|Date: Thu, 21 Nov 2013 13:08:05 +0100
From: Martin Prikryl
Subject: RSA signature issue when connecting to ProFTPD
I got several reports that WinSCP/PuTTY occasionally fails public key
authentication against ProFTPD server with "Server refused public-key
signature despite accepting key!"
I found out that this happens when RSA signature has different length
than RSA key. This can happen, when the last (or last couple of) octet
of signature is zero. Then rsa2_sign() outputs only n - 1 (or more) bytes.
ProFTPSD upon receiving the signature, passes it to RSA_verify (from
OpenSSL library). As the first thing, it tests that signature size
matches key size. When it does not it fails the authentication.
I'm not sure who is wrong here. In either case, it would be nice to make
PuTTY workaround this (by padding the signature with zeros?)
|From: Simon Tatham
To: Martin Prikryl
Subject: Re: [putty] RSA signature issue when connecting to ProFTPD
Martin Prikryl wrote:
> I found out that this happens when RSA signature has different length
> than RSA key. This can happen, when the last (or last couple of) octet
> of signature is zero. Then rsa2_sign() outputs only n - 1 (or more) bytes.
> ProFTPSD upon receiving the signature, passes it to RSA_verify (from
> OpenSSL library). As the first thing, it tests that signature size
> matches key size. When it does not it fails the authentication.
This is a clear violation of the SSH spec. RFC 4253, section 6.6:
| The resulting signature is encoded as follows:
| string "ssh-rsa"
| string rsa_signature_blob
| The value for 'rsa_signature_blob' is encoded as a string containing
| s (which is an integer, without lengths or padding, unsigned, and in
| network byte order).
'Without padding' says clearly enough to me that leading zero bytes on
an RSA signature integer are not only unnecessary but actually
forbidden. (When PuTTY _receives_ signatures, however, it doesn't
insist on that clause - it tolerates leading zero bytes if they're
there.) So this is a server-side bug; if their RSA library insists on
signature integers being padded, then their SSH layer has a duty to
add any necessary padding itself before passing the signature on to
the RSA library.
PuTTY _does_ already have a workaround for this bug, since it's not
the first server we've heard of it in. Look for 'Requires padding on
SSH-2 RSA signatures' in the PuTTY SSH > Bugs configuration panel, or
BUG_SSH2_RSA_PADDING in the PuTTY source. Currently we only
auto-enable that workaround for old versions of OpenSSH; we could
easily enough add another set of version strings to the autodetection,
but I'd prefer to see evidence that ProFTPD had fixed the bug at their
end first (since it is their bug), so that we were only enabling the
workaround for _old_ versions and not for all versions in future as
|Filled ProFTPD bug: