Key verification failing using OpenSshCertificateImpl
Hello,

I'm trying to authenticate from my client using apache mina - 2.5.1 using OpenSsh Certificate. I have a signed Certificate which I parsed using OpenSshCertificateImpl and created a KeyPair out of it. However the auth fails with:

2020-07-17 02:11:20.168DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : sendInitialServiceRequest(ClientSessionImpl[break-glass@/192.168.1.6:5022]) Send SSH_MSG_SERVICE_REQUEST for ssh-userauth
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : encode(ClientSessionImpl[break-glass@/192.168.1.6:5022]) packet #3 sending command=5[SSH_MSG_SERVICE_REQUEST] len=17
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : encode(ClientSessionImpl[break-glass@/192.168.1.6:5022]) packet #4 sending command=50[SSH_MSG_USERAUTH_REQUEST] len=42
2020-07-17 02:11:20.169 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : handleNewKeys(ClientSessionImpl[break-glass@/192.168.1.6:5022]) sent 1 pending packets
2020-07-17 02:11:20.170 DEBUG 4235 --- [ NioProcessor-2] o.a.s.client.session.ClientSessionImpl : handleServiceAccept(ClientSessionImpl[break-glass@/192.168.1.6:5022]) SSH_MSG_SERVICE_ACCEPT service=ssh-userauth
2020-07-17 02:11:20.176 DEBUG 4235 --- [ NioProcessor-2] o.a.s.c.session.ClientUserAuthService: processUserAuth(ClientSessionImpl[break-glass@/192.168.1.6:5022]) Received SSH_MSG_USERAUTH_FAILURE - partial=false, methods=publickey,keyboard-interactive
2020-07-17 02:11:20.176 DEBUG 4235 --- [ NioProcessor-2] o.a.s.c.session.ClientUserAuthService: tryNext(ClientSessionImpl[break-glass@/192.168.1.6:5022]) starting authentication mechanisms: client=[publickey, keyboard-interactive, password], server=[publickey, keyboard-interactive]

*Logs from the server I'm trying to authenticate:*

sre-bastion-service_1 | debug3: found certificate option "permit-pty" len 0
sre-bastion-service_1 | debug1: cert: key options: pty
sre-bastion-service_1 | debug1: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
sre-bastion-service_1 | Accepted certificate ID "vault-approle-cb8a0183bfb86549cfe4436bb163b52b0102fece03e60ce34a9ef3b03eeb7033" (serial 5407548119571357136) signed by RSA CA SHA256:exuOZzvSLJOi9d2qcaaQtigjOI/W1zHcC+b6WN4KxAo via /etc/ssh/trusted-user-ca-keys.pem
sre-bastion-service_1 | debug3: mm_answer_keyallowed: publickey authentication: RSA-CERT key is allowed
sre-bastion-service_1 | debug3: mm_request_send entering: type 23
sre-bastion-service_1 | debug3: mm_sshkey_verify entering [preauth]
sre-bastion-service_1 | debug3: mm_request_send entering: type 24 [preauth]
sre-bastion-service_1 | debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
sre-bastion-service_1 | debug3: mm_request_receive_expect entering: type 25 [preauth]
sre-bastion-service_1 | debug3: mm_request_receive entering [preauth]
sre-bastion-service_1 | debug3: mm_request_receive entering
sre-bastion-service_1 | debug3: monitor_read: checking request 24
sre-bastion-service_1 | debug3: mm_answer_keyverify: publickey 0x56201808e760 signature unverified
sre-bastion-service_1 | debug1: auth_activate_options: setting new authentication options
sre-bastion-service_1 | debug3: mm_request_send entering: type 25
sre-bastion-service_1 | Failed publickey for break-glass from 172.21.0.1 port 35872 ssh2: RSA-CERT ID vault-approle-cb8a0183bfb86549cfe4436bb163b52b0102fece03e60ce34a9ef3b03eeb7033 (serial 5407548119571357136) CA RSA SHA256:exuOZzvSLJOi9d2qcaaQtigjOI/W1zHcC+b6WN4KxAo
sre-bastion-service_1 | debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa-cert-...@openssh.com [preauth]
sre-bastion-service_1 | debug3: user_specific_delay: user specific delay 0.000ms [preauth]
sre-bastion-service_1 | debug3: ensure_minimum_time_since: elapsed 1.986ms, delaying 5.660ms (requested 7.646ms) [preauth]
sre-bastion-service_1 | debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
sre-bastion-service_1 | debug3: send packet: type 51 [preauth]
sre-bastion-service_1 | debug3: receive packet: type 50 [preauth]

Here is my code:

//Create the OpenSshCertificate from the signed key from vault
String[] parts = vaultSignedSshResponse.getSignedKey().trim().split(" "); //in the attachment signed-cert.txt
ByteArrayBuffer bab = new ByteArrayBuffer(Base64.getDecoder().decode(parts[1]));
OpenSshCertificateImpl openSshCertificate = (OpenSshCertificateImpl) bab.getRawPublicKey();
//try login using Client session
Security.addProvider(new BouncyCastleProvider());
KeyPair signedKeyPair = new KeyPair(openSshCertificate, keyPair.getPrivate());
SshClient sshClient = SshClient.setUpDefaultClient();
sshClient.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
sshClient.setHostConfigEntryResolver(HostConfigEntryResolver.EMPTY);
//sshClient.addPublicKeyIdentity(signedKe
[jira] [Commented] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160509#comment-17160509 ]

Sandeep commented on SSHD-1037:

[~lgoldstein] [~gnodet] Here is Junit test

# Generated KeyPair.
# Created encrypted private key and printed on log.
# then used the same string output & decoded it to get keyPair.
# It's decoded successfully.
# log is attached.
# I tried same output format key string as input to SSHD *OpenSSHKeyPairResourceParser* but faced the same problem. Not able to identify root cause.

[^junit_test_output] [^KeyGenerationTest.java]

> private openssh key parsing error
>
> Key: SSHD-1037
> URL: https://issues.apache.org/jira/browse/SSHD-1037
> Project: MINA SSHD
> Issue Type: Question
> Reporter: Sandeep
> Priority: Major
> Attachments: KeyGenerationTest.java, console_log, junit_test_output, parsing_java_method
>
> Hi Team,
> I am not able to parse openssh key with the help of *OpenSSHKeyPairResourceParser* class
> Java code and log is attached.
> Password of key is : RoldWtzuRB089Dztx7MmsIxe799c2MIL
> Key is as follows,

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
[jira] [Updated] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandeep updated SSHD-1037:
Attachment: junit_test_output
[jira] [Updated] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandeep updated SSHD-1037:
Attachment: KeyGenerationTest.java
[jira] [Commented] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160425#comment-17160425 ]

Lyor Goldstein commented on SSHD-1037:

{quote}
we have used "SshKeyPairGenerator.java" class from same publickey package to generate keypair and after that we used the following code to generate OpenSSH format

SshPrivateKeyFile prvfile =SshPrivateKeyFileFactory.create(pair,passphrase,comment, SshPrivateKeyFileFactory.OPENSSH_FORMAT);
byte[] keyData= prvfile.getFormattedKey();

above byte array keyData string conversion gives key format that I given in above question.
{quote}

No doubt - but the result does not seem valid. AFAIK we can parse any key generated by {{ssh-keygen}} so it would seem that the package being used generates malformed keys...
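An added example, not part of the thread or of MINA SSHD: a stand-alone Python check that walks the cleartext header of an `OPENSSH PRIVATE KEY` file, so a malformed container can be told apart from a wrong passphrase before any parser is blamed. The field order follows OpenSSH's PROTOCOL.key; `inspect_envelope`, the helper names and both sample blobs are constructed for illustration.

```python
import base64
import struct
AUTH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix defined in OpenSSH's PROTOCOL.key

def _string(buf, off, name):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError(f"{name}: length field truncated at offset {off}")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError(f"{name}: length {n} at offset {off} overruns the blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_envelope(pem_text):
    """Walk the cleartext header of an OPENSSH PRIVATE KEY file; no passphrase needed."""
    b64 = "".join(l.strip() for l in pem_text.splitlines() if "-" not in l)  # skip armor
    blob = base64.b64decode(b64, validate=True)
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(AUTH_MAGIC)
    cipher, off = _string(blob, off, "ciphername")
    kdf, off = _string(blob, off, "kdfname")
    _kdfopts, off = _string(blob, off, "kdfoptions")
    nkeys_raw, off = blob[off:off + 4], off + 4
    if len(nkeys_raw) != 4:
        raise ValueError("nkeys: truncated")
    key_types = []
    for i in range(struct.unpack(">I", nkeys_raw)[0]):
        pub, off = _string(blob, off, f"publickey[{i}]")
        key_types.append(_string(pub, 0, "key type")[0].decode("ascii"))
    private, off = _string(blob, off, "private section")
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after private section")
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "key_types": key_types, "private_len": len(private)}

# Constructed samples (dummy bytes, not real key material).
def _s(b):
    return struct.pack(">I", len(b)) + b
def _armor(blob):
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.encodebytes(blob).decode()
            + "-----END OPENSSH PRIVATE KEY-----\n")
_PUB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xaa" * 16)
GOOD = _armor(AUTH_MAGIC + _s(b"aes128-cbc") + _s(b"bcrypt")
              + _s(_s(b"\x11" * 16) + struct.pack(">I", 16))
              + struct.pack(">I", 1) + _s(_PUB) + _s(b"\x00" * 32))
# Same first fields, but written with one-byte lengths: a malformed container.
BAD = _armor(AUTH_MAGIC + b"\x0aaes128-cbc" + b"\x06bcrypt")
```

`inspect_envelope(GOOD)` returns the cipher, KDF and public key types; `inspect_envelope(BAD)` raises `ValueError` naming the first field whose length does not fit.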
[jira] [Commented] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160411#comment-17160411 ]

Guillaume Nodet commented on SSHD-1037:

[~ssmali1505] could you write a junit test that generates the key and parses it? That way, we can reproduce the problem and have a test ready for it at the same time...