support ssh on OS with disabled ssh-rsa algorithm

WanzenBug · WanzenBug · commit e5a90928fd59 · 2021-08-19T14:40:57.000+02:00
OpenSSH deprecated the ssh-rsa signature algorithm. Instead one
should use one of the sha2 variantes (rsa-sha2-256 and rsa-sha2-512).
Fedora was one of the first to disabled the ssh-rsa algorithm by default.
That made a Fedora VM inaccessible from virter since golang.org/x/crypto/ssh
still defaults to using ssh-rsa.

This commit adds support for the newer replacement algorithms while keeping
compatibility for older OSes.
diff --git a/go.mod b/go.mod
@@ -26,8 +26,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	github.com/vbauerster/mpb/v7 v7.0.2
 	github.com/vektra/mockery v1.1.2
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210608053332-aa57babbf139 // indirect
 	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
 )
diff --git a/go.sum b/go.sum
@@ -626,8 +626,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
-golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -773,8 +773,8 @@ golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210608053332-aa57babbf139 h1:C+AwYEtBp/VQwoLntUmQ/yx3MS9vmZaKNdw5eOpoQe8=
-golang.org/x/sys v0.0.0-20210608053332-aa57babbf139/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56 h1:b8jxX3zqjpqb2LklXPzKSGJhzyxCOZSz8ncv8Nv+y7w=
diff --git a/pkg/sshkeys/hostkey.go b/pkg/sshkeys/hostkey.go
@@ -91,6 +91,8 @@ func (k *knownHosts) AsHostKeyConfig() (ssh.HostKeyCallback, []string) {
 			return fmt.Errorf("ssh: host key mismatch")
 		}, []string{
 			ssh.KeyAlgoRSA,
+			ssh.SigAlgoRSASHA2256,
+			ssh.SigAlgoRSASHA2512,
 		}
 }
 
diff --git a/pkg/sshkeys/keystore.go b/pkg/sshkeys/keystore.go
@@ -6,9 +6,11 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"golang.org/x/crypto/ssh"
+	"io"
 	"io/ioutil"
 	"os"
+
+	"golang.org/x/crypto/ssh"
 )
 
 // A KeyStore stores a single private key and the matching public key. It provides various methods to access
@@ -53,11 +55,57 @@ func NewKeyStore(privateKeyPath string, publicKeyPath string) (KeyStore, error)
 }
 
 func (store *keyStore) Auth() []ssh.AuthMethod {
+	algo, ok := store.privateKey.(ssh.AlgorithmSigner)
+	if ok && algo.PublicKey().Type() == ssh.KeyAlgoRSA {
+		return []ssh.AuthMethod{
+			ssh.PublicKeys(
+				&algoSigner{signer: algo, ty: ssh.SigAlgoRSASHA2512},
+				&algoSigner{signer: algo, ty: ssh.SigAlgoRSASHA2256},
+				&algoSigner{signer: algo},
+			),
+		}
+	}
+
 	return []ssh.AuthMethod{
 		ssh.PublicKeys(store.privateKey),
 	}
 }
 
+// algoSigner adds support for non-default signature algorithms when authenticating.
+type algoSigner struct {
+	signer ssh.AlgorithmSigner
+	ty     string
+}
+
+func (w *algoSigner) PublicKey() ssh.PublicKey {
+	return &algoPublicKey{key: w.signer.PublicKey(), ty: w.ty}
+}
+
+func (w *algoSigner) Sign(rand io.Reader, data []byte) (*ssh.Signature, error) {
+	return w.signer.SignWithAlgorithm(rand, data, w.ty)
+}
+
+type algoPublicKey struct {
+	key ssh.PublicKey
+	ty  string
+}
+
+func (s *algoPublicKey) Type() string {
+	if s.ty == "" {
+		return s.key.Type()
+	}
+
+	return s.ty
+}
+
+func (s *algoPublicKey) Marshal() []byte {
+	return s.key.Marshal()
+}
+
+func (s *algoPublicKey) Verify(data []byte, sig *ssh.Signature) error {
+	return s.key.Verify(data, sig)
+}
+
 func (store *keyStore) KeyBytes() []byte {
 	return store.privateKeyBytes
 }

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,8 @@ func (k *knownHosts) AsHostKeyConfig() (ssh.HostKeyCallback, []string) {`
`91`	`91`	`return fmt.Errorf("ssh: host key mismatch")`
`92`	`92`	`}, []string{`
`93`	`93`	`ssh.KeyAlgoRSA,`
	`94`	`+ ssh.SigAlgoRSASHA2256,`
	`95`	`+ ssh.SigAlgoRSASHA2512,`
`94`	`96`	`}`
`95`	`97`	`}`
`96`	`98`