Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: possible ssh-ed25519 parse bug #47192

Closed
hongnod opened this issue Jul 14, 2021 · 3 comments
Closed

x/crypto/ssh: possible ssh-ed25519 parse bug #47192

hongnod opened this issue Jul 14, 2021 · 3 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Unreleased

Comments

@hongnod
Copy link

hongnod commented Jul 14, 2021
edited by cespare

What version of Go are you using (go version)?

$ go version
go version go1.16.6 windows/amd64

Does this issue reproduce with the latest release?

Don't know

What operating system and processor architecture are you using (go env)?

GO111MODULE=
set GOARCH=amd64
set GOBIN=
GOHOSTARCH=amd64
set GOHOSTOS=windows

go env Output
$ go env

What did you do?

Use ssh package to connect server with ed25519

package main

import (
	"github.com/pkg/sftp"
	"golang.org/x/crypto/ssh"
	"io"
	"log"
	"os"
	"strings"
	"bufio"
	"fmt"
	"path/filepath"
	)

func main() {

	user   := "user"
	pass   := "password"
	remote := "10.x.x.x"
	port   := ":22"

	// get host public key
	hostKey := getHostKey(remote)
    fmt.Println("HOSTKEY:",  hostKey)
	config := &ssh.ClientConfig{
		User: user,
		Auth: []ssh.AuthMethod{
			ssh.Password(pass),
		},
		// HostKeyCallback: ssh.InsecureIgnoreHostKey(),
		HostKeyCallback: ssh.FixedHostKey(hostKey),
	}

	// connect
	conn, err := ssh.Dial("tcp", remote+port, config)
	if err != nil {
	   log.Fatal(err)
	}
	defer conn.Close()

	// create new SFTP client
	client, err := sftp.NewClient(conn)
	if err != nil {
	   log.Fatal(err)
	}
	defer client.Close()

	// create destination file
	dstFile, err := os.Create("./file.zip")
	if err != nil {
	   log.Fatal(err)
	}
	defer dstFile.Close()

	// open source file
	srcFile, err := client.Open("/opt/to/file-1.zip")
	if err != nil {
	   log.Fatal(err)
	}

	// copy source file to destination file
	bytes, err := io.Copy(dstFile, srcFile)
	if err != nil {
	   log.Fatal(err)
	}
	fmt.Printf("%d bytes copied\n", bytes)

	// flush in-memory copy
	err = dstFile.Sync()
	if err != nil {
	   log.Fatal(err)
	}
}

func getHostKey(host string) ssh.PublicKey {
	// parse OpenSSH known_hosts file
	// ssh or use ssh-keyscan to get initial key
		home, err := os.UserHomeDir()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("HOME:",  home)

	file, err := os.Open(filepath.Join(home, ".ssh", "known_hosts"))
	if err != nil {
		log.Fatal(err)
	}
	defer file.Close()

	scanner := bufio.NewScanner(file)
	var hostKey ssh.PublicKey
	for scanner.Scan() {
		fields := strings.Split(scanner.Text(), " ")
		if len(fields) != 3 {
			continue
		}
		if strings.Contains(fields[0], host) {
			var err error
			hostKey, _, _, _, err = ssh.ParseAuthorizedKey(scanner.Bytes())
			if err != nil {
				log.Fatalf("error parsing %q: %v", fields[2], err)
			}
			break
		}
	}

	if hostKey == nil {
		log.Fatalf("no hostkey found for %s", host)
	}

	return hostKey
}

What did you expect to see?

I expect to connect the sftp server to download a zip file

What did you see instead?

It said key mismatch with ed25519, Use ssh-keyscan -t ecdsa ip >> .ssh\known_hosts to replace ed25519 key works fine .

keys in known_hosts
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfkr/guXHGCyNtyGS/0bwD9eWgS4K6avfsU47gcI6wS
ed25519 parse result: [7 228 175 248 46 92 113 130 200 219 114 25 47 244 111 0 253 121 104 18 224 174 154 189 251 20 227 184 28 35 172 18]
@mdlayher mdlayher changed the title Possible ssh-ed25519 parse bug x/crypto/ssh: possible ssh-ed25519 parse bug Jul 14, 2021
@gopherbot gopherbot added this to the Unreleased milestone Jul 14, 2021
@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 14, 2021
@cherrymui
Copy link
Member

cc @FiloSottile

@frazeradam
Copy link

We ran into a similar issue and found that the server had both a ECDSA and ED25519 key, and picked which one to use based on the client's request.

The underlying issue (at least from our perspective) is that the ordering of the supported algorithms does not put the most secure methods first: https://cs.opensource.google/go/x/crypto/+/089bfa56:ssh/common.go;l=69 Specifically it puts the ECDSA algorithms (which have credible accusations of having a backdoor) ahead of EC25519.

In your case @hongnod manually setting the HostKeyAlgorithms field in the ClientConfig structure to just include KeyAlgoED25519 will probably do it.

From a larger perspective it would be ideal to prefer KeyAlgoED25519 over any of the ECDSA algorithms, but changing that could break existing code that has a key fingerprint saved for verification connecting to a server with both ECDSA and ED25519 keys. If this is a good decision (potential breaking change for improved security) is a trade off that the Go team will need to weigh.

@seankhliao
Copy link
Member

Seems like you were using FixedHostKey when you should have selected one based on the connection

Closing as not a bug

@golang golang locked and limited conversation to collaborators Nov 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@hongnod @gopherbot @seankhliao @cherrymui @frazeradam