[ https://issues.apache.org/jira/browse/SSHD-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17177818#comment-17177818 ]
Feng Jiajie commented on SSHD-1053:
-----------------------------------

on CentOS 7 server:
{code:java}
mkdir ~/codelab
cd ~/codelab
{code}

h2. step 1. Create CA key
{code:java}
ssh-keygen -f ca
{code}

h2. step 2. Create Host Key
{code:java}
ssh-keygen -f myhost
{code}

h2. step 3. Sign Host Key Using CA Key
{code:java}
ssh-keygen -s ca -I mytestcert -h -n "127.0.0.1,localhost,10.120.32.74" -V -5m:+3650d myhost
{code}
* -s: CA key file path
* -I: cert name
* -h: this is a host key
* -n: all host names to connect with, just like the HTTPS cert common name
* -V: cert validity range, 3650 days
* myhost: host key path from step 2

{code:java}
[work@debugboxcreate2845x1 codelab]$ ssh-keygen -s ca -I mytestcert -h -n "127.0.0.1,localhost,10.120.32.74" -V -5m:+3650d myhost
Signed host key myhost-cert.pub: id "mytestcert" serial 0 for 127.0.0.1,localhost,10.120.32.74 valid from 2020-08-14T22:08:07 to 2030-08-12T22:13:07
[work@debugboxcreate2845x1 codelab]$ ll
total 20
-rw------- 1 work work 1679 Aug 14 22:06 ca
-rw-r--r-- 1 work work  407 Aug 14 22:06 ca.pub
-rw------- 1 work work 1675 Aug 14 22:08 myhost
-rw-r--r-- 1 work work 1384 Aug 14 22:13 myhost-cert.pub
-rw-r--r-- 1 work work  407 Aug 14 22:08 myhost.pub
[work@debugboxcreate2845x1 codelab]$ ssh-keygen -L -f myhost-cert.pub
myhost-cert.pub:
        Type: ssh-rsa-cert-...@openssh.com host certificate
        Public key: RSA-CERT SHA256:oaZ3flir1EB6DnkpJiZpJgGKFQFFiqRc9Tm5x4QuExQ
        Signing CA: RSA SHA256:9yner89PphI7gTHrPJXYVM7Nis/jzN5/D31WDNQ6Gc0
        Key ID: "mytestcert"
        Serial: 0
        Valid: from 2020-08-14T22:08:07 to 2030-08-12T22:13:07
        Principals:
                127.0.0.1
                localhost
                10.120.32.74
        Critical Options: (none)
        Extensions: (none)
[work@debugboxcreate2845x1 codelab]$
{code}

h2. step 4. Configure OpenSSH sshd
*first backup /etc/ssh/sshd_config*
{code:java}
vim /etc/ssh/sshd_config
{code}
comment out all HostKey lines and add the new HostKey and cert:
{code:java}
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /home/work/codelab/myhost
HostCertificate /home/work/codelab/myhost-cert.pub
{code}
and then restart the sshd service:
{code:java}
service sshd restart
{code}

h2. step 5. Test host verification
remove the host key from *~/.ssh/known_hosts*
{code:java}
[work@debugboxcreate2845x1 ~]$ ssh root@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is SHA256:oaZ3flir1EB6DnkpJiZpJgGKFQFFiqRc9Tm5x4QuExQ.
RSA key fingerprint is MD5:9a:89:9a:23:8a:61:28:f2:e9:d3:84:41:33:8e:56:41.
Are you sure you want to continue connecting (yes/no)? no
{code}
then add the CA public key (not the host public key) into ~/.ssh/known_hosts, like:
{code:java}
@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPsJociDCipokcLpyYJ4PB4nkGdBKaiZvuQoxB+fLUjecie2o8kXq0iVnFiEKaBqFQIxguXPZ/W8wrqWAvlp3PhwWLt/qFsF6ssST8rzrDhwhWuEEGyDv/pBa2Pdm9Q9eI49vXn1PPJJ7NBwKxLw0KEkYtMfTWnJy/ZV3+T92SRZMPJU+dl07ZkSKPq088j47mIa1mdBHWHYy429sRRvIXri4sWPNBGMQW1L6repzrQZDUl7quTA4nIEugZMl1y+vk/j8b12fohf+TD5hGufIMmFPMbdivhKkylo9fuRBW9AGW1aIpxKYsyxcFb8TOJIJuZKAY8P/c5dCMrkIzfW8b work@debugboxcreate2845x1
{code}
then try ssh:
{code:java}
[work@debugboxcreate2845x1 ~]$ ssh root@127.0.0.1
root@127.0.0.1's password:
{code}
The ssh client trusts the host key because it trusts the CA.

For the Mina SSHD server, use the same files:
{code:java}
sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/home/work/codelab/myhost")));
sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/home/work/codelab/myhost-cert.pub")));
{code}

By the way, the CentOS 7 default OpenSSH version is 7.4, and with the 7.4 OpenSSH client the error doesn't occur, maybe because "rsa-sha2-512-cert-...@openssh.com" wasn't supported yet in 7.4:
https://github.com/openssh/openssh-portable/commit/4ba0d54794814ec0de1ec87987d0c3b89379b436

I first hit the error on macOS with OpenSSH 7.9, then I built the latest OpenSSH 8.3 on CentOS 7 and reproduced the problem.


> Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SSHD-1053
>                 URL: https://issues.apache.org/jira/browse/SSHD-1053
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.5.1
>            Reporter: Feng Jiajie
>            Assignee: Lyor Goldstein
>            Priority: Major
>         Attachments: ca
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> Hi,
> We configured a Mina SSHD and used server certificates:
> [https://www.lorier.net/docs/ssh-ca.html]
> Mina SSHD:
> {code:java}
> sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
> sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
> {code}
> When using the OpenSSH client (tested on v7.9 and v8.3) to connect to the Mina SSHD server, the client reports an error:
> {code:java}
> debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: MACs stoc: hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: compression ctos: none,zlib,z...@openssh.com
> debug2: compression stoc: none,zlib,z...@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: ecdh-sha2-nistp256
> debug1: kex: host key algorithm: rsa-sha2-512-cert-...@openssh.com
> debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-...@openssh.com compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-...@openssh.com compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate: ssh-rsa-cert-...@openssh.com SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1" CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from 2020-08-14T12:48:45 to 2030-08-12T12:53:45
> debug2: Server host certificate hostname: 127.0.0.1
> debug2: Server host certificate hostname: localhost
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file /home/work/.ssh/known_hosts:34
> debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
> debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host certificate.
> debug1: Found CA key in /home/work/.ssh/known_hosts:34
> okok rsa-sha2-512-cert-...@openssh.com
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not match
> {code}
> After debugging the OpenSSH client, we found that the problem was this:
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L270]
> line 270:
> {code:java}
> if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
>     ret = SSH_ERR_KEY_TYPE_MISMATCH;
>     goto out;
> }
> {code}
> The `sigtype` value is "rsa-sha2-512-cert-...@openssh.com".
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L61]
> line 61:
> {code:java}
> static int
> rsa_hash_id_from_ident(const char *ident)
> {
>     if (strcmp(ident, "ssh-rsa") == 0)
>         return SSH_DIGEST_SHA1;
>     if (strcmp(ident, "rsa-sha2-256") == 0)
>         return SSH_DIGEST_SHA256;
>     if (strcmp(ident, "rsa-sha2-512") == 0)
>         return SSH_DIGEST_SHA512;
>     return -1;
> }
> {code}
> It can't find "rsa-sha2-512-cert-...@openssh.com", so it returns -1.
> We found that the OpenSSH server's signature function may only return the return value of the `rsa_hash_alg_ident` function:
> {code:java}
> static const char *
> rsa_hash_alg_ident(int hash_alg)
> {
>     switch (hash_alg) {
>     case SSH_DIGEST_SHA1:
>         return "ssh-rsa";
>     case SSH_DIGEST_SHA256:
>         return "rsa-sha2-256";
>     case SSH_DIGEST_SHA512:
>         return "rsa-sha2-512";
>     }
>     return NULL;
> }
> {code}
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L223]
> So I made a simple patch to handle this situation:
> [https://github.com/apache/mina-sshd/pull/158]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
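Added example, placed after the whole thread and not code from OpenSSH, Mina SSHD or the reporter: a small Python parser for the wire layout behind myhost-cert.pub (the fields that ssh-keygen -L printed in the comment above), plus the signature-type check the quoted ssh-rsa.c logic applies to the host key signature in KEX. The failing case is the one SSHD-1053 describes: the client negotiates the certificate algorithm name, but the sigtype string inside the signature blob must be the bare RSA name (ssh-rsa, rsa-sha2-256 or rsa-sha2-512), which is all rsa_hash_id_from_ident() accepts. The certificate built by build_rsa_cert() is a constructed sample with a toy modulus and a placeholder CA signature that is never verified; the full algorithm names (the mail archive above shows them redacted as "...@openssh.com") are the standard ones from OpenSSH's PROTOCOL.certkeys; all function and class names are this example's own.

```python
# Added example for SSHD-1053 (not OpenSSH, Mina SSHD or the reporter's code):
# parse the wire layout of an OpenSSH RSA host certificate (*-cert.pub, the
# fields ssh-keygen -L prints) and apply the signature-type check from the
# ssh-rsa.c logic quoted in the issue to the host key signature sent in KEX.
import base64
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"   # full name per OpenSSH PROTOCOL.certkeys
SSH2_CERT_TYPE_USER, SSH2_CERT_TYPE_HOST = 1, 2
# Same table as rsa_hash_id_from_ident(): the only names accepted as the
# signature type carried inside an RSA signature blob.
RSA_SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}


class KeyTypeMismatch(Exception):
    """Counterpart of SSH_ERR_KEY_TYPE_MISMATCH ("key type does not match")."""


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def put_mpint(n: int) -> bytes:
    # mpint is two's complement big-endian; a leading 0x00 keeps it positive.
    return put_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


class Reader:
    """Sequential reader for uint32 / uint64 / string wire fields."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated SSH wire data")
        self.off += n
        return chunk

    def u32(self) -> int: return struct.unpack(">I", self._take(4))[0]
    def u64(self) -> int: return struct.unpack(">Q", self._take(8))[0]
    def string(self) -> bytes: return self._take(self.u32())


def build_signature(sigtype: str, sig: bytes) -> bytes:
    return put_string(sigtype.encode()) + put_string(sig)


def parse_signature(blob: bytes):
    r = Reader(blob)
    return r.string().decode(), r.string()     # (sigtype, raw signature)


def check_host_key_signature_type(negotiated_alg: str, sig_blob: bytes) -> str:
    """Client-side check modelled on ssh-rsa.c (simplified: OpenSSH reports the
    two failures below with different error codes).  The sigtype inside the KEX
    host key signature must be the plain RSA name, i.e. the negotiated algorithm
    without the certificate suffix.  Returns the hash name on success."""
    sigtype, _ = parse_signature(sig_blob)
    if sigtype not in RSA_SIG_HASH:            # rsa_hash_id_from_ident() returned -1
        raise KeyTypeMismatch(f"unknown RSA signature type {sigtype!r}")
    expected = negotiated_alg
    if expected.endswith(CERT_SUFFIX):
        expected = expected[:-len(CERT_SUFFIX)]
    if sigtype != expected:
        raise KeyTypeMismatch(f"{sigtype!r} does not match negotiated {negotiated_alg!r}")
    return RSA_SIG_HASH[sigtype]


def parse_rsa_cert(line: str) -> dict:
    """Parse one line of a *-cert.pub file into the fields ssh-keygen -L shows."""
    keytype, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if r.string().decode() != keytype:
        raise ValueError("certificate blob type does not match file prefix")
    r.string()                                  # nonce
    e = int.from_bytes(r.string(), "big")
    n = int.from_bytes(r.string(), "big")
    serial, ctype = r.u64(), r.u32()
    key_id = r.string().decode()
    plist, principals = Reader(r.string()), []  # principals: nested list of strings
    while plist.off < len(plist.data):
        principals.append(plist.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    for _ in range(3):                          # critical options, extensions, reserved
        r.string()
    r.string()                                  # CA public key blob
    ca_sigtype, _ = parse_signature(r.string())
    return {"type": "host" if ctype == SSH2_CERT_TYPE_HOST else "user", "key_id": key_id,
            "serial": serial, "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_sigtype": ca_sigtype, "e": e,
            "modulus_bits": n.bit_length()}


def build_rsa_cert(key_id: str, principals, valid_after: int, valid_before: int,
                   ctype: int = SSH2_CERT_TYPE_HOST, serial: int = 0) -> str:
    """Constructed sample cert in the same layout: toy key, placeholder CA signature."""
    keytype = "ssh-rsa" + CERT_SUFFIX
    body = put_string(keytype.encode()) + put_string(b"\x00" * 32)       # nonce
    body += put_mpint(65537) + put_mpint(0xC0FFEE0DEADBEEF0BADF00D)       # toy e, n
    body += struct.pack(">QI", serial, ctype) + put_string(key_id.encode())
    body += put_string(b"".join(put_string(p.encode()) for p in principals))
    body += struct.pack(">QQ", valid_after, valid_before)
    body += put_string(b"") * 3                                           # no options/extensions
    body += put_string(put_string(b"ssh-rsa") + put_mpint(65537) + put_mpint(0xCA11))
    body += put_string(build_signature("rsa-sha2-512", b"\x00" * 8))      # never verified
    return f"{keytype} {base64.b64encode(body).decode()} example-host-cert"
```

Against a real file, parse_rsa_cert(open("myhost-cert.pub").read()) returns the same key ID, serial, principals and validity window that ssh-keygen -L printed in the comment. check_host_key_signature_type() accepts a blob whose sigtype is rsa-sha2-512 when rsa-sha2-512-cert-v01@openssh.com was negotiated, and rejects one whose sigtype is the certificate name itself, which is the behaviour behind the "key type does not match" fatal error in the issue.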