[Twisted-Python] twisted.conch.checkers.SSHPublicKeyDatabase validate signature data

Adi Roiban adi at roiban.ro
Mon Apr 22 07:35:48 EDT 2013


On 22 April 2013 12:01, Adi Roiban <adi at roiban.ro> wrote:

> Hi,
>
> In RFC 4252 http://www.ietf.org/rfc/rfc4252.txt for The Secure Shell
> (SSH) Authentication Protocol at section 7. Public Key Authentication
> Method: "publickey"
>
> There is the following information about SSH public key signature.
>
>  The value of 'signature' is a signature by the corresponding private key over the following data, in the following order:
>
>       string    session identifier
>       byte      SSH_MSG_USERAUTH_REQUEST
>       string    user name
>       string    service name
>       string    "publickey"
>       boolean   TRUE
>       string    public key algorithm name
>       string    public key to be used for authentication
>
>    When the server receives this message, it MUST check whether the supplied key is acceptable for authentication, and if so, it MUST check whether the signature is correct.
>
> The current code check that key is accepted for authentication and it also
> verifies if signature is correct.
>
> It does not check that session the format of the signed data, especially
> if session identifier from signed data is  the same as the session of the
> the current SSH transport  session.
>
> -----
>
> I also found this document describing how ssh public key authentication
> works, but it differes from the current conch.ssh userauth.py
> implementation... maybe it is for SSH v1
> http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#chal
>
> ------
>
> Shouldn't twisted.conch.checkers.SSHPublicKeyDatabase also check that
> session id from signed data match the one from transport session?
>
> Maybe it does but I am not looking at the right place.
>
> I see that in conch/checkers.py line 167
> https://github.com/tomprince/twisted/blob/trunk/twisted/conch/checkers.py#L167
> there is this check, which once signature is valid  it just returns
> avatar_id:
>
>                 if pubKey.verify(credentials.signature,
> credentials.sigData):
>                     return credentials.username
>

I found out that I was wrong and I found how the signed data is generated.
Here is the imprtant part:
https://github.com/tomprince/twisted/blob/trunk/twisted/conch/ssh/userauth.py#L268



Sorry for the trouble!
-- 
Adi Roiban
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-python/attachments/20130422/7e40ecb8/attachment.htm 


More information about the Twisted-Python mailing list