[Twisted-Python] twisted.conch.checkers.SSHPublicKeyDatabase validate signature data

Adi Roiban adi at roiban.ro
Mon Apr 22 03:01:52 MDT 2013


Hi,

In RFC 4252 (http://www.ietf.org/rfc/rfc4252.txt), The Secure Shell (SSH)
Authentication Protocol, section 7, Public Key Authentication Method:
"publickey",

there is the following information about the SSH public key signature.

 The value of 'signature' is a signature by the corresponding private
key over the following data, in the following order:

      string    session identifier
      byte      SSH_MSG_USERAUTH_REQUEST
      string    user name
      string    service name
      string    "publickey"
      boolean   TRUE
      string    public key algorithm name
      string    public key to be used for authentication

   When the server receives this message, it MUST check whether the
supplied key is acceptable for authentication, and if so, it MUST
check whether the signature is correct.

The current code checks that the key is accepted for authentication and it
also verifies that the signature is correct.

It does not check the format of the signed data, especially whether the
session identifier from the signed data is the same as the session identifier
of the current SSH transport session.

-----

I also found this document describing how SSH public key authentication
works, but it differs from the current conch.ssh userauth.py
implementation... maybe it is for SSH v1:
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#chal

------

Shouldn't twisted.conch.checkers.SSHPublicKeyDatabase also check that the
session id from the signed data matches the one from the transport session?

Maybe it does but I am not looking at the right place.

I see that in conch/checkers.py line 167
https://github.com/tomprince/twisted/blob/trunk/twisted/conch/checkers.py#L167
there is this check, which, once the signature is valid, just returns the
avatar_id:

    if pubKey.verify(credentials.signature, credentials.sigData):
        return credentials.username

Thanks!

-- 
Adi Roiban
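The RFC 4252 layout quoted above, and the missing binding check the message asks about, as an added example that is not part of the original post and not Twisted's own code: it builds the signed byte sequence in the order the RFC gives and then parses it back, rejecting data whose session identifier, message type, user, service, method, boolean, algorithm or key blob does not match the current transport and request. It assumes a checker that receives the raw sigData bytes alongside the values of the current session (an assumption of this example, not a description of how conch passes them); the session ids and key blob are constructed sample values.

```python
import struct

# Message number of SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 6).
SSH_MSG_USERAUTH_REQUEST = 50


class SigDataError(ValueError):
    """Raised when the signed data is malformed or not bound to this transport/request."""


def ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH 'string': uint32 big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def build_sig_data(session_id: bytes, user: bytes, service: bytes,
                   key_alg: bytes, key_blob: bytes) -> bytes:
    """Assemble the bytes a publickey signature covers, in the RFC 4252 section 7 order."""
    return (
        ssh_string(session_id)
        + bytes([SSH_MSG_USERAUTH_REQUEST])
        + ssh_string(user)
        + ssh_string(service)
        + ssh_string(b"publickey")
        + b"\x01"                        # boolean TRUE
        + ssh_string(key_alg)
        + ssh_string(key_blob)
    )


def _read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise SigDataError("truncated string length at offset %d" % off)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise SigDataError("truncated string body at offset %d" % off)
    return buf[off:off + n], off + n


def check_sig_data(sig_data: bytes, session_id: bytes, user: bytes,
                   service: bytes, key_alg: bytes, key_blob: bytes) -> bool:
    """Parse sig_data field by field and verify each one is bound to the current
    transport (session_id) and to the request being authenticated.

    Returns True when every field matches, raises SigDataError otherwise. This
    checks the structure and binding of the signed bytes; it runs in addition
    to, never instead of, verifying the signature itself."""
    off = 0
    got_session, off = _read_string(sig_data, off)
    if got_session != session_id:
        raise SigDataError("session identifier belongs to a different transport")
    if off >= len(sig_data) or sig_data[off] != SSH_MSG_USERAUTH_REQUEST:
        raise SigDataError("message type is not SSH_MSG_USERAUTH_REQUEST")
    off += 1
    for label, want in (("user name", user), ("service name", service),
                        ("method name", b"publickey")):
        got, off = _read_string(sig_data, off)
        if got != want:
            raise SigDataError("%s in signed data does not match the request" % label)
    # RFC 4251: a boolean is one byte and any non-zero value means TRUE.
    if off >= len(sig_data) or sig_data[off] == 0:
        raise SigDataError("boolean field is not TRUE")
    off += 1
    for label, want in (("public key algorithm", key_alg), ("public key", key_blob)):
        got, off = _read_string(sig_data, off)
        if got != want:
            raise SigDataError("%s in signed data does not match the request" % label)
    if off != len(sig_data):
        raise SigDataError("%d trailing byte(s) after the public key" % (len(sig_data) - off))
    return True


def sig_data_is_bound(sig_data: bytes, **fields) -> bool:
    """Same check as check_sig_data, returning False instead of raising."""
    try:
        return check_sig_data(sig_data, **fields)
    except SigDataError:
        return False


# Constructed sample values for demonstration only (not real session ids or keys).
SESSION_A = bytes(range(32))
SESSION_B = bytes(range(32, 64))
USER = b"alice"
SERVICE = b"ssh-connection"
KEY_ALG = b"ssh-ed25519"
KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)

if __name__ == "__main__":
    current = dict(session_id=SESSION_A, user=USER, service=SERVICE,
                   key_alg=KEY_ALG, key_blob=KEY_BLOB)
    fresh = build_sig_data(SESSION_A, USER, SERVICE, KEY_ALG, KEY_BLOB)
    replayed = build_sig_data(SESSION_B, USER, SERVICE, KEY_ALG, KEY_BLOB)
    print("bound to this session:", sig_data_is_bound(fresh, **current))
    print("signed under another session:", sig_data_is_bound(replayed, **current))
```

The second case in the usage block is the one the question is about: a blob signed by the right key but over a different session identifier still carries a valid signature, so a checker that only calls verify() on whatever sigData it is handed would accept it; comparing the parsed session identifier against the transport's own value is what ties the signature to this connection.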