oss-sec mailing list archives

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Andres Freund <andres () anarazel de>
Date: Sat, 30 Mar 2024 15:01:31 -0700

Hi,

On 2024-03-30 22:46:17 +0100, Axel Beckert wrote:
> On Sat, Mar 30, 2024 at 12:48:50PM -0700, Andres Freund wrote:
> > FWIW, RSA_public_decrypt is reachable, regardless of server configuration,
> > when using certificate based authentication.
>              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Wait, do you really mean SSH keys verified by certificates issued by a
> (usually internal, SSH-specific) certificate authority (CA) for a key?
> 
> See e.g.
> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication
> what certificate-based authentication in SSH actually means.
> 
> From my experience certificate-based SSH authentication (i.e. those
> algorithms with *-cert-* in their names) is rather rare, while simple
> public key authentication (where you just put your according pubkey
> into .ssh/authorized_keys) is very common.
> 
> Can you clarify if you really meant that solely certificate based
> authentication (with certificates issued by a CA) triggers that code
> path or if you actually meant all sorts of public key based
> authentication in general?

I meant CA-based auth - but note that, from what I can tell, you don't need to
have it set up on the server side or anything. You might not even be able to
disable it. If the client sends a signed key, the signature is loaded and
verified before approved algorithms are checked.

This seems suboptimal regardless of the backdoor issue, so I opened an
enhancement request for openssh: https://bugzilla.mindrot.org/show_bug.cgi?id=3675

I might be misreading the code around some of the details, but I did
experimentally verify that an RSA signature is verified without CA auth being
configured.

Greetings,

Andres Freund
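An added example (my code, not from this thread or from OpenSSH) modelling the ordering Andres describes: an OpenSSH certificate blob begins with its algorithm name as an RFC 4251 string, so the server's accepted-algorithms policy can be enforced before any signature is parsed or verified. The CA signature is stood in for by an HMAC, and the CA secret and certificate fields are constructed placeholders.

```python
import hmac, hashlib, struct

CA_SECRET = b"constructed-ca-secret"  # stand-in for the CA key (HMAC, not RSA)

def ssh_string(b: bytes) -> bytes:
    # RFC 4251 "string": uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_cert(algorithm: bytes) -> bytes:
    # Constructed cert-like blob; real OpenSSH certs carry more fields
    # (nonce, key material, serial, principals, validity, options ...).
    body = ssh_string(algorithm) + ssh_string(b"<placeholder key material>")
    sig = hmac.new(CA_SECRET, body, hashlib.sha256).digest()
    return body + ssh_string(sig)

def key_algorithm(blob: bytes) -> str:
    # Policy needs only the first field: no crypto, no signature bytes touched.
    name, _ = read_string(blob, 0)
    return name.decode("ascii")

class Verifier:
    """Stand-in for the CA signature check (HMAC instead of RSA_public_decrypt)."""
    def __init__(self):
        self.calls = 0
    def verify(self, blob: bytes) -> bool:
        self.calls += 1
        off, fields = 0, []
        while off < len(blob):
            f, off = read_string(blob, off)
            fields.append(f)
        body = blob[:len(blob) - 4 - len(fields[-1])]
        expected = hmac.new(CA_SECRET, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, fields[-1])

def vulnerable_order(blob, accepted, v: Verifier) -> bool:
    # Mirrors what the thread describes: signature verified first, policy after.
    if not v.verify(blob):
        return False
    return key_algorithm(blob) in accepted

def hardened_order(blob, accepted, v: Verifier) -> bool:
    # Enforce the accepted-algorithms list (PubkeyAcceptedAlgorithms in sshd)
    # before any signature parsing or verification runs on client input.
    if key_algorithm(blob) not in accepted:
        return False
    return v.verify(blob)
```

With a disallowed `*-cert-*` type, `vulnerable_order` still runs the verifier once while `hardened_order` never reaches it.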
