Enforce SHA-512 for RSA SSH signatures #3777
Conversation
@awly Releases of OpenSSH below 7.2 will not support SHA-512 signed certificates. The good news is that Ubuntu 16.04+, CentOS 7+, and macOS 10.12 (Sierra) all have releases greater than OpenSSH 7.2. The bad news is that CentOS 6 has an older release and we have customers still on CentOS 6. This means we'll have to add a flag to tell the Auth Server to continue issuing I like making this the default behavior, but we should do some more testing around compatibility before we make it the default behavior. We don't want someone to upgrade their cluster and no longer have access to it.
Ahh, ok. It's unfortunate that we support outdated OSs and integration with outdated userspace software on them. I'll add a config file field, next to the other crypto settings we have. OpenSSH has a similar field called
07a2150 to 0896943
@russjones PTAL I added a config field for this, which defaults to SHA-512.
lib/service/cfg.go
@@ -479,6 +484,7 @@ func ApplyDefaults(cfg *Config) { | |||
cfg.Ciphers = sc.Ciphers | |||
cfg.KEXAlgorithms = kex | |||
cfg.MACAlgorithms = macs | |||
cfg.CASignatureAlgorithm = ssh.SigAlgoRSASHA2512 |
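Review bot: Assigning `cfg.CASignatureAlgorithm = ssh.SigAlgoRSASHA2512` unconditionally inside ApplyDefaults means every deployment that leaves the new config field unset is switched to rsa-sha2-512 on upgrade, existing clusters included, even though their clients (pre-7.2 OpenSSH, as discussed above) may not verify such signatures. Consider applying this default only when a fresh CA is being generated, and otherwise preserving the algorithm already recorded with the existing CA, with the config field serving as an explicit override rather than a silent default.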
It looks like if you don't specify this argument, you get opted into `rsa-sha2-512`?
I'm concerned about the long tail of clients and breaking people's clusters. I'm thinking the safest path forward would be the following:
- For new clusters, start out with `rsa-sha2-512`. Support downgrading to `ssh-rsa` if needed for compatibility reasons.
- For existing clusters, continue to use the existing algorithm, but log a warning about the dangers of using an insecure algorithm with a link to documentation explaining how to upgrade the cluster.
This way we don't surprise any cluster administrators. What do you think?
For existing clusters - preserve signature type. Log warnings in tctl in teleport.
c662637 to 4caf9cb
OK, reworked this per our convo with @russjones. PTAL
4caf9cb to 9ec4435
Good thing we had those integration tests! This check on the server side of the handshake is preventing our new signing algorithm. There doesn't seem to be a way around it. Which means that:
And I'm pretty sure the way I change cert signing is against the spec (SSH certs should be using formats like This leaves us with 3 options:
Need to think through this some more...
9ec4435 to c7837e4
OK, I reverted the changes that affect SSH handshakes. This is option No.3. This also unblocks 4.3 testing, since currently
Motivation: x/crypto/ssh defaults to using SHA-1 for signatures: https://github.com/golang/crypto/blob/master/ssh/keys.go#L963-L982 Because Teleport uses RSA for user, host and CA keys, we end up with SHA-1 by default. SHA-1 is now considered weak and OpenSSH plans to deprecate it: https://www.openssh.com/txt/release-8.3
Fix: Wrap all RSA `ssh.Signer`s and override `SignWithAlgorithm` to provide `SigAlgoRSASHA2512` if not otherwise specified. This will only affect new certs, existing certs will use `SigAlgoRSA` until rotated. For CA certs (e.g. exported with `tctl auth export`) users might need to manually rotate.
Limited local testing with openssh 8.2 client and `-oHostKeyAlgorithms=-ssh-rsa` confirms that this works with a new cluster and fails with an old one.
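The commit message above says what the change does at the x/crypto/ssh API level; the example below, added here and not part of Teleport or of x/crypto/ssh, shows what `ssh-rsa` versus `rsa-sha2-512` actually means on the wire. It uses only the Go standard library (`crypto/rsa` instead of `x/crypto/ssh`), builds the SSH signature encoding from RFC 4253/8332 (a length-prefixed algorithm name followed by the length-prefixed PKCS#1 v1.5 signature), and gives the verifier an allow-list so it can refuse SHA-1 signatures even though the RSA key itself is unchanged. The key, the payload and the policy list are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
	"io"
)

// SSH RSA signature algorithm names: ssh-rsa (RFC 4253) and rsa-sha2-512 (RFC 8332).
// Both use the same RSA key; only the digest inside the PKCS#1 v1.5 signature differs.
const (
	AlgoSSHRSA     = "ssh-rsa"      // SHA-1, the x/crypto/ssh default the PR moves away from
	AlgoRSASHA2512 = "rsa-sha2-512" // SHA-512, the PR's new default
)

// digestFor maps an algorithm name to its hash identifier and the digest of data.
func digestFor(algo string, data []byte) (crypto.Hash, []byte, error) {
	switch algo {
	case AlgoSSHRSA:
		sum := sha1.Sum(data)
		return crypto.SHA1, sum[:], nil
	case AlgoRSASHA2512:
		sum := sha512.Sum512(data)
		return crypto.SHA512, sum[:], nil
	}
	return 0, nil, fmt.Errorf("unsupported RSA signature algorithm %q", algo)
}

// sshString encodes b as the SSH "string" type: big-endian uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readSSHString decodes one SSH "string" from r, refusing lengths that run past the input.
func readSSHString(r *bytes.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if uint64(n) > uint64(r.Len()) {
		return nil, fmt.Errorf("truncated SSH string: want %d bytes, have %d", n, r.Len())
	}
	b := make([]byte, n)
	_, err := io.ReadFull(r, b)
	return b, err
}

// SignSSH signs data with priv under the named algorithm and returns the SSH
// wire-format signature: string(algorithm name) || string(PKCS#1 v1.5 signature).
func SignSSH(priv *rsa.PrivateKey, algo string, data []byte) ([]byte, error) {
	h, digest, err := digestFor(algo, data)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, h, digest)
	if err != nil {
		return nil, err
	}
	return append(sshString([]byte(algo)), sshString(sig)...), nil
}

// VerifySSH parses a wire-format RSA signature, enforces an allow-list of algorithm
// names, and checks the signature over data. It returns the algorithm the signature
// claimed, which is also the field to inspect when auditing existing certs or CAs.
func VerifySSH(pub *rsa.PublicKey, allowed []string, data, wire []byte) (string, error) {
	r := bytes.NewReader(wire)
	name, err := readSSHString(r)
	if err != nil {
		return "", err
	}
	algo := string(name)
	sig, err := readSSHString(r)
	if err != nil {
		return algo, err
	}
	if r.Len() != 0 {
		return algo, fmt.Errorf("%d trailing bytes after signature", r.Len())
	}
	permitted := false
	for _, a := range allowed {
		permitted = permitted || a == algo
	}
	if !permitted {
		return algo, fmt.Errorf("signature algorithm %q not allowed by policy", algo)
	}
	h, digest, err := digestFor(algo, data)
	if err != nil {
		return algo, err
	}
	return algo, rsa.VerifyPKCS1v15(pub, h, digest, sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed key for the demo
	if err != nil {
		panic(err)
	}
	data := []byte("constructed sample payload") // constructed input, not a real SSH message
	for _, algo := range []string{AlgoSSHRSA, AlgoRSASHA2512} {
		wire, _ := SignSSH(priv, algo, data)
		_, err := VerifySSH(&priv.PublicKey, []string{AlgoRSASHA2512}, data, wire)
		fmt.Printf("%-13s under a SHA-2-only policy: %v\n", algo, err)
	}
}
```

Running `main` shows the two outcomes the PR description describes: a signature produced under `rsa-sha2-512` verifies under a SHA-2-only policy, while the SHA-1 `ssh-rsa` signature made with the very same key is rejected by the name check before any RSA arithmetic runs. The returned algorithm name is the cheap way to tell which digest an existing certificate or CA signature was produced with, which is what an operator needs before deciding whether `tctl auth rotate` is required.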
This allows users to override the SHA2 signing algorithms we default to now for compatibility with the (very) old OpenSSH versions. For host and user certs, use the CA signing algo for their own handshakes. This allows us to propagate the signing algo from auth server everywhere else.
Store the signing algorithm along the CA private key. When reading old CAs that don't have it set, default to UNKNOWN proto enum which corresponds to the old SHA1-based signing alg. The only time you get a SHA2 signature is when creating a fresh cluster and generating a new CA. This can be disabled in the config.
This allows users to manually switch to a different algorithm by:
- setting the config file field
- running "tctl auth rotate"
If the config file field is not set, the existing signing algorithm of the CA is preserved.
connectedPeer is used as reversetunnel.Site outside of the package. Its connInfo field must be synchronized.
It's no longer needed, since CertAuthority contains the signing algorithm internally.
Also fix a few bugs along the way.
Previously we matched the public key type for only plain public key authn.
x/crypto/ssh does not support SHA2 signatures for handshakes yet. We'll keep using SHA2 for cert signing, but handshakes have to wait.
c7837e4 to 0d49b29
This is a squashed version of #3777.
Motivation:
Fix:
I somewhat blindly wrapped all non-test places where we create `ssh.Signer`s. If you think there are unnecessary calls or missing ones, please comment. Limited local testing with openssh 8.2 client and `-oHostKeyAlgorithms=-ssh-rsa` confirms that this works with a new cluster and fails with an old one.
Fixes #3742