PR#8: Allow webauthn-sk-ecdsa signatures to be detected based on format - rpms/openssh

rpms / openssh

#8 Allow webauthn-sk-ecdsa signatures to be detected based on format

Opened a day ago by bmh10. Modified 9 hours ago

rpms/ bmh10/openssh c9s-sig-hyperscale into c9s-sig-hyperscale

Allow sk webauthn signatures to be determined based on structure

Ben Homer • 9 hours ago

1e2159

file added

+30

		`@@ -0,0 +1,30 @@`
		`+ Index: openssh-8.7p1/ssh-ecdsa-sk.c`
		`+ ===================================================================`
		`+ --- openssh-8.7p1.orig/ssh-ecdsa-sk.c`
		`+ +++ openssh-8.7p1/ssh-ecdsa-sk.c`
		`+ @@ -191,14 +191,17 @@ ssh_ecdsa_sk_verify(const struct sshkey`
		`+ ret = SSH_ERR_INVALID_FORMAT;`
		`+ goto out;`
		`+ }`
		`+ - if (is_webauthn) {`
		`+ - if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 \|\|`
		`+ - sshbuf_froms(b, &webauthn_wrapper) != 0 \|\|`
		`+ - sshbuf_froms(b, &webauthn_exts) != 0) {`
		`+ - ret = SSH_ERR_INVALID_FORMAT;`
		`+ - goto out;`
		`+ - }`
		`+ - }`
		`+ + if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 \|\|`
		`+ + sshbuf_froms(b, &webauthn_wrapper) != 0 \|\|`
		`+ + sshbuf_froms(b, &webauthn_exts) != 0) {`
		`+ + if (is_webauthn) {`
		`+ + ret = SSH_ERR_INVALID_FORMAT;`
		`+ + goto out;`
		`+ + }`
		`+ + } else {`
		`+ + // webauthn signature detected based on structure`
		`+ + is_webauthn = 1;`
		`+ + }`
		`+ if (sshbuf_len(b) != 0) {`
		`+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;`
		`+ goto out;`

openssh.spec

file modified

+6 -1

		`@@ -51,7 +51,7 @@`

		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`%global openssh_ver 8.7p1`
		`- %global openssh_rel 43`
		`+ %global openssh_rel 44`
		`%global hyperscale_rel 2`
		`%global pam_ssh_agent_ver 0.10.4`
		`%global pam_ssh_agent_rel 5`
		`@@ -302,6 +302,7 @@`
		`#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c`
		`Patch1020: openssh-8.7p1-sigpipe.patch`
		`Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch`
		`+ Patch1022: openssh-8.7p1-sk-ecdsa-webauthn.patch`

		`# Add a unique log session identifier to output messages for`
		`# each sshd process and its children.`
		`@@ -555,6 +556,7 @@`
		`%patch1019 -p1 -b .cve-2023-51385`
		`%patch1020 -p1 -b .earlypipe`
		`%patch1021 -p1 -b .cve-2024-6387`
		`+ %patch1022 -p1 -b .sk-ecdsa-webauthn`

		`%if 0%{?facebook} && !0%{?use_quilt}`
		`%patch2010 -p1 -b .log_session_id`
		`@@ -860,6 +862,9 @@`
		`%endif`

		`%changelog`
		`+ * Thu Dec 19 2024 Ben Homer <bmhomer13@gmail.com> - 8.7p1-44.2 + 0.10.4-5.2`
		`+ - Allow webauthn-sk-ecdsa signatures to be detected based on format`
		`+`
		`* Wed Jul 10 2024 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 8.7p1-43.2 + 0.10.4-5.43.2`
		`- Reenable keyperm patch in facebook builds`

bmh10 commented a day ago

In order to support FIDO2 logins for SSH on MacOS using Apple APIs, we need to make use of the "webauthn-sk-ecdsa" signature type introduced in OpenSSH (see commit).

However, unfortunately there is a bug in ssh agent code which prevents this signature type from being usable from ssh agents (see this post and this post).

Therefore, this PR patches sshd so that it can detect "webauthn-sk-ecdsa" signatures based on the signature format (as outlined here).