[Twisted-Python] twisted.conch.checkers.SSHPublicKeyDatabase validate signature data
adi at roiban.ro
Mon Apr 22 07:35:48 EDT 2013
On 22 April 2013 12:01, Adi Roiban <adi at roiban.ro> wrote:
> In RFC 4252 http://www.ietf.org/rfc/rfc4252.txt for The Secure Shell
> (SSH) Authentication Protocol at section 7. Public Key Authentication
> Method: "publickey"
> There is the following information about SSH public key signature.
> The value of 'signature' is a signature by the corresponding private key over the following data, in the following order:
> string session identifier
> byte SSH_MSG_USERAUTH_REQUEST
> string user name
> string service name
> string "publickey"
> boolean TRUE
> string public key algorithm name
> string public key to be used for authentication
> When the server receives this message, it MUST check whether the supplied key is acceptable for authentication, and if so, it MUST check whether the signature is correct.
> The current code checks that the key is accepted for authentication and it also
> verifies if the signature is correct.
> It does not check the format of the signed data, especially
> if the session identifier from the signed data is the same as the session of
> the current SSH transport session.
> I also found this document describing how ssh public key authentication
> works, but it differs from the current conch.ssh userauth.py
> implementation... maybe it is for SSH v1
> Shouldn't twisted.conch.checkers.SSHPublicKeyDatabase also check that
> session id from signed data matches the one from transport session?
> Maybe it does but I am not looking at the right place.
> I see that in conch/checkers.py line 167
> there is this check, which once signature is valid it just returns
> if pubKey.verify(credentials.signature,
> return credentials.username
I found out that I was wrong and I found how the signed data is generated.
Here is the important part:
Sorry for the trouble!
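
An added example, not part of the original post and not Twisted's code: a standalone sketch of the check the question asks about. It builds the signed data in the field order quoted from RFC 4252 and tests whether a received blob is well formed and carries the current transport's session identifier. All function names and sample values are made up for illustration.

```python
import hmac
import struct

USERAUTH_REQUEST = b"\x32"  # SSH_MSG_USERAUTH_REQUEST (50) as one byte

def ssh_string(data):
    # SSH "string": uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def build_signed_data(session_id, user, service, algorithm, key_blob):
    # Fields in the order quoted from RFC 4252 section 7.
    return (ssh_string(session_id) + USERAUTH_REQUEST + ssh_string(user)
            + ssh_string(service) + ssh_string(b"publickey") + b"\x01"
            + ssh_string(algorithm) + ssh_string(key_blob))

def read_string(buf, off):
    # Decode one SSH string at off; struct.error if the length is cut short.
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_signed_data(buf):
    # Split the blob into its fields; raises if the layout is wrong.
    session_id, off = read_string(buf, 0)
    if buf[off:off + 1] != USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(buf, off + 1)
    service, off = read_string(buf, off)
    method, off = read_string(buf, off)
    if method != b"publickey" or buf[off:off + 1] != b"\x01":
        raise ValueError("not a signed publickey request")
    algorithm, off = read_string(buf, off + 1)
    key_blob, off = read_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes")
    return session_id, user, service, algorithm, key_blob

def bound_to_session(signed_data, transport_session_id):
    # True only if the blob is well formed and names this transport session.
    try:
        claimed = parse_signed_data(signed_data)[0]
    except (ValueError, struct.error):
        return False
    return hmac.compare_digest(claimed, transport_session_id)

# Constructed sample values, not taken from a real session.
SESSION_A, SESSION_B = bytes(range(20)), bytes(range(20, 40))
BLOB_A = build_signed_data(SESSION_A, b"adi", b"ssh-connection",
                           b"ssh-rsa", b"constructed-key-blob")
```

A server that assembles this blob itself from its own transport's session identifier, and verifies the signature over that, gets the same binding without parsing anything the client supplied.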