Key verification failing using OpenSshCertificateImpl
Hello,
I'm trying to authenticate from my client using apache mina - 2.5.1 using
OpenSsh Certificate.
I have a signed Certificate which I parsed using OpenSshCertificateImpl and
created a KeyPair out of it.
However the auth fails with:
2020-07-17 02:11:20.168DEBUG 4235 --- [ NioProcessor-2]
o.a.s.client.session.ClientSessionImpl :
sendInitialServiceRequest(ClientSessionImpl[break-glass@/192.168.1.6:5022])
Send SSH_MSG_SERVICE_REQUEST for ssh-userauth
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2]
o.a.s.client.session.ClientSessionImpl :
encode(ClientSessionImpl[break-glass@/192.168.1.6:5022]) packet #3 sending
command=5[SSH_MSG_SERVICE_REQUEST] len=17
2020-07-17 02:11:20.168 DEBUG 4235 --- [ NioProcessor-2]
o.a.s.client.session.ClientSessionImpl :
encode(ClientSessionImpl[break-glass@/192.168.1.6:5022]) packet #4 sending
command=50[SSH_MSG_USERAUTH_REQUEST] len=42
2020-07-17 02:11:20.169 DEBUG 4235 --- [ NioProcessor-2]
o.a.s.client.session.ClientSessionImpl :
handleNewKeys(ClientSessionImpl[break-glass@/192.168.1.6:5022]) sent 1
pending packets
2020-07-17 02:11:20.170 DEBUG 4235 --- [ NioProcessor-2]
o.a.s.client.session.ClientSessionImpl :
handleServiceAccept(ClientSessionImpl[break-glass@/192.168.1.6:5022])
SSH_MSG_SERVICE_ACCEPT service=ssh-userauth
2020-07-17 02:11:20.176 DEBUG 4235 --- [ NioProcessor-2]
o.a.s.c.session.ClientUserAuthService:
processUserAuth(ClientSessionImpl[break-glass@/192.168.1.6:5022]) Received
SSH_MSG_USERAUTH_FAILURE - partial=false,
methods=publickey,keyboard-interactive
2020-07-17 02:11:20.176 DEBUG 4235 --- [ NioProcessor-2]
o.a.s.c.session.ClientUserAuthService:
tryNext(ClientSessionImpl[break-glass@/192.168.1.6:5022]) starting
authentication mechanisms: client=[publickey, keyboard-interactive,
password], server=[publickey, keyboard-interactive]
*Logs from the server I'm trying to authenticate:*
sre-bastion-service_1 | debug3: found certificate option "permit-pty" len 0
sre-bastion-service_1 | debug1: cert: key options: pty
sre-bastion-service_1 | debug1: principals: key options: agent-forwarding
port-forwarding pty user-rc x11-forwarding
sre-bastion-service_1 | Accepted certificate ID
"vault-approle-cb8a0183bfb86549cfe4436bb163b52b0102fece03e60ce34a9ef3b03eeb7033"
(serial 5407548119571357136) signed by RSA CA
SHA256:exuOZzvSLJOi9d2qcaaQtigjOI/W1zHcC+b6WN4KxAo via
/etc/ssh/trusted-user-ca-keys.pem
sre-bastion-service_1 | debug3: mm_answer_keyallowed: publickey
authentication: RSA-CERT key is allowed
sre-bastion-service_1 | debug3: mm_request_send entering: type 23
sre-bastion-service_1 | debug3: mm_sshkey_verify entering [preauth]
sre-bastion-service_1 | debug3: mm_request_send entering: type 24 [preauth]
sre-bastion-service_1 | debug3: mm_sshkey_verify: waiting for
MONITOR_ANS_KEYVERIFY [preauth]
sre-bastion-service_1 | debug3: mm_request_receive_expect entering: type
25 [preauth]
sre-bastion-service_1 | debug3: mm_request_receive entering [preauth]
sre-bastion-service_1 | debug3: mm_request_receive entering
sre-bastion-service_1 | debug3: monitor_read: checking request 24
sre-bastion-service_1 | debug3: mm_answer_keyverify: publickey
0x56201808e760 signature unverified
sre-bastion-service_1 | debug1: auth_activate_options: setting new
authentication options
sre-bastion-service_1 | debug3: mm_request_send entering: type 25
sre-bastion-service_1 | Failed publickey for break-glass from 172.21.0.1
port 35872 ssh2: RSA-CERT ID
vault-approle-cb8a0183bfb86549cfe4436bb163b52b0102fece03e60ce34a9ef3b03eeb7033
(serial 5407548119571357136) CA RSA
SHA256:exuOZzvSLJOi9d2qcaaQtigjOI/W1zHcC+b6WN4KxAo
sre-bastion-service_1 | debug2: userauth_pubkey: authenticated 0 pkalg
ssh-rsa-cert-...@openssh.com [preauth]
sre-bastion-service_1 | debug3: user_specific_delay: user specific delay
0.000ms [preauth]
sre-bastion-service_1 | debug3: ensure_minimum_time_since: elapsed
1.986ms, delaying 5.660ms (requested 7.646ms) [preauth]
sre-bastion-service_1 | debug3: userauth_finish: failure partial=0 next
methods="publickey,keyboard-interactive" [preauth]
sre-bastion-service_1 | debug3: send packet: type 51 [preauth]
sre-bastion-service_1 | debug3: receive packet: type 50 [preauth]
Here is my code:
/Create the OpenSshCertificate from the signed key from vault
String[] parts = vaultSignedSshResponse.getSignedKey().trim().split("
"); //in the attachment signed-cert.txt
ByteArrayBuffer bab = new ByteArrayBuffer(Base64.getDecoder().decode(parts[1]));
OpenSshCertificateImpl openSshCertificate = (OpenSshCertificateImpl)
bab.getRawPublicKey();
//try login using Client session
Security.addProvider(new BouncyCastleProvider());
KeyPair signedKeyPair = new KeyPair(openSshCertificate, keyPair.getPrivate());
SshClient sshClient = SshClient.setUpDefaultClient();
sshClient.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
sshClient.setHostConfigEntryResolver(HostConfigEntryResolver.EMPTY);
//sshClient.addPublicKeyIdentity(signedKe
[jira] [Commented] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160509#comment-17160509 ] Sandeep commented on SSHD-1037: --- [~lgoldstein] [~gnodet] Here is Junit test # Generated KeyPair. # Created encrypted private key and printed on log. # then used the same string output & decoded it to get keyPair. # Its decoded successfully. # log is attached. # I tried same output format key string as input to SSHD *OpenSSHKeyPairResourceParser* but faced the same problem. Not able to identify root cause. [^junit_test_output] [^KeyGenerationTest.java] > private openssh key parsing error > - > > Key: SSHD-1037 > URL: https://issues.apache.org/jira/browse/SSHD-1037 > Project: MINA SSHD > Issue Type: Question >Reporter: Sandeep >Priority: Major > Attachments: KeyGenerationTest.java, console_log, junit_test_output, > parsing_java_method > > > Hi Team, > I am not able to parse openssh key with the help of > *OpenSSHKeyPairResourceParser* class > Java code and log is attached. > Passwork of key is : RoldWtzuRB089Dztx7MmsIxe799c2MIL > Key is as follows, > -BEGIN OPENSSH PRIVATE KEY- > b3BlbnNzaC1rZXktdjEACmFlczEyOC1jYmMGYmNyeXB0GBAM > JEJgXHPG6QrP1OWVzu6TEAEAAACXB3NzaC1yc2EDAQAB > gQCqpdnaIOxhfmKQbiM3TtJPOofzCeQ0tC5jUyB/jEo2BLg8FZ0I/LNm0gSVD9DP > o/EJbFsHHGtX8iSB2t2mdszaJd1PX3e/5qEFm7P0tbqhp4sI+dgV+X3wvjADYBND > 6PS44vTgd9MY8zyB24wDoj5gRM/w/FW67EtgwTdYzmExtwAAAfFLV4x18tC9tXX1 > 5nBqQuHpZezdrY3z2MS5cq8eb8o/+CdHvlBtjvcob8Stm8+3QXx7HMRDhoZhn+Pa > EufIsRZ5Ta4XseJ2ukDeEzVZSa7hRrR56B3UUGhvKPEyMcQu33xH0/wsqoO8cmBs > GxqDKSRBw26lj7OFZT7cIgsv/zAr67Q+ycX7OpXa8TlKZw3qrO1HZXNkZtY4ooO/ > nDuDfmOKVlbZ4HWcPXpcbojI6r0LLOhte4czLv3sQskEkJkzlnG62oLA2zrpvGlw > 7u/uOtvuWNTwwFxJfQwwpiZRuACJIpyEJsTA+156SG0X+AIpAy8b6l3cOTLo00EP > JbW20l8K+DdMvT0RWr895KaI7vcs30JeFmysm8eMKTUdVDgu2Sy8Qd/1GMhi1AZy > peUWzvQNjauSwDoyJka5go0gUOa1biCl9o67Oy07estHnfeoK8NGcjmv14U1BP2a > 0KzazesOxvbalr6hlgq1DAVTvpSRw1vAAx4xE1RrVA3qNMcFf3W8tOf7WQCO9J5m > +o31L5Wiuh9uvPGN7tLbR1eOuwYMH7ICz0Ydvfkg5UFaFIYz8pUInLFFFle/YUMw > KEtFrJKYItON25XcpqciorilWXJw0BdK7w/aeHoOVxOQer2PSj36J/jn0oC64guP > g6SHko7U4Q== > -END OPENSSH PRIVATE KEY- > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org
[jira] [Updated] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sandeep updated SSHD-1037: -- Attachment: junit_test_output > private openssh key parsing error > - > > Key: SSHD-1037 > URL: https://issues.apache.org/jira/browse/SSHD-1037 > Project: MINA SSHD > Issue Type: Question >Reporter: Sandeep >Priority: Major > Attachments: KeyGenerationTest.java, console_log, junit_test_output, > parsing_java_method > > > Hi Team, > I am not able to parse openssh key with the help of > *OpenSSHKeyPairResourceParser* class > Java code and log is attached. > Passwork of key is : RoldWtzuRB089Dztx7MmsIxe799c2MIL > Key is as follows, > -BEGIN OPENSSH PRIVATE KEY- > b3BlbnNzaC1rZXktdjEACmFlczEyOC1jYmMGYmNyeXB0GBAM > JEJgXHPG6QrP1OWVzu6TEAEAAACXB3NzaC1yc2EDAQAB > gQCqpdnaIOxhfmKQbiM3TtJPOofzCeQ0tC5jUyB/jEo2BLg8FZ0I/LNm0gSVD9DP > o/EJbFsHHGtX8iSB2t2mdszaJd1PX3e/5qEFm7P0tbqhp4sI+dgV+X3wvjADYBND > 6PS44vTgd9MY8zyB24wDoj5gRM/w/FW67EtgwTdYzmExtwAAAfFLV4x18tC9tXX1 > 5nBqQuHpZezdrY3z2MS5cq8eb8o/+CdHvlBtjvcob8Stm8+3QXx7HMRDhoZhn+Pa > EufIsRZ5Ta4XseJ2ukDeEzVZSa7hRrR56B3UUGhvKPEyMcQu33xH0/wsqoO8cmBs > GxqDKSRBw26lj7OFZT7cIgsv/zAr67Q+ycX7OpXa8TlKZw3qrO1HZXNkZtY4ooO/ > nDuDfmOKVlbZ4HWcPXpcbojI6r0LLOhte4czLv3sQskEkJkzlnG62oLA2zrpvGlw > 7u/uOtvuWNTwwFxJfQwwpiZRuACJIpyEJsTA+156SG0X+AIpAy8b6l3cOTLo00EP > JbW20l8K+DdMvT0RWr895KaI7vcs30JeFmysm8eMKTUdVDgu2Sy8Qd/1GMhi1AZy > peUWzvQNjauSwDoyJka5go0gUOa1biCl9o67Oy07estHnfeoK8NGcjmv14U1BP2a > 0KzazesOxvbalr6hlgq1DAVTvpSRw1vAAx4xE1RrVA3qNMcFf3W8tOf7WQCO9J5m > +o31L5Wiuh9uvPGN7tLbR1eOuwYMH7ICz0Ydvfkg5UFaFIYz8pUInLFFFle/YUMw > KEtFrJKYItON25XcpqciorilWXJw0BdK7w/aeHoOVxOQer2PSj36J/jn0oC64guP > g6SHko7U4Q== > -END OPENSSH PRIVATE KEY- > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org
[jira] [Updated] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sandeep updated SSHD-1037: -- Attachment: KeyGenerationTest.java > private openssh key parsing error > - > > Key: SSHD-1037 > URL: https://issues.apache.org/jira/browse/SSHD-1037 > Project: MINA SSHD > Issue Type: Question >Reporter: Sandeep >Priority: Major > Attachments: KeyGenerationTest.java, console_log, parsing_java_method > > > Hi Team, > I am not able to parse openssh key with the help of > *OpenSSHKeyPairResourceParser* class > Java code and log is attached. > Passwork of key is : RoldWtzuRB089Dztx7MmsIxe799c2MIL > Key is as follows, > -BEGIN OPENSSH PRIVATE KEY- > b3BlbnNzaC1rZXktdjEACmFlczEyOC1jYmMGYmNyeXB0GBAM > JEJgXHPG6QrP1OWVzu6TEAEAAACXB3NzaC1yc2EDAQAB > gQCqpdnaIOxhfmKQbiM3TtJPOofzCeQ0tC5jUyB/jEo2BLg8FZ0I/LNm0gSVD9DP > o/EJbFsHHGtX8iSB2t2mdszaJd1PX3e/5qEFm7P0tbqhp4sI+dgV+X3wvjADYBND > 6PS44vTgd9MY8zyB24wDoj5gRM/w/FW67EtgwTdYzmExtwAAAfFLV4x18tC9tXX1 > 5nBqQuHpZezdrY3z2MS5cq8eb8o/+CdHvlBtjvcob8Stm8+3QXx7HMRDhoZhn+Pa > EufIsRZ5Ta4XseJ2ukDeEzVZSa7hRrR56B3UUGhvKPEyMcQu33xH0/wsqoO8cmBs > GxqDKSRBw26lj7OFZT7cIgsv/zAr67Q+ycX7OpXa8TlKZw3qrO1HZXNkZtY4ooO/ > nDuDfmOKVlbZ4HWcPXpcbojI6r0LLOhte4czLv3sQskEkJkzlnG62oLA2zrpvGlw > 7u/uOtvuWNTwwFxJfQwwpiZRuACJIpyEJsTA+156SG0X+AIpAy8b6l3cOTLo00EP > JbW20l8K+DdMvT0RWr895KaI7vcs30JeFmysm8eMKTUdVDgu2Sy8Qd/1GMhi1AZy > peUWzvQNjauSwDoyJka5go0gUOa1biCl9o67Oy07estHnfeoK8NGcjmv14U1BP2a > 0KzazesOxvbalr6hlgq1DAVTvpSRw1vAAx4xE1RrVA3qNMcFf3W8tOf7WQCO9J5m > +o31L5Wiuh9uvPGN7tLbR1eOuwYMH7ICz0Ydvfkg5UFaFIYz8pUInLFFFle/YUMw > KEtFrJKYItON25XcpqciorilWXJw0BdK7w/aeHoOVxOQer2PSj36J/jn0oC64guP > g6SHko7U4Q== > -END OPENSSH PRIVATE KEY- > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org
[jira] [Commented] (SSHD-1037) private openssh key parsing error
[
https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160425#comment-17160425
]
Lyor Goldstein commented on SSHD-1037:
--
{quote}
we have used "SshKeyPairGenerator.java" class from same publickey package to
generate keypair and after that we used the following code to generate OpenSSH
format
SshPrivateKeyFile prvfile
=SshPrivateKeyFileFactory.create(pair,passphrase,comment,
SshPrivateKeyFileFactory.OPENSSH_FORMAT);
byte[] keyData= prvfile.getFormattedKey();
above byte array keyData string conversion gives key format that I given in
above question.
{quote}
No doubt - but the result does not seem valid. AFAIK we can parse any key
generated by {{ssh-keygen}} so it would seem that the package being used
generates malformed keys...
> private openssh key parsing error
> -
>
> Key: SSHD-1037
> URL: https://issues.apache.org/jira/browse/SSHD-1037
> Project: MINA SSHD
> Issue Type: Question
>Reporter: Sandeep
>Priority: Major
> Attachments: console_log, parsing_java_method
>
>
> Hi Team,
> I am not able to parse openssh key with the help of
> *OpenSSHKeyPairResourceParser* class
> Java code and log is attached.
> Passwork of key is : RoldWtzuRB089Dztx7MmsIxe799c2MIL
> Key is as follows,
> -BEGIN OPENSSH PRIVATE KEY-
> b3BlbnNzaC1rZXktdjEACmFlczEyOC1jYmMGYmNyeXB0GBAM
> JEJgXHPG6QrP1OWVzu6TEAEAAACXB3NzaC1yc2EDAQAB
> gQCqpdnaIOxhfmKQbiM3TtJPOofzCeQ0tC5jUyB/jEo2BLg8FZ0I/LNm0gSVD9DP
> o/EJbFsHHGtX8iSB2t2mdszaJd1PX3e/5qEFm7P0tbqhp4sI+dgV+X3wvjADYBND
> 6PS44vTgd9MY8zyB24wDoj5gRM/w/FW67EtgwTdYzmExtwAAAfFLV4x18tC9tXX1
> 5nBqQuHpZezdrY3z2MS5cq8eb8o/+CdHvlBtjvcob8Stm8+3QXx7HMRDhoZhn+Pa
> EufIsRZ5Ta4XseJ2ukDeEzVZSa7hRrR56B3UUGhvKPEyMcQu33xH0/wsqoO8cmBs
> GxqDKSRBw26lj7OFZT7cIgsv/zAr67Q+ycX7OpXa8TlKZw3qrO1HZXNkZtY4ooO/
> nDuDfmOKVlbZ4HWcPXpcbojI6r0LLOhte4czLv3sQskEkJkzlnG62oLA2zrpvGlw
> 7u/uOtvuWNTwwFxJfQwwpiZRuACJIpyEJsTA+156SG0X+AIpAy8b6l3cOTLo00EP
> JbW20l8K+DdMvT0RWr895KaI7vcs30JeFmysm8eMKTUdVDgu2Sy8Qd/1GMhi1AZy
> peUWzvQNjauSwDoyJka5go0gUOa1biCl9o67Oy07estHnfeoK8NGcjmv14U1BP2a
> 0KzazesOxvbalr6hlgq1DAVTvpSRw1vAAx4xE1RrVA3qNMcFf3W8tOf7WQCO9J5m
> +o31L5Wiuh9uvPGN7tLbR1eOuwYMH7ICz0Ydvfkg5UFaFIYz8pUInLFFFle/YUMw
> KEtFrJKYItON25XcpqciorilWXJw0BdK7w/aeHoOVxOQer2PSj36J/jn0oC64guP
> g6SHko7U4Q==
> -END OPENSSH PRIVATE KEY-
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
-
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
[jira] [Commented] (SSHD-1037) private openssh key parsing error
[ https://issues.apache.org/jira/browse/SSHD-1037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17160411#comment-17160411 ] Guillaume Nodet commented on SSHD-1037: --- [~ssmali1505] could you write a junit test that generate the key and parse it ? that way, we can reproduce the problem and have a test ready for it at the same time... > private openssh key parsing error > - > > Key: SSHD-1037 > URL: https://issues.apache.org/jira/browse/SSHD-1037 > Project: MINA SSHD > Issue Type: Question >Reporter: Sandeep >Priority: Major > Attachments: console_log, parsing_java_method > > > Hi Team, > I am not able to parse openssh key with the help of > *OpenSSHKeyPairResourceParser* class > Java code and log is attached. > Passwork of key is : RoldWtzuRB089Dztx7MmsIxe799c2MIL > Key is as follows, > -BEGIN OPENSSH PRIVATE KEY- > b3BlbnNzaC1rZXktdjEACmFlczEyOC1jYmMGYmNyeXB0GBAM > JEJgXHPG6QrP1OWVzu6TEAEAAACXB3NzaC1yc2EDAQAB > gQCqpdnaIOxhfmKQbiM3TtJPOofzCeQ0tC5jUyB/jEo2BLg8FZ0I/LNm0gSVD9DP > o/EJbFsHHGtX8iSB2t2mdszaJd1PX3e/5qEFm7P0tbqhp4sI+dgV+X3wvjADYBND > 6PS44vTgd9MY8zyB24wDoj5gRM/w/FW67EtgwTdYzmExtwAAAfFLV4x18tC9tXX1 > 5nBqQuHpZezdrY3z2MS5cq8eb8o/+CdHvlBtjvcob8Stm8+3QXx7HMRDhoZhn+Pa > EufIsRZ5Ta4XseJ2ukDeEzVZSa7hRrR56B3UUGhvKPEyMcQu33xH0/wsqoO8cmBs > GxqDKSRBw26lj7OFZT7cIgsv/zAr67Q+ycX7OpXa8TlKZw3qrO1HZXNkZtY4ooO/ > nDuDfmOKVlbZ4HWcPXpcbojI6r0LLOhte4czLv3sQskEkJkzlnG62oLA2zrpvGlw > 7u/uOtvuWNTwwFxJfQwwpiZRuACJIpyEJsTA+156SG0X+AIpAy8b6l3cOTLo00EP > JbW20l8K+DdMvT0RWr895KaI7vcs30JeFmysm8eMKTUdVDgu2Sy8Qd/1GMhi1AZy > peUWzvQNjauSwDoyJka5go0gUOa1biCl9o67Oy07estHnfeoK8NGcjmv14U1BP2a > 0KzazesOxvbalr6hlgq1DAVTvpSRw1vAAx4xE1RrVA3qNMcFf3W8tOf7WQCO9J5m > +o31L5Wiuh9uvPGN7tLbR1eOuwYMH7ICz0Ydvfkg5UFaFIYz8pUInLFFFle/YUMw > KEtFrJKYItON25XcpqciorilWXJw0BdK7w/aeHoOVxOQer2PSj36J/jn0oC64guP > g6SHko7U4Q== > -END OPENSSH PRIVATE KEY- > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org
