[Twisted-Python] twisted.conch.checkers.SSHPublicKeyDatabase validate signature data
Adi Roiban
adi at roiban.ro
Mon Apr 22 05:35:48 MDT 2013
On 22 April 2013 12:01, Adi Roiban <adi at roiban.ro> wrote:
> Hi,
>
> In RFC 4252 http://www.ietf.org/rfc/rfc4252.txt for The Secure Shell
> (SSH) Authentication Protocol at section 7. Public Key Authentication
> Method: "publickey"
>
> There is the following information about SSH public key signature.
>
> The value of 'signature' is a signature by the corresponding private key over the following data, in the following order:
>
> string session identifier
> byte SSH_MSG_USERAUTH_REQUEST
> string user name
> string service name
> string "publickey"
> boolean TRUE
> string public key algorithm name
> string public key to be used for authentication
>
> When the server receives this message, it MUST check whether the supplied key is acceptable for authentication, and if so, it MUST check whether the signature is correct.
>
> The current code check that key is accepted for authentication and it also
> verifies if signature is correct.
>
> It does not check that session the format of the signed data, especially
> if session identifier from signed data is the same as the session of the
> the current SSH transport session.
>
> -----
>
> I also found this document describing how ssh public key authentication
> works, but it differes from the current conch.ssh userauth.py
> implementation... maybe it is for SSH v1
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#chal
>
> ------
>
> Shouldn't twisted.conch.checkers.SSHPublicKeyDatabase also check that
> session id from signed data match the one from transport session?
>
> Maybe it does but I am not looking at the right place.
>
> I see that in conch/checkers.py line 167
> https://github.com/tomprince/twisted/blob/trunk/twisted/conch/checkers.py#L167
> there is this check, which once signature is valid it just returns
> avatar_id:
>
> if pubKey.verify(credentials.signature,
> credentials.sigData):
> return credentials.username
>
I found out that I was wrong and I found how the signed data is generated.
Here is the imprtant part:
https://github.com/tomprince/twisted/blob/trunk/twisted/conch/ssh/userauth.py#L268
Sorry for the trouble!
--
Adi Roiban
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20130422/7e40ecb8/attachment.html>
More information about the Twisted-Python
mailing list