
Keep using the default (ssh-rsa) signing algo for SSH handshakes
x/crypto/ssh does not support SHA2 signatures for handshakes yet. We'll
keep using SHA2 for cert signing, but handshakes have to wait.
Andrew Lytvynov authored and awly committed Jun 24, 2020
1 parent a32ed8b commit d326010
Showing 6 changed files with 5 additions and 26 deletions.
6 changes: 1 addition & 5 deletions lib/auth/init.go
Expand Up @@ -790,7 +790,7 @@ func ReadTLSIdentityFromKeyPair(keyBytes, certBytes []byte, caCertsBytes [][]byt
return identity, nil
}

// ReadSSHIdentityFromKeyPair reads identity from initialized keypair.
// ReadSSHIdentityFromKeyPair reads identity from initialized keypair
func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
if len(keyBytes) == 0 {
return nil, trace.BadParameter("PrivateKey: missing private key")
Expand All @@ -814,10 +814,6 @@ func ReadSSHIdentityFromKeyPair(keyBytes, certBytes []byte) (*Identity, error) {
if err != nil {
return nil, trace.BadParameter("failed to parse private key: %v", err)
}
// Inherit the cert signature algorithm from CA signature.
// Whatever auth server decided to use for SSH cert signing should be used
// by the resulting certs for signing.
signer = sshutils.AlgSigner(signer, cert.Signature.Format)
// this signer authenticates using certificate signed by the cert authority
// not only by the public key
certSigner, err := ssh.NewCertSigner(cert, signer)
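--- a/lib/client/interfaces.go
+++ b/lib/client/interfaces.go
@@ -27,7 +27,6 @@ import (
 "github.com/gravitational/teleport"
 "github.com/gravitational/teleport/lib/auth"
 "github.com/gravitational/teleport/lib/auth/native"
-"github.com/gravitational/teleport/lib/sshutils"
 "github.com/gravitational/teleport/lib/tlsca"
 "github.com/gravitational/teleport/lib/utils"
 
@@ -246,10 +245,6 @@ func (k *Key) AsAuthMethod() (ssh.AuthMethod, error) {
 if signer, err = ssh.NewCertSigner(keys[0].Certificate, signer); err != nil {
 return nil, trace.Wrap(err)
 }
-// Inherit the cert signature algorithm from CA signature.
-// Whatever auth server decided to use for SSH cert signing should be used
-// by the resulting certs for signing.
-signer = sshutils.AlgSigner(signer, keys[0].Certificate.Signature.Format)
 return NewAuthMethodForCert(signer), nil
 }
 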
7 changes: 3 additions & 4 deletions lib/client/keyagent.go
Expand Up @@ -435,12 +435,11 @@ func (a *LocalKeyAgent) AuthMethods() (m []ssh.AuthMethod) {
}
// for every certificate create a new "auth method" and return them
m = make([]ssh.AuthMethod, 0)
for _, s := range signers {
for i := range signers {
// filter out non-certificates (like regular public SSH keys stored in the SSH agent):
crt, ok := s.PublicKey().(*ssh.Certificate)
_, ok := signers[i].PublicKey().(*ssh.Certificate)
if ok {
s = sshutils.AlgSigner(s, crt.Signature.Format)
m = append(m, NewAuthMethodForCert(s))
m = append(m, NewAuthMethodForCert(signers[i]))
}
}
return m
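Review bot: The rewritten loop body drops the CA-format override without recording why, so a reader of `m = append(m, NewAuthMethodForCert(signers[i]))` cannot tell that the signer is deliberately left on its default (ssh-rsa) handshake algorithm; that rationale currently lives only in the commit message. Suggest a comment above that line, `// Signers keep their default (ssh-rsa) handshake algorithm: x/crypto/ssh does not support SHA2 handshake signatures yet; revisit once rsa-sha2-* support lands.`, and the same comment at the other sites where the override was removed (lib/auth/init.go, lib/client/interfaces.go, lib/reversetunnel/cache.go, lib/sshutils/signer.go), since ssh-rsa handshake signatures are SHA-1 based and this is a conscious, temporary choice. As a matter of style, the switch from `for _, s := range signers` to an index loop looks like a leftover of the removed `s = ...` reassignment; with that gone, `for _, s := range signers` with `s.PublicKey()` and `NewAuthMethodForCert(s)` reads more simply. AuthMethods starts above the hunk.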
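--- a/lib/reversetunnel/cache.go
+++ b/lib/reversetunnel/cache.go
@@ -27,7 +27,6 @@ import (
 "github.com/gravitational/teleport/lib/auth"
 "github.com/gravitational/teleport/lib/defaults"
 "github.com/gravitational/teleport/lib/sshca"
-"github.com/gravitational/teleport/lib/sshutils"
 
 "github.com/gravitational/trace"
 "github.com/gravitational/ttlmap"
@@ -163,10 +162,6 @@ func (c *certificateCache) generateHostCert(principals []string) (ssh.Signer, er
 if !ok {
 return nil, trace.BadParameter("not a certificate")
 }
-// Inherit the cert signature algorithm from CA signature.
-// Whatever auth server decided to use for SSH cert signing should be used
-// by the resulting certs for signing.
-privateKey = sshutils.AlgSigner(privateKey, cert.Signature.Format)
 
 // return a ssh.Signer
 s, err := ssh.NewCertSigner(cert, privateKey)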
4 changes: 1 addition & 3 deletions lib/service/service.go
Expand Up @@ -625,9 +625,7 @@ func NewTeleport(cfg *Config) (*TeleportProcess, error) {
precomputeCount = 0
}
var err error
cfg.Keygen, err = native.New(process.ExitContext(),
native.PrecomputeKeys(precomputeCount),
)
cfg.Keygen, err = native.New(process.ExitContext(), native.PrecomputeKeys(precomputeCount))
if err != nil {
return nil, trace.Wrap(err)
}
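--- a/lib/sshutils/signer.go
+++ b/lib/sshutils/signer.go
@@ -43,10 +43,6 @@ func NewSigner(keyBytes, certBytes []byte) (ssh.Signer, error) {
 if !ok {
 return nil, trace.BadParameter("expected SSH certificate, got %T ", pubkey)
 }
-// Inherit the cert signature algorithm from CA signature.
-// Whatever auth server decided to use for SSH cert signing should be used
-// by the resulting certs for signing.
-keySigner = AlgSigner(keySigner, cert.Signature.Format)
 
 return ssh.NewCertSigner(cert, keySigner)
 }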
