Tracker »
Issue 1091 »
Issue activity log
2013-11-21 13:08 | Created | Occasional RSA public key authentication failure |
Component | Core | |
Severity | Bug | |
Comment | https://winscp.net/forum/viewtopic.php?t=13049 | |
2013-11-21 13:10 | Comment | Date: Thu, 21 Nov 2013 13:08:05 +0100 From: Martin Prikryl To: putty Subject: RSA signature issue when connecting to ProFTPD Hello, I got several reports that WinSCP/PuTTY occasionally fails public key authentication against ProFTPD server with "Server refused public-key signature despite accepting key!" I found out that this happens when RSA signature has different length than RSA key. This can happen, when the last (or last couple of) octet of signature is zero. Then rsa2_sign() outputs only n - 1 (or more) bytes. ProFTPSD upon receiving the signature, passes it to RSA_verify (from OpenSSL library). As the first thing, it tests that signature size matches key size. When it does not it fails the authentication. I'm not sure who is wrong here. In either case, it would be nice to make PuTTY workaround this (by padding the signature with zeros?) Thanks. Martin Prikryl https://winscp.net/ |
2013-11-21 14:10 | Comment | From: Simon Tatham To: Martin Prikryl Subject: Re: [putty] RSA signature issue when connecting to ProFTPD Martin Prikryl wrote: > I found out that this happens when RSA signature has different length > than RSA key. This can happen, when the last (or last couple of) octet > of signature is zero. Then rsa2_sign() outputs only n - 1 (or more) bytes. > > ProFTPSD upon receiving the signature, passes it to RSA_verify (from > OpenSSL library). As the first thing, it tests that signature size > matches key size. When it does not it fails the authentication. This is a clear violation of the SSH spec. RFC 4253, section 6.6: | The resulting signature is encoded as follows: | | string "ssh-rsa" | string rsa_signature_blob | | The value for 'rsa_signature_blob' is encoded as a string containing | s (which is an integer, without lengths or padding, unsigned, and in | network byte order). 'Without padding' says clearly enough to me that leading zero bytes on an RSA signature integer are not only unnecessary but actually forbidden. (When PuTTY _receives_ signatures, however, it doesn't insist on that clause - it tolerates leading zero bytes if they're there.) So this is a server-side bug; if their RSA library insists on signature integers being padded, then their SSH layer has a duty to add any necessary padding itself before passing the signature on to the RSA library. PuTTY _does_ already have a workaround for this bug, since it's not the first server we've heard of it in. Look for 'Requires padding on SSH-2 RSA signatures' in the PuTTY SSH > Bugs configuration panel, or BUG_SSH2_RSA_PADDING in the PuTTY source. Currently we only auto-enable that workaround for old versions of OpenSSH; we could easily enough add another set of version strings to the autodetection, but I'd prefer to see evidence that ProFTPD had fixed the bug at their end first (since it is their bug), so that we were only enabling the workaround for _old_ versions and not for all versions in future as well. Cheers, Simon |
Comment | Filled ProFTPD bug: http://bugs.proftpd.org/show_bug.cgi?id=3992 |
|
2013-11-21 14:11 | Status | RESOLVED |
Resolution | INVALID | |
2014-04-07 15:49 | Implemented in | 5.5.3 |
Comment | Workaround implemented. | |
2014-07-23 13:40 | Comment | Documented: https://winscp.net/eng/docs/ui_login_bugs#sshbug_rsapad2 https://winscp.net/eng/docs/interoperability#mod_sftp |
2015-01-29 12:56 | Severity | Bug → Enhancement |
2016-09-30 08:43 | Comment | PuTTY: PuTTY Commit a44530bd |