[Twisted-Python] twisted.conch.checkers.SSHPublicKeyDatabase validate signature data
adi at roiban.ro
Mon Apr 22 05:01:52 EDT 2013
In RFC 4252 http://www.ietf.org/rfc/rfc4252.txt for The Secure Shell (SSH)
Authentication Protocol, at section 7, Public Key Authentication Method,
there is the following information about the SSH public key signature:
The value of 'signature' is a signature by the corresponding private
key over the following data, in the following order:
string session identifier
string user name
string service name
string public key algorithm name
string public key to be used for authentication
When the server receives this message, it MUST check whether the
supplied key is acceptable for authentication, and if so, it MUST
check whether the signature is correct.
The current code checks that the key is accepted for authentication and it also
verifies that the signature is correct.
It does not check the format of the signed data, especially whether the
session identifier from the signed data is the same as the session id of the
current SSH transport session.
I also found this document describing how SSH public key authentication
works, but it differs from the current conch.ssh userauth.py
implementation... maybe it is for SSH v1.
Shouldn't twisted.conch.checkers.SSHPublicKeyDatabase also check that the
session id from the signed data matches the one from the transport session?
Maybe it does but I am not looking at the right place.
I see that in conch/checkers.py line 167
there is this check, which, once the signature is valid, just returns
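An added example (not Twisted's code and not part of this thread) showing the full RFC 4252 section 7 signed-data layout, which also carries the SSH_MSG_USERAUTH_REQUEST byte, the "publickey" method name and a TRUE boolean between the strings quoted above, together with a server-side check that rebuilds that data from its own transport session id before verifying the signature, so a signature made for another session cannot validate. The signature is a keyed-HMAC stand-in so the example runs on the standard library (Twisted itself uses Key.sign / Key.verify); the user name, key blob, secret and session ids are constructed.

```python
import hashlib
import hmac
import struct

MSG_USERAUTH_REQUEST = 50  # SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 5)

def ns(data):
    """SSH 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_signed_data(session_id, user, service, alg_name, pubkey_blob):
    """Bytes the client signs for a publickey USERAUTH_REQUEST (RFC 4252, section 7)."""
    return (ns(session_id) + bytes([MSG_USERAUTH_REQUEST]) + ns(user)
            + ns(service) + ns(b"publickey")
            + b"\xff"  # boolean TRUE: a signature follows
            + ns(alg_name) + ns(pubkey_blob))

def check_publickey_auth(transport_session_id, user, service, alg_name,
                         pubkey_blob, signature, verify):
    """Server side: rebuild the signed data from the server's OWN transport
    session id, then verify the client's signature over that.  The client never
    sends the signed data, only the signature, so a signature produced for
    another session (or another user/service) cannot validate here."""
    expected = build_signed_data(transport_session_id, user, service,
                                 alg_name, pubkey_blob)
    return verify(signature, expected)

# Stand-in for the asymmetric signature (Twisted uses Key.sign / Key.verify).
# A keyed HMAC is used only so the example runs on the standard library; the
# session-binding logic above is unchanged for a real private-key signature.
def stand_in_sign(secret, data):
    return hmac.new(secret, data, hashlib.sha256).digest()

def stand_in_verifier(secret):
    return lambda signature, data: hmac.compare_digest(
        signature, stand_in_sign(secret, data))

def demo():
    secret = b"constructed-demo-key"  # constructed; stands in for the key pair
    blob = ns(b"ssh-rsa") + ns(b"\x01\x00\x01") + ns(b"\x00constructed")  # constructed
    session_a, session_b = b"\x11" * 32, b"\x22" * 32  # constructed session ids
    args = (b"alice", b"ssh-connection", b"ssh-rsa", blob)
    sig = stand_in_sign(secret, build_signed_data(session_a, *args))
    verify = stand_in_verifier(secret)
    same_session = check_publickey_auth(session_a, *args, sig, verify)
    other_session = check_publickey_auth(session_b, *args, sig, verify)
    return same_session, other_session  # (True, False)
```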