
Thanks!
--
Adi Roiban
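To make the missing check concrete, here is an added example (not Twisted's code, and not part of the original mail) that builds the RFC 4252 section 7 signed data, parses it back field by field, and confirms that the embedded session identifier matches the transport's own session id before the signature result is trusted. The function and variable names (build_sig_data, parse_sig_data, check_sig_data, SID_A) and the sample session ids and key blob are constructed for illustration; the actual pubKey.verify call from checkers.py is deliberately left out, since the point is what must be checked in addition to the signature.

```python
import hmac
import struct

# RFC 4252 section 7: message number for SSH_MSG_USERAUTH_REQUEST.
SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(value: bytes) -> bytes:
    """Encode an RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(value)) + value


def build_sig_data(session_id, username, service, key_alg, pubkey_blob):
    """Assemble the data the client signs, in the order RFC 4252 section 7 lists."""
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(username)
        + ssh_string(service)
        + ssh_string(b"publickey")
        + b"\x01"  # boolean TRUE
        + ssh_string(key_alg)
        + ssh_string(pubkey_blob)
    )


def parse_sig_data(data: bytes) -> dict:
    """Parse signed data back into its fields; raise ValueError on anything malformed."""
    offset = 0

    def read_string():
        nonlocal offset
        if offset + 4 > len(data):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", data, offset)
        offset += 4
        if offset + length > len(data):
            raise ValueError("truncated string body")
        value = data[offset:offset + length]
        offset += length
        return value

    session_id = read_string()
    if offset >= len(data) or data[offset] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("expected SSH_MSG_USERAUTH_REQUEST byte")
    offset += 1
    username = read_string()
    service = read_string()
    if read_string() != b"publickey":
        raise ValueError("method name is not 'publickey'")
    if offset >= len(data) or data[offset] != 1:
        raise ValueError("expected boolean TRUE")
    offset += 1
    key_alg = read_string()
    pubkey_blob = read_string()
    if offset != len(data):
        raise ValueError("trailing bytes after public key")
    return {
        "session_id": session_id,
        "username": username,
        "service": service,
        "key_alg": key_alg,
        "pubkey_blob": pubkey_blob,
    }


def check_sig_data(sig_data, transport_session_id, username, service, pubkey_blob):
    """True only if the signed data is well formed and bound to this transport session.

    This is the check the mail asks about: a valid signature over a blob whose
    session identifier belongs to some other session must not authenticate here.
    """
    try:
        fields = parse_sig_data(sig_data)
    except ValueError:
        return False
    return (
        hmac.compare_digest(fields["session_id"], transport_session_id)
        and fields["username"] == username
        and fields["service"] == service
        and fields["pubkey_blob"] == pubkey_blob
    )


# Constructed sample values (not real session ids or keys).
SID_A = bytes(range(32))
SID_B = bytes(32)
KEY_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x03") + ssh_string(b"\x07")

if __name__ == "__main__":
    data = build_sig_data(SID_A, b"alice", b"ssh-connection", b"ssh-rsa", KEY_BLOB)
    print("same session:", check_sig_data(data, SID_A, b"alice", b"ssh-connection", KEY_BLOB))
    print("other session:", check_sig_data(data, SID_B, b"alice", b"ssh-connection", KEY_BLOB))
```

The parser is strict on purpose: it rejects truncated fields, a wrong message byte, a method name other than "publickey", a FALSE boolean and trailing bytes, so the session-id comparison is only ever made on a blob that has the shape RFC 4252 describes. hmac.compare_digest is used for the session id so the comparison time does not depend on where the two values diverge.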