Mailing List Archive

[Bug 3279] UpdateHostKeys triggers "client_global_hostkeys_private_confirm: server gave bad signature for RSA key 0" error message
https://bugzilla.mindrot.org/show_bug.cgi?id=3279

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #1 from Damien Miller <djm@mindrot.org> ---
Could you please attach a complete debug trace (ssh -vvv ...)?

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

--- Comment #2 from Thomas Braun <thomas.braun@byte-physics.de> ---
Created attachment 3505
--> https://bugzilla.mindrot.org/attachment.cgi?id=3505&action=edit
stderr output


--- Comment #3 from Thomas Braun <thomas.braun@byte-physics.de> ---
Created attachment 3506
--> https://bugzilla.mindrot.org/attachment.cgi?id=3506&action=edit
stdout output


--- Comment #4 from Thomas Braun <thomas.braun@byte-physics.de> ---
Done.


Damien Miller <djm@mindrot.org> changed:

What                       |Removed                  |Added
----------------------------------------------------------------------------
Attachment #3505 mime type |application/octet-stream |text/plain


Damien Miller <djm@mindrot.org> changed:

What                       |Removed                  |Added
----------------------------------------------------------------------------
Attachment #3506 mime type |application/octet-stream |text/plain


--- Comment #5 from Damien Miller <djm@mindrot.org> ---
Are you able to test OpenSSH git head or otherwise apply commit
ac31aa3c63 ? It adds some debugging that might be useful in figuring
out what is going wrong.

Also a workaround: add

    Host gitlab.com
        UpdateHostkeys no

to your ~/.ssh/config


--- Comment #6 from Damien Miller <djm@mindrot.org> ---
Created attachment 3507
--> https://bugzilla.mindrot.org/attachment.cgi?id=3507&action=edit
use old-style RSA signature algorithm for SSH_BUG_SIGTYPE servers

Please also try this patch.


--- Comment #7 from Thomas Braun <thomas.braun@byte-physics.de> ---
Yes, I should be able to compile openssh HEAD. I presume we are talking
about https://github.com/openssh/openssh-portable?

Do you think I can test that on linux as well or is that specific to
Windows?


Richard W.M. Jones <rjones@redhat.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |rjones@redhat.com


--- Comment #8 from Thomas Braun <thomas.braun@byte-physics.de> ---
Created attachment 3513
--> https://bugzilla.mindrot.org/attachment.cgi?id=3513&action=edit
stderr with ac31aa3c63 applied


--- Comment #9 from Thomas Braun <thomas.braun@byte-physics.de> ---
Created attachment 3514
--> https://bugzilla.mindrot.org/attachment.cgi?id=3514&action=edit
stdout with ac31aa3c63 applied


--- Comment #10 from Thomas Braun <thomas.braun@byte-physics.de> ---
I've applied the SSH_BUG_SIGTYPE fix but that did not solve the issue.

I also added the requested debug output with ac31aa3c63 applied.


Damien Miller <djm@mindrot.org> changed:

What                       |Removed                  |Added
----------------------------------------------------------------------------
Attachment #3513 mime type |application/octet-stream |text/plain


Damien Miller <djm@mindrot.org> changed:

What                       |Removed                  |Added
----------------------------------------------------------------------------
Attachment #3514 mime type |application/octet-stream |text/plain


--- Comment #11 from Damien Miller <djm@mindrot.org> ---
> client_global_hostkeys_private_confirm: server gave bad signature for RSA key 0: error in libcrypto

Hmm, this is not what I expected. This particular error can only occur
during RSA verification here:
https://github.com/openssh/openssh-portable/blob/e86968280e358e62649d268d41f698d64d0dc9fa/ssh-rsa.c#L429
and indicates an RSA decryption failure in OpenSSL libcrypto.

Moreover I can't reproduce the same problem with OpenSSH 7.9 sshd
locally - the hostkey update signature functions fine for RSA keys.

This makes me suspect that either gitlab.com is returning an incorrect
signature, or OpenSSL libcrypto is failing to verify a good one on your
platform.

I don't know much about how the ssh client in git-for-windows works. Is
it built from Cygwin, Microsoft's OpenSSH port or something else?


--- Comment #12 from Thomas Braun <thomas.braun@byte-physics.de> ---
> I don't know much about how the ssh client in git-for-windows works. Is it built from Cygwin, Microsoft's OpenSSH port or something else?

It's basically built from cygwin. It's called MSYS which is a
derivation of cygwin.

The sources are available at
https://github.com/git-for-windows/MSYS2-packages/tree/main/openssh. It
is not particularly easy to build though.

Is there a way I can store the failing RSA key in a file?


--- Comment #13 from Damien Miller <djm@mindrot.org> ---
Created attachment 3521
--> https://bugzilla.mindrot.org/attachment.cgi?id=3521&action=edit
dump failed key and signature

This will log the failing key and signature.

You can convert the key to an OpenSSL PEM format key using something
like:

    ssh-keygen -ef /path/key.pub -m pem

Verifying the contents of the signature blob is more difficult. Some
extra debug logging in ssh-rsa.c might be required there.


--- Comment #14 from Damien Miller <djm@mindrot.org> ---
Created attachment 3522
--> https://bugzilla.mindrot.org/attachment.cgi?id=3522&action=edit
debug failed libcrypto call

This will dump the actual data passed to RSA_public_decrypt() and the
detailed errors from libcrypto when it fails.

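Added example, not part of the thread and not OpenSSH code: comment #11 leaves two candidates (gitlab.com returning an incorrect signature, or libcrypto failing to verify a good one), and once the key and signature blobs are dumped as in comments #13 and #14, an independent RSA PKCS#1 v1.5 check can help tell them apart. The function names and the test key below are assumptions constructed for illustration; real input would be the dumped blobs and the exact data that was signed.

```python
import hashlib, struct

ALGS = {  # SSH RSA signature algorithm -> (hash, RFC 8017 DigestInfo prefix)
    b"ssh-rsa": ("sha1", "3021300906052b0e03021a05000414"),
    b"rsa-sha2-256": ("sha256", "3031300d060960864801650304020105000420"),
    b"rsa-sha2-512": ("sha512", "3051300d060960864801650304020305000440"),
}

def ssh_strings(blob):  # split a blob into uint32-length-prefixed strings
    out, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        if off + 4 + n > len(blob):
            raise ValueError("truncated SSH string")
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out

def encode(*fields):  # serialise byte strings as SSH strings
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def emsa(alg, data, k):
    """Expected k-byte PKCS#1 v1.5 block as (00 01 FF.. 00 DigestInfo, hash)."""
    hname, prefix = ALGS[alg]
    t, digest = bytes.fromhex(prefix), hashlib.new(hname, data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - len(digest) - 3) + b"\x00" + t, digest

def diagnose(key_blob, sig_blob, data):
    """Classify an RSA signature check without calling libcrypto."""
    ktype, e, n = ssh_strings(key_blob)
    alg, sig = ssh_strings(sig_blob)
    if ktype != b"ssh-rsa" or alg not in ALGS:
        return "unsupported"
    e, n, s = (int.from_bytes(x, "big") for x in (e, n, sig))
    k = (n.bit_length() + 7) // 8
    if s >= n:
        return "signature out of range"
    em, (head, digest) = pow(s, e, n).to_bytes(k, "big"), emsa(alg, data, k)
    if em.startswith(head):  # padding and DigestInfo are intact
        return "ok" if em == head + digest else "digest mismatch"
    return "bad padding"

# Constructed test key (not from the bug report): two Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KEY_BLOB = encode(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + N.to_bytes(141, "big"))

def sign(alg, data):  # sign with the constructed private key
    em = int.from_bytes(b"".join(emsa(alg, data, 141)), "big")
    return encode(alg, pow(em, D, N).to_bytes(141, "big"))
```

A result of "ok" on blobs that the client rejected would point at the local libcrypto build, while "bad padding" or "digest mismatch" would point at the signature the server sent or at the data it was computed over.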