diff options
author | Jeff Forcier <jeff@bitprophet.org> | 2022-05-16 20:52:22 -0400 |
---|---|---|
committer | Jeff Forcier <jeff@bitprophet.org> | 2022-05-16 20:52:22 -0400 |
commit | 33df84c8b50fd63e46abbcbf2fdbe68ba8e530a1 (patch) | |
tree | 3df27327f099901f91ead2e9d33e0dad85bbe766 /paramiko | |
parent | d603ef12b76edca27b713c76c4544502961ff894 (diff) | |
parent | 8a00929219120fcacdcbecd3a94e73ec12f04819 (diff) | |
download | paramiko-33df84c8b50fd63e46abbcbf2fdbe68ba8e530a1.tar.gz |
Merge branch '2.10'
Diffstat (limited to 'paramiko')
-rw-r--r-- | paramiko/auth_handler.py | 18 | ||||
-rw-r--r-- | paramiko/rsakey.py | 9 |
2 files changed, 26 insertions, 1 deletions
diff --git a/paramiko/auth_handler.py b/paramiko/auth_handler.py index c188242e..db89670a 100644 --- a/paramiko/auth_handler.py +++ b/paramiko/auth_handler.py @@ -22,6 +22,7 @@ import weakref import time +import re from paramiko.common import ( cMSG_SERVICE_REQUEST, @@ -298,6 +299,23 @@ class AuthHandler(object): key_type ), ) + # NOTE re #2017: When the key is an RSA cert and the remote server is + # OpenSSH 7.7 or earlier, always use ssh-rsa-cert-v01@openssh.com. + # Those versions of the server won't support rsa-sha2 family sig algos + # for certs specifically, and in tandem with various server bugs + # regarding server-sig-algs, it's impossible to fit this into the rest + # of the logic here. + if key_type.endswith("-cert-v01@openssh.com") and re.search( + r"-OpenSSH_(?:[1-6]|7\.[0-7])", self.transport.remote_version + ): + pubkey_algo = "ssh-rsa-cert-v01@openssh.com" + self.transport._agreed_pubkey_algorithm = pubkey_algo + self._log(DEBUG, "OpenSSH<7.8 + RSA cert = forcing ssh-rsa!") + self._log( + DEBUG, "Agreed upon {!r} pubkey algorithm".format(pubkey_algo) + ) + return pubkey_algo + # Normal attempts to handshake follow from here. # Only consider RSA algos from our list, lest we agree on another! my_algos = [x for x in self.transport.preferred_pubkeys if "rsa" in x] self._log(DEBUG, "Our pubkey algorithm list: {}".format(my_algos)) diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py index f7971dca..000f41c5 100644 --- a/paramiko/rsakey.py +++ b/paramiko/rsakey.py @@ -141,9 +141,16 @@ class RSAKey(PKey): if isinstance(key, rsa.RSAPrivateKey): key = key.public_key() + # NOTE: pad received signature with leading zeros, key.verify() + # expects a signature of key size (e.g. PuTTY doesn't pad) + sign = msg.get_binary() + diff = key.key_size - len(sign) * 8 + if diff > 0: + sign = b"\x00" * ((diff + 7) // 8) + sign + try: key.verify( - msg.get_binary(), + sign, data, padding.PKCS1v15(), self.HASHES[sig_algorithm](), |