tomaswolf commented on issue #531:
URL: https://github.com/apache/mina-sshd/issues/531#issuecomment-2233656599
Sorry.
I completely missed that the log indeed has a SSH_MSG_USERAUTH_PK_OK reply
from the server.
Your log is hard to understand; apparently lines with the same time stamp
are not always being printed in the right order. I see several lines with the
same timestamps and from a single thread that simply cannot ever have been
produced in the order shown; for instance
```
2024/07/16 05:36:15.285000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.a.p.UserAuthPublicKey#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-7] {}
processAuthDataRequest(ClientSessionImpl[amadeus@/10.243.2.50:6710])[ssh-connection][publickey]:
signing with algorithm rsa-sha2-512
2024/07/16 05:36:15.285000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.a.p.UserAuthPublicKey#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-7] {}
processAuthDataRequest(ClientSessionImpl[amadeus@/10.243.2.50:6710])[ssh-connection][publickey]
SSH_MSG_USERAUTH_PK_OK type=rsa-sha2-512,
fingerprint=SHA256:YNK/48lJZvi8/w2VTwCd4vNYWI0IJod7CDvF+Jc//JE
```
This is just impossible. In the code that produces these lines (both from
the same thread!), we will _always_ log first "SSH_MSG_USERAUTH_PK_OK
type=rsa-sha2-512, fingerprint=..." and _then_ "signing with algorithm
rsa-sha2-512".
Assuming that this is an artifact of whatever logging system you used, the log
shows a server bug. Let's go step by step:
```
2024/07/16 05:36:15.237000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.a.p.UserAuthPublicKey#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-6] {}
sendAuthDataRequest(ClientSessionImpl[amadeus@/10.243.2.50:6710])[ssh-connection]
send SSH_MSG_USERAUTH_REQUEST request publickey type=rsa-sha2-512 -
fingerprint=SHA256:YNK/48lJZvi8/w2VTwCd4vNYWI0IJod7CDvF+Jc//JE
```
The client asks the server "if I authenticated with the public key that has
the fingerprint SHA256:YNK/48lJZvi8/w2VTwCd4vNYWI0IJod7CDvF+Jc//JE and a
rsa-sha2-512 signature, would you accept the authentication?"
```
2024/07/16 05:36:15.285000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.a.p.UserAuthPublicKey#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-7] {}
processAuthDataRequest(ClientSessionImpl[amadeus@/10.243.2.50:6710])[ssh-connection][publickey]
SSH_MSG_USERAUTH_PK_OK type=rsa-sha2-512,
fingerprint=SHA256:YNK/48lJZvi8/w2VTwCd4vNYWI0IJod7CDvF+Jc//JE
```
The server says yes.
```
2024/07/16 05:36:15.285000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.a.p.UserAuthPublicKey#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-7] {}
processAuthDataRequest(ClientSessionImpl[amadeus@/10.243.2.50:6710])[ssh-connection][publickey]:
signing with algorithm rsa-sha2-512
2024/07/16 05:36:15.295000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.s.ClientSessionImpl#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-7] {}
encode(ClientSessionImpl[amadeus@/10.243.2.50:6710]) packet #6 sending
command=50[SSH_MSG_USERAUTH_REQUEST] len=621
```
The client puts together the authentication request with that key and an
rsa-sha2-512 signature and sends it.
```
2024/07/16 05:36:15.344000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.s.ClientSessionImpl#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-8] {}
doHandleMessage(ClientSessionImpl[amadeus@/10.243.2.50:6710]) process #6
SSH_MSG_USERAUTH_FAILURE
```
The server refuses the authentication. Even though it had said it would in
its SSH_MSG_USERAUTH_PK_OK message before! **That seems to be a server bug?**
```
2024/07/16 05:36:15.344000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.s.ClientUserAuthService#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-8] {}
processUserAuth(ClientSessionImpl[amadeus@/10.243.2.50:6710]) Received
SSH_MSG_USERAUTH_FAILURE - partial=false, methods=password
```
In its refusal, the server tells the client "do not try pubkey
authentication anymore, you may still try password authentication".
```
2024/07/16 05:36:15.344000 disapp01 DDS_UDD#0-0 APP DEBUG
<o.a.s.c.a.p.UserAuthPublicKey#0 TID#00000> genericLoop
[sshd-SshClient[36ae17ef]-nio2-thread-8] {}
sendAuthDataRequest(ClientSessionImpl[amadeus@/10.243.2.50:6710])[ssh-connection]
send SSH_MSG_USERAUTH_REQUEST request publickey type=rsa-sha2-256 -
fingerprint=SHA256:YNK/48lJZvi8/w2VTwCd4vNYWI0IJod7CDvF+Jc//JE
```
The client ignores this and tries the same public key again with an
rsa-sha2-256 signature. **That's a client bug**; it should not have continued
with public-key authentication.
But your real problem is that the server first says it would accept the key
with a rsa-sha2-512 signature, but then it doesn't. There is not much we can do
about this; your only real option is to force "ssh-rsa" for connecting to
such a server.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
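The exchange walked through in the comment above, as an added example written for this page (it is not mina-sshd code and not the commenter's): a small Python model of the "publickey" method from RFC 4252. The `Server` class is a constructed stand-in that behaves like the server in the log, answering the signature-less query with SSH_MSG_USERAUTH_PK_OK and then rejecting the signed request with SSH_MSG_USERAUTH_FAILURE methods=password. The `run_publickey_auth` loop shows the client behaviour the comment expects: it stops public-key authentication as soon as the server drops "publickey" from the methods that may continue, instead of retrying the same key with rsa-sha2-256. Class and function names are the example's own; the key fingerprint is the one from the log.

```python
"""Model of the SSH "publickey" user-auth exchange (RFC 4252 section 7).
Example code for this page, not mina-sshd code; the Server below is a
constructed stand-in for the server seen in the log."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple, Union

# Message numbers from RFC 4252 (sections 6 and 7), kept for reference.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PK_OK = 60


@dataclass(frozen=True)
class UserAuthRequest:
    """SSH_MSG_USERAUTH_REQUEST reduced to the fields that matter here."""
    method: str            # "publickey" or "password"
    algorithm: str = ""    # public key algorithm name, e.g. "rsa-sha2-512"
    fingerprint: str = ""  # stands in for the public key blob
    signed: bool = False   # False: query without signature, True: real attempt


@dataclass(frozen=True)
class UserAuthFailure:
    """SSH_MSG_USERAUTH_FAILURE: methods that can continue, partial-success flag."""
    methods: Tuple[str, ...]
    partial: bool = False


@dataclass(frozen=True)
class PkOk:
    """SSH_MSG_USERAUTH_PK_OK: echoes algorithm and key of the accepted query."""
    algorithm: str
    fingerprint: str


SUCCESS = "SSH_MSG_USERAUTH_SUCCESS"
Reply = Union[UserAuthFailure, PkOk, str]


class Server:
    """Hypothetical server. query_ok: algorithms it answers with PK_OK;
    signed_ok: algorithms whose signed request it actually accepts."""

    def __init__(self, query_ok: Sequence[str], signed_ok: Sequence[str]) -> None:
        self.query_ok = frozenset(query_ok)
        self.signed_ok = frozenset(signed_ok)

    def handle(self, req: UserAuthRequest) -> Reply:
        if req.method != "publickey":
            return UserAuthFailure(("publickey", "password"))
        if not req.signed:
            if req.algorithm in self.query_ok:
                return PkOk(req.algorithm, req.fingerprint)
            return UserAuthFailure(("publickey", "password"))
        if req.algorithm in self.signed_ok:
            return SUCCESS
        # The behaviour seen in the log: refuse, and withdraw "publickey".
        return UserAuthFailure(("password",))


def run_publickey_auth(server: Server, fingerprint: str, algorithms: Sequence[str],
                       allowed: Sequence[str]) -> Tuple[bool, FrozenSet[str], List[str]]:
    """Try one key with each signature algorithm in turn, honouring the methods
    list of every USERAUTH_FAILURE. Returns (authenticated, methods still
    allowed, transcript of the exchange)."""
    allowed_methods = frozenset(allowed)
    transcript: List[str] = []
    for alg in algorithms:
        if "publickey" not in allowed_methods:
            transcript.append("C: server withdrew publickey; not retrying")
            break
        transcript.append(f"C: USERAUTH_REQUEST publickey {alg} (query)")
        reply = server.handle(UserAuthRequest("publickey", alg, fingerprint))
        if isinstance(reply, UserAuthFailure):
            transcript.append(f"S: USERAUTH_FAILURE methods={','.join(reply.methods)}")
            allowed_methods = frozenset(reply.methods)
            continue  # this key/algorithm is not wanted, try the next algorithm
        if not isinstance(reply, PkOk) or (reply.algorithm, reply.fingerprint) != (alg, fingerprint):
            transcript.append(f"S: unexpected reply to query: {reply!r}")
            break
        transcript.append(f"S: USERAUTH_PK_OK {alg}")
        transcript.append(f"C: USERAUTH_REQUEST publickey {alg} (signed)")
        reply = server.handle(UserAuthRequest("publickey", alg, fingerprint, signed=True))
        if reply == SUCCESS:
            transcript.append("S: USERAUTH_SUCCESS")
            return True, allowed_methods, transcript
        assert isinstance(reply, UserAuthFailure)
        transcript.append(f"S: USERAUTH_FAILURE methods={','.join(reply.methods)} (after PK_OK)")
        allowed_methods = frozenset(reply.methods)
    return False, allowed_methods, transcript


# Key fingerprint taken from the log quoted in the comment.
FINGERPRINT = "SHA256:YNK/48lJZvi8/w2VTwCd4vNYWI0IJod7CDvF+Jc//JE"
ALL_RSA = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")
# Constructed server: PK_OK for every RSA variant, but only "ssh-rsa" verifies.
BUGGY_SERVER = Server(query_ok=ALL_RSA, signed_ok=("ssh-rsa",))

if __name__ == "__main__":
    ok, remaining, lines = run_publickey_auth(BUGGY_SERVER, FINGERPRINT, ALL_RSA, ("publickey", "password"))
    print("\n".join(lines), "\nauthenticated:", ok, "| methods left:", sorted(remaining))
    ok, _, lines = run_publickey_auth(BUGGY_SERVER, FINGERPRINT, ("ssh-rsa",), ("publickey", "password"))
    print("\n".join(lines), "\nauthenticated with forced ssh-rsa:", ok)
```

Against the constructed buggy server the client sends the rsa-sha2-512 query, receives PK_OK, sends the signed request, receives FAILURE with methods=password and then stops, leaving only password authentication; restricting the client to "ssh-rsa" (the workaround named in the comment) is the run that succeeds. A server that answers the query itself with FAILURE but keeps "publickey" in the list is handled too: the client simply moves on to the next algorithm.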