Bug 1493406
| Summary: | Regression: SSH authorized_keys now has strict syntax WRT to spaces | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Stef Walter <stefw> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | medium | ||
| Version: | 7.4 | CC: | mpitt, nmavrogi |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Known Issue | |
| Doc Text: |
Parsing of *OpenSSH* public keys is more strict
Previously, the parsing of public keys was changed to be more strict. As a consequence, additional spaces between the key type string and the key blob string are no longer ignored, and login attempts with such keys now fail. To work around this problem, ensure that there is only one space character between the key type and the key blob.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-02-11 15:39:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Stef Walter
2017-09-20 06:46:27 UTC
Hmmm, I pasted bad. Here's an authorized_key line that used to work, but no longer does: ssh-rsa AAAAB3NzaC1yc2EAAAAB.... blah Here's an authorized_key line that works on both old and now openssh: ssh-rsa AAAAB3NzaC1yc2EAAAAB.... blah This change was introduced in 2014 (openssh-6.7) with the commit [1], in (ssh)key.c method (ssh)key_read(), which is parsing the public key from buffer. The old uudecode() method was replaced by the new sshbuf_b64tod() buffer call. The first method was skipping leading and trailing whitespace, but the second one is not (also it is already getting a "zero-length buffer" as an argument -- strchr(cp, ' ') returns the immediately following space).
The fix can look like introducing the skipping of the whitespace in the sshkey_read() function, but as already mentioned, I am not sure how 3 years old bug will be accepted. Though lets give it a try. The following patch will allow me reading the keys with more whitespace characters between key identificator and the key blob:
diff --git a/sshkey.c b/sshkey.c
index fe874043..f5cf3bef 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1210,6 +1210,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
return SSH_ERR_KEY_TYPE_MISMATCH;
if ((blob = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
+ /* skip whitespace */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
+ ;
/* trim comment */
space = strchr(cp, ' ');
if (space) {
Let's see upstream opinions.
[1] https://github.com/openssh/openssh-portable/commit/8668706d
*** Bug 1498614 has been marked as a duplicate of this bug. *** FYI, this was fixed upstream and will be in OpenSSH 7.7 release, but in rather more complicated form than I proposed. We will probably not be able to backport the upstream fix, because it depends on removing the SSHv1 keys, but we might be able to achieve something similar if we would consider this as important enough. This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable. |