-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support loading SSH keys serialized with 'rsa-sha2-{256,512}' as their key type string #11233
Support loading SSH keys serialized with 'rsa-sha2-{256,512}' as their key type string #11233
Conversation
124b1cb
to
1e123c3
Compare
I'm fine with supporting this, but I'd love to know some examples of software that generated keys with this prefix. 😄 |
I'm ambivalent about supporting this and have the same question:D
…On Tue, Jul 9, 2024, 3:32 PM Paul Kehrer ***@***.***> wrote:
I'm fine with supporting this, but I'd love to know some examples of
software that generated keys with this prefix. 😄
—
Reply to this email directly, view it on GitHub
<#11233 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBBYSXMLFYCHABPBRDLZLQ3FTAVCNFSM6AAAAABKTJTE4CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJYGQ4DOOBUGY>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
@reaperhulk wrote:
I wish I could tell you, but I'm uncertain myself 😅. Here is an Internet-facing server observed by Shodan which:
Quite likely keys like this get overlooked because OpenSSH itself doesn't probe them and doesn't find them. OpenSSH's own
Basically, if you ask this weird server "what is your
|
tl;dr:
|
What do other libraries, such as go's x/crypto/ssh do?
…On Tue, Jul 9, 2024 at 6:53 PM Daniel Lenski ***@***.***> wrote:
tl;dr:
- RFC-compliant SSH servers will give you the *exact same* key bytes
if you ask them "what is your ssh-rsa key?" or "what is your
rsa-sha2-{256,512} key?", with the same key-type prefix (
\0\0\0\7ssh-rsa) to the host-key bytes.
- There are weird/bad/non-compliant servers which will give you a
different prefix depending on which one you ask for.
- Given the historical baggage and inconsistency wherein different
uses have been shoehorned into the same field (public key *type* vs.
key *exchange* algorithm) this kind of inconsistent behavior seems
inevitable.
- ∴ pyca/cryptography should be able to load the weird/non-compliant
forms of the key, for maximum robustness 😃
—
Reply to this email directly, view it on GitHub
<#11233 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBAHEL6TMN3XCRO3TQTZLRSVTAVCNFSM6AAAAABKTJTE4CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJYHA3DOMBSGM>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
|
@alex wrote:
I personally have zero knowledge about the Go ecosystem, but a quick grep in the codebase shows they have a near-identical (hmmm 🤨) comment about how |
1e123c3
to
5063488
Compare
I don't understand the flake8 failure in CI. There appears to be something missing from the log. |
Just run ruff locally and it will automatically reformat. |
nox -e local will do this along with running tests btw |
…r key type string As described in RFC 8332 [1] ("Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol"): > Since RSA keys are not dependent on the choice of hash function, the > new public key algorithms reuse the "ssh-rsa" public key format as > defined in [RFC4253]: > > … > > All aspects of the "ssh-rsa" format are kept, including the encoded > string "ssh-rsa". This allows existing RSA keys to be used with the > new public key algorithms, without requiring re-encoding or affecting > already trusted key fingerprints. Some real-world SSH servers nevertheless represent their RSA public keys using the string `rsa-sha2-256` or `rsa-sha2-512` instead of `ssh-rsa`, so the library should support LOADING them for robustness. [1] https://datatracker.ietf.org/doc/html/rfc8332#section-3
5063488
to
395d82a
Compare
It is not generally our approach to be maximally accepting of non-compliant data. Absent a concrete need to support incorrect things we err on the side of standards correctness and/or minimal surface area. I'm -1 on adding support for this until/unless we find a significant real world deployment doing this wrong, although I appreciate you doing the diligence to find out the current state of the world! @alex any objections? |
I agree with Paul
…On Thu, Jul 18, 2024, 3:14 PM Paul Kehrer ***@***.***> wrote:
It is not generally our approach to be maximally accepting of
non-compliant data. Absent a concrete need to support incorrect things we
err on the side of standards correctness and/or minimal surface area. I'm
-1 on adding support for this until/unless we find a significant real world
deployment doing this wrong, although I appreciate you doing the diligence
to find out the current state of the world! @alex
<https://github.com/alex> any objections?
—
Reply to this email directly, view it on GitHub
<#11233 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBCHKFLBYVUM26DTCA3ZNAH3FAVCNFSM6AAAAABKTJTE4CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMZXGM2TGMJWGU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Thanks, I do understand this point of view and the drive for adherence to standards and sanity. However, I also think that widely-used cryptographic libraries like this one ought to adhere to the robustness principle ("be liberal in what you accept as input, be conservative in what you output") in order to maximize adoption. If widely-used and carefully-implemented libraries don't support loading and using cryptographic objects in slightly-malformed but unambiguous formats, then those who encounter such formats are likely going to turn to "roll-your-own cryptography" as an alternative… and that has a long history of bad consequences. 😅 |
The robustness principle has been repudiated by many of us who work in security, see https://datatracker.ietf.org/doc/html/rfc9413 |
As described in RFC 8332 [1] ("Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell (SSH) Protocol"):
Some real-world SSH servers nevertheless represent their RSA public keys using the string
rsa-sha2-256
orrsa-sha2-512
instead ofssh-rsa
, so the library should support LOADING them for robustness.[1] https://datatracker.ietf.org/doc/html/rfc8332#section-3