[ssh_x509] SSHX509 upgrade issue

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sat Jun 17 12:39:03 EEST 2017


Hello Mudassir ,


ssh_x509 at roumenpetrov.info wrote:
> Hi Roumen
>
> yes, its with X509 EC keys and we installed the latest release on both
> client and server. the previous one was PKIX-SSH 0.8, although that
PKIX-SSH 8.0 includes OpenSSH 6.6p1 and 8.2 includes OpenSSH 6.7p1.

> installation is on older version

I'm not able to reproduce the issue.

Server log of 10.2 (+ current development) shows
......
debug1: Client protocol version 2.0; client software version OpenSSH_6.6 PKIX
debug1: match: OpenSSH_6.6 PKIX pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: x.509 compatibility rfc6187_missing_key_identifier=yes: pattern 'OpenSSH*' match 'OpenSSH_6.6 PKIX'
debug1: x.509 compatibility rfc6187_asn1_opaque_ecdsa_signature=yes: pattern 'OpenSSH*' match 'OpenSSH_6.6 PKIX'
debug1: x.509 compatibility broken list with accepted publickey algorithms=no: pattern 'OpenSSH*PKIX*' match 'OpenSSH_6.6 PKIX'
debug1: Local version string SSH-2.0-OpenSSH_7.5 PKIX[X.Yb0] Local PerSoNaL TeSTs
......
... (The above means that the broken encoding of the key blob was detected: "rfc6187_missing_key_identifier=yes")
......
debug2: input_userauth_request: try method publickey
debug3: Xkey_from_blob() pkalg='x509v3-ecdsa-sha2-nistp256', blen=3538
debug3: X509key_from_buf2_common: certificate-count: 2
.......
... (due to the compatibility flag "rfc6187_missing_key_identifier=yes" the key blob is read differently)
......
... (then the log continues with:)
debug3: ssh_x509_verify:  key alg/type/name: x509v3-ecdsa-sha2-nistp256/ECDSA+cert/x509v3-ecdsa-sha2-nistp256
debug3: ssh_x509_verify: compatibility: { 0x14000000, 0x00000003 }
debug3: ssh_x509_verify: signature name = ecdsa-sha2-nistp256
debug3: ssh_x509_verify: md=ssh-sha256, loc=0
.......
Accepted publickey for rumen from 127.0.0.1 port 56784 ssh2: ECDSA+cert SHA256:.....
......

> so what should I do to fix this issue ?
Not reproducible :(

> is there a way to properly upgrade, or should we install it in the  using
> configure, make, make install
Yes, this is the way (or from a package), and then restart the server and/or agent.

> Regards,
> Mudassir
>
> On Tue, Jun 13, 2017 at 11:26 AM, <ssh_x509 at roumenpetrov.info> wrote:
>
>> ssh_x509 at roumenpetrov.info wrote:
>>
>>> Hi Roumen,
>>>
>>> I have upgraded SSH x509 from
>>>
>>> OpenSSH_6.5p1, OpenSSL 1.0.2g  1 Mar 2016
>>>
>>> to
>>>
>>> PKIX-SSH 10.2, OpenSSH_7.5p1, OpenSSL 1.0.1f 6 Jan 2014
>>>
>>>
>>> after upgrade, we're getting following error, any idea?
>>>
>>> X509key_from_buf2_common: the number of X.509 certificates exceed limit(813826572 > 100)
>>> ssh_dispatch_run_fatal: Connection to 10.10.xx.xx port 2222: invalid format

In your case the error is "... limit(813826572 > 100) ..."
So the number 813826572 corresponds to the hex bytes 30 82 02 0C. This looks like 
an ASN.1 sequence (if I read properly):
0x30 tag for sequence
  0x82 length of value
   0x02 integer type
    0x0C length of integer (?!?)
No idea what is encoded here.

It is not an RFC 6187 key, neither in correct nor in broken format.

Roumen
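Added example, not code from PKIX-SSH or from anyone in this thread: a small Python parser for the x509v3-* public key blob layout defined in RFC 6187 (key-type identifier string, uint32 certificate-count, certificates as strings, uint32 ocsp-response-count, OCSP responses as strings), with a switch that mimics the server's `rfc6187_missing_key_identifier` compatibility mode, where the blob starts directly at certificate-count. It is run over constructed blobs, and shows how a blob that begins with raw DER bytes (SEQUENCE tag 0x30, long-form length 0x82 0x02 0x0C) is read as a certificate-count of 813826572, the value in the error above. The certificate bytes are placeholders of the right shape, not real certificates; the limit of 100 is taken from the error message; function and field names follow the RFC, not PKIX-SSH's own code.

```python
# RFC 6187, section 2.2.1, x509v3-* public key blob:
#   string  key-type identifier (e.g. "x509v3-ecdsa-sha2-nistp256")
#   uint32  certificate-count
#   string  certificate[1 .. certificate-count]   (DER, sender's cert first)
#   uint32  ocsp-response-count
#   string  ocsp-response[1 .. ocsp-response-count]
# Older PKIX-SSH clients omitted the leading identifier string; the server log
# above shows the "rfc6187_missing_key_identifier=yes" compatibility flag that
# makes the parser start at certificate-count instead.
import struct

MAX_CERTS = 100          # limit quoted in the error message on this page
DER_SEQUENCE = 0x30      # ASN.1 tag of a SEQUENCE (every X.509 cert starts with it)
ALG = "x509v3-ecdsa-sha2-nistp256"


def put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def get_uint32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def get_string(buf: bytes, off: int):
    n, off = get_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_x509v3_blob(blob: bytes, alg: str, missing_key_identifier: bool = False):
    """Split an RFC 6187 key blob into (certificates, ocsp_responses).

    missing_key_identifier=True models the compatibility flag from the log:
    the blob is then expected to begin directly with certificate-count.
    """
    off = 0
    if not missing_key_identifier:
        name, off = get_string(blob, off)
        if name != alg.encode():
            raise ValueError(f"key-type identifier {name!r} does not match {alg!r}")
    count, off = get_uint32(blob, off)
    if count > MAX_CERTS:   # same sanity check that fired in the thread
        raise ValueError(
            f"the number of X.509 certificates exceed limit({count} > {MAX_CERTS})")
    certs = []
    for _ in range(count):
        cert, off = get_string(blob, off)
        certs.append(cert)
    ocsp_count, off = get_uint32(blob, off)
    ocsp = []
    for _ in range(ocsp_count):
        resp, off = get_string(blob, off)
        ocsp.append(resp)
    if off != len(blob):
        raise ValueError("trailing bytes after key blob")
    return certs, ocsp


def der_header(data: bytes):
    """Decode tag and length of the first DER TLV -> (tag, length, header_len)."""
    tag, first = data[0], data[1]
    if first & 0x80:                       # long form: low 7 bits = number of length octets
        n = first & 0x7F
        return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n
    return tag, first, 2


# Constructed stand-ins for DER certificates (not real certificates). A real
# certificate is a SEQUENCE and also starts 30 82 <len-hi> <len-lo>; this one
# declares a 524-byte (0x020C) body, so the whole TLV is 528 bytes.
FAKE_CERT = b"\x30\x82\x02\x0c" + b"\x00" * 0x020C
FAKE_CA = b"\x30\x82\x01\x00" + b"\x00" * 0x0100


def rfc6187_blob() -> bytes:
    """Well-formed blob: identifier, two certificates, no OCSP responses."""
    return (put_string(ALG.encode()) + struct.pack(">I", 2)
            + put_string(FAKE_CERT) + put_string(FAKE_CA) + struct.pack(">I", 0))


def legacy_blob() -> bytes:
    """Same content with the key-type identifier omitted (old PKIX-SSH encoding)."""
    return rfc6187_blob()[len(put_string(ALG.encode())):]


def misread_count(blob: bytes) -> int:
    """What a parser sees as certificate-count when the blob starts with raw DER."""
    return get_uint32(blob, 0)[0]
```

Feeding `FAKE_CERT` itself to `parse_x509v3_blob(..., missing_key_identifier=True)` reproduces the shape of the error in the thread: the first four bytes 30 82 02 0C are consumed as a uint32 and come out as 813826572, which trips the 100-certificate limit before any certificate is read, while `der_header(FAKE_CERT)` reads the same bytes as SEQUENCE, length 524.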
