PR#8: Allow webauthn-sk-ecdsa signatures to be detected based on format - rpms/openssh

rpms / openssh

#8 Allow webauthn-sk-ecdsa signatures to be detected based on format

Merged 2 months ago by rcolebaugh. Opened 3 months ago by bmh10.

rpms/ bmh10/openssh c9s-sig-hyperscale into c9s-sig-hyperscale

Allow sk webauthn signatures to be determined based on structure

Ben Homer • 2 months ago

02f4c3

file added

+30

		`@@ -0,0 +1,30 @@`
		`+ Index: openssh-8.7p1/ssh-ecdsa-sk.c`
		`+ ===================================================================`
		`+ --- openssh-8.7p1.orig/ssh-ecdsa-sk.c`
		`+ +++ openssh-8.7p1/ssh-ecdsa-sk.c`
		`+ @@ -191,14 +191,17 @@ ssh_ecdsa_sk_verify(const struct sshkey`
		`+ ret = SSH_ERR_INVALID_FORMAT;`
		`+ goto out;`
		`+ }`
		`+ - if (is_webauthn) {`
		`+ - if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 \|\|`
		`+ - sshbuf_froms(b, &webauthn_wrapper) != 0 \|\|`
		`+ - sshbuf_froms(b, &webauthn_exts) != 0) {`
		`+ - ret = SSH_ERR_INVALID_FORMAT;`
		`+ - goto out;`
		`+ - }`
		`+ - }`
		`+ + if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 \|\|`
		`+ + sshbuf_froms(b, &webauthn_wrapper) != 0 \|\|`
		`+ + sshbuf_froms(b, &webauthn_exts) != 0) {`
		`+ + if (is_webauthn) {`
		`+ + ret = SSH_ERR_INVALID_FORMAT;`
		`+ + goto out;`
		`+ + }`
		`+ + } else {`
		`+ + // webauthn signature detected based on structure`
		`+ + is_webauthn = 1;`
		`+ + }`
		`+ if (sshbuf_len(b) != 0) {`
		`+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;`
		`+ goto out;`

openssh.spec

file modified

+7 -1

		`@@ -52,7 +52,7 @@`
		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`%global openssh_ver 8.7p1`
		`%global openssh_rel 43`
		`- %global hyperscale_rel 2`
		`+ %global hyperscale_rel 3`
		`%global pam_ssh_agent_ver 0.10.4`
		`%global pam_ssh_agent_rel 5`

		`@@ -329,6 +329,8 @@`
		`# Log extra authentication information to the auth_info structured`
		`# logging field, and add tests for pubkey and cert auth.`
		`Patch2019: fb87_log_auth_info.patch`
		`+ # Detect webauthn-sk-ecdsa signatures based on signature format.`
		`+ Patch2020: fb87_sk_ecdsa_webauthn.patch`

		`License: BSD`
		`Requires: /sbin/nologin`
		`@@ -567,6 +569,7 @@`
		`%patch2017 -p1 -b .log_accept_env`
		`%patch2018 -p1 -b .pass_principals_to_child`
		`%patch2019 -p1 -b .log_auth_info`
		`+ %patch2020 -p1 -b .sk_ecdsa_webauthn`
		`%endif`

		`%if 0%{?facebook} && 0%{?use_quilt}`
		`@@ -860,6 +863,9 @@`
		`%endif`

		`%changelog`
		`+ * Thu Dec 19 2024 Ben Homer <bmhomer13@gmail.com> - 8.7p1-43.3 + 0.10.4-5.3`
		`+ - Allow webauthn-sk-ecdsa signatures to be detected based on format`
		`+`
		`* Wed Jul 10 2024 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 8.7p1-43.2 + 0.10.4-5.43.2`
		`- Reenable keyperm patch in facebook builds`

bmh10 commented 3 months ago

In order to support FIDO2 logins for SSH on MacOS using Apple APIs, we need to make use of the "webauthn-sk-ecdsa" signature type introduced in OpenSSH (see commit).

However, unfortunately there is a bug in ssh agent code which prevents this signature type from being usable from ssh agents (see this post and this post).

Therefore, this PR patches sshd so that it can detect "webauthn-sk-ecdsa" signatures based on the signature format (as outlined here).

rebased onto a59efe4

3 months ago

rebased onto a59efe4

3 months ago

rebased onto a59efe4

3 months ago

rcolebaugh commented on line 22 of openssh.spec 2 months ago

Could you please move this to the bottom of the condition below to guard on %if 0%{?facebook} && !0%{?use_quilt}? That way we'll only introduce this patch to the fb builds and leave regular hyperscale builds as is.

rcolebaugh commented on line 6 of openssh.spec 2 months ago

Could you please bump the hyperscale_rel number below instead of openssh_rel? We keep the openssh ver/rel matching centos and bump only the hyperscale rel when we need to make changes to the patches.

rebased onto a59efe4

2 months ago