Bug 3228 - A client with an ssh agent can login with a revoked certificate
Summary: A client with an ssh agent can login with a revoked certificate
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.0p1
Hardware: Other Linux
Importance: P5 security
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-03 22:38 AEDT by sebelk
Modified: 2021-03-04 09:53 AEDT
Description sebelk 2020-11-03 22:38:31 AEDT
A client with an ssh agent can log in with a revoked certificate.

Steps:

1. On the ssh server (CentOS 8), revoke a client certificate:
ssh-keygen -k -f /etc/ssh/keys/krl.list -z1 sergio_id_rsa-cert.pub

2. Verify that the client is revoked:

ssh-keygen -v -Q -f /etc/ssh/keys/krl.list /etc/ssh/keys/sergio_id_rsa-cert.pub
debug1: KRL version 1 generated at 20201103T104547
/etc/ssh/keys/sergio_id_rsa-cert.pub (sergio@dublin.ireland.home): REVOKED

3. On the ssh client, check that ssh-agent is running:

pgrep -a ssh-agent
4487 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/startplasma-x11"

4. From that ssh client, try to connect to the ssh server with the revoked certificate:

ssh -i .ssh/sergio_lxc-cert.pub root@10.0.3.111
Last login: Tue Nov  3 11:11:29 2020 from 10.0.3.1
[root@centos8-neovim ~]# 

What one would expect is that the ssh server rejects the attempt, but it does not.

The log file has:

... Accepted publickey for root from 10.0.3.1 port 48524...

Only after deleting the identity from the agent on the ssh client side does the ssh server reject the agent:

ssh-add -d /home/sergio/.ssh/id_rsa_SA
Identity removed: /home/sergio/.ssh/id_rsa_SA

error: Authentication key ... revoked by file /etc/ssh/keys/krl.list

So, one depends on the good will of the client side to remove the identity from the agent.

(The client used in this testing is openssh-8.3p1 on Fedora 32.)

Note: I've found that adding the certificate as plain text to the RevokedKeys file prevents the login immediately, but one can depend on having the complete original certificate on hand.
Comment 1 sebelk 2020-11-04 05:09:18 AEDT
Errata: "but one can depend on having the complete original certificate on hand." should be "but one must depend on having the complete original certificate on hand."
Comment 2 sebelk 2020-11-04 06:57:44 AEDT
Using Debian 9 as the ssh server, with version 7.4p1: I can log in even when using plain text in the RevokedKeys file and deleting the private key from the ssh-agent on the client side...
Comment 3 sebelk 2020-11-04 08:38:25 AEDT
My mistake with my earlier comment: I forgot to reload the service on Debian; however, on CentOS I really double-checked that.
Comment 4 Damien Miller 2020-11-04 11:58:54 AEDT
Please attach a debug log from sshd showing a successful login with the revoked key.
Comment 5 sebelk 2020-11-05 01:10:43 AEDT
(In reply to Damien Miller from comment #4)
> Please attach a debug log from sshd showing a successful login with
> the revoked key.

Thanks Damien for your fast answer. I've found that the ssh client was trying other available certificates, which were cached certificates, and some of them were not revoked; my apologies for the noise. You may want to close the bug report.
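A scratch reproduction of the KRL behaviour behind the steps in the description and the explanation in comment 5, added here as an example (it is not code from the bug report or from OpenSSH): revoking a certificate by file only records that certificate's serial under its CA, so a second certificate issued for the same user key still passes the check, while revoking the user's plain public key catches every certificate for that key. It assumes ssh-keygen is on PATH; the key names, key ID, principal and serial numbers are made up for the temporary directory.

```shell
#!/bin/sh
# Added example, not from the bug report or OpenSSH. Assumes ssh-keygen on PATH;
# key names, key ID, principal and serials below are made up for the scratch dir.
set -eu
command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KRL="$WORK/krl"

setup_pki() {
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/ca" -C ca
    ssh-keygen -q -t ed25519 -N '' -f "$WORK/user" -C user
    # Two certificates for the SAME user key, differing only in serial number
    # (the extra cached certificates the client in comment 5 kept offering).
    ssh-keygen -q -s "$WORK/ca" -I sergio -n sergio -z 1 "$WORK/user.pub"
    mv "$WORK/user-cert.pub" "$WORK/serial1-cert.pub"
    ssh-keygen -q -s "$WORK/ca" -I sergio -n sergio -z 2 "$WORK/user.pub"
    mv "$WORK/user-cert.pub" "$WORK/serial2-cert.pub"
    # Revoke only the serial-1 certificate by file, as the report does.
    # Note: together with -k, -z is the KRL version number, not a cert serial.
    ssh-keygen -q -k -f "$KRL" -z 1 "$WORK/serial1-cert.pub"
}

# Returns 0 when the KRL marks the given certificate REVOKED, 1 when it is ok.
# sshd's RevokedKeys lookup is the same KRL check that ssh-keygen -Q performs.
is_revoked() {
    ssh-keygen -Q -f "$KRL" "$1" 2>/dev/null | grep -q ': REVOKED$'
}

# Add the plain user public key to the existing KRL (-u updates it). A cert is
# also matched by the hash of its underlying key, so all its certs are caught.
revoke_user_key() {
    ssh-keygen -q -k -u -f "$KRL" "$WORK/user.pub"
}

report() {
    for c in serial1 serial2; do
        if is_revoked "$WORK/$c-cert.pub"; then echo "$c-cert: REVOKED"; else echo "$c-cert: ok"; fi
    done
}

setup_pki
BEFORE=$(report)   # serial1-cert: REVOKED, serial2-cert: ok
revoke_user_key
AFTER=$(report)    # both REVOKED
printf 'After revoking the serial-1 cert by file:\n%s\n' "$BEFORE"
printf 'After also revoking the user public key:\n%s\n' "$AFTER"
```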
Comment 6 Damien Miller 2020-11-05 14:54:37 AEDT
No worries!
Comment 7 Damien Miller 2021-03-04 09:53:27 AEDT
Close bugs that were resolved in the OpenSSH 8.5 release cycle.