x/crypto/ssh: SSH Client fails handshake when using publickey method

[0x7f]

Go version

go version go1.22.1 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/max/Library/Caches/go-build'
GOENV='/Users/max/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/max/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/max/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.22.1/libexec'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.22.1/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.22.1'
GCCGO='gccgo'
AR='ar'
CC='cc'
CXX='c++'
CGO_ENABLED='1'
GOMOD='/Users/max/Code/sandbox/ssh-authentication-bug/client/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/1m/z4zys8c11n92mxs598p0hc1r0000gn/T/go-build3310712318=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

I'm building a SSH server using the Node.js library https://github.com/mscdex/ssh2 and I'm building the SSH client using the x/crypto/ssh library. The client aborts the SSH handshake when using the publickey authentication method.

I built an example project including server and client here: https://github.com/0x7f/ssh-authentication-bug

What did you see happen?

Even though the server offers [publickey] authentication methods when initiating the handshake with authentication method none, the client fails to connect. The client uses the publickey method and offers the key, and the server accepts the key, but the client still prints the error:

2024/03/21 09:07:40 Failed to dial: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain

What did you expect to see?

When using OpenSSH client, it connects successfully. I would expect the same from the Golang x/crypto/ssh client.

Maybe related to #64785

[dr2chase]

@golang/security

[0x7f]

Quick not about findings from the issue over at ssh2 (the Node.js SSH2 server library). When switching from RSA to ED25519 keys, the handshake works as expected. So seems the issue is related to RSA keys somehow.

[gopherbot]

Change https://go.dev/cl/573360 mentions this issue: ssh: validate key type in SSH_MSG_USERAUTH_PK_OK response

[drakkan]

@0x7f thank you for providing a reproducer. I think the linked CL fixes the reported issue. Can you please confirm?

According to RFC 4252 Section 7 the algorithm in SSH_MSG_USERAUTH_REQUEST should match that of the request, so our code was correct, but some server send the key type instead.

OpenSSH checks the key type (maybe to avoid problems with these buggy servers) so I think we should do the same

[omgitsotis]

I ran into this problem too. Through some gross debugging I found that it was failing here. My public key algo was ssh-rsa and the server algo was rsa-sha2-256, as they weren't the same, it returned false here.

I managed to get around it by changing the code (I forked the repo to unblock myself) to check if the algo matched any of the algos returned in algorithmsForKeyFormat(msg.Algo). Not sure if it is the right thing to do here though.

[drakkan]

I ran into this problem too. Through some gross debugging I found that it was failing here. My public key algo was ssh-rsa and the server algo was rsa-sha2-256, as they weren't the same, it returned false here.

I managed to get around it by changing the code (I forked the repo to unblock myself) to check if the algo matched any of the algos returned in algorithmsForKeyFormat(msg.Algo). Not sure if it is the right thing to do here though.

Can you please confirm that this issue is fixed by applying this CL? Thank you

[0x7f]

@drakkan the CL fixes it for me 👍 Thanks a lot.

I had trouble referencing the CL in my test project, so I manually applied the changes to the local code in $GOPATH.

[0x7f]

@drakkan any updates on this one? I'm not familiar with Gerrit, but to me it looks like the CL was not merged yet, right?

[drakkan]

@drakkan any updates on this one? I'm not familiar with Gerrit, but to me it looks like the CL was not merged yet, right?

It is in the review queue. It should be merged soon, I think another Google employee should approve it

[Dhongwei]

I encountered a similar issue. My Go version is go1.21.9 and crypto is v0.30.0. I fixed it during debugging by specifying the key . My situation involves accessing OpenSSH_8.8 from OpenSSH_7.4.

	sshConfig := &ssh.ClientConfig{
		User: username,
		Auth: []ssh.AuthMethod{
			ssh.PublicKeys(signers...),
		},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
		HostKeyAlgorithms: []string{
			ssh.KeyAlgoRSASHA256, 
			ssh.KeyAlgoRSASHA512,
			ssh.KeyAlgoED25519,
			ssh.KeyAlgoECDSA256,
		},
		Timeout: 15 * time.Second, 
	}