EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSH Server Public Key Authorisation

#28088
Posted: 01/22/2014 01:57:31
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

I'm implementing PublicKey Authentication for my SSH Server.

In the Demo project (SSHServerDemo) I can see an implementation where it checks the fingerprint of the Public Key.

Code
// Handler for the server's public key authentication event (from SSHServerDemo).
// Username is the login name offered by the client, Key is the public key it presented.
if (Globals.Settings.FindUser(ref user, Username))
{
    // Public key auth must be enabled for this user, and the offered key must match
    // the one stored for the user (KeyValid compares the key fingerprint).
    Accept = (user.AuthTypes & SBSSHConstants.Unit.SSH_AUTH_TYPE_PUBLICKEY) > 0;
    Accept = Accept & user.KeyValid(Key);
    if (Accept)
    {
        // Record that public key authentication succeeded for this user.
        int authFlag;
        if (m_authInfo[Username] == null)
        {
            authFlag = 0;
        }
        else
        {
            authFlag = (int)m_authInfo[Username];
        }
        authFlag = authFlag | SBSSHConstants.Unit.SSH_AUTH_TYPE_PUBLICKEY;
        m_authInfo[Username] = authFlag;
    }
}
else
{
    // Unknown user: reject.
    Accept = false;
}


This code checks if the public key fingerprint is the same as that stored.

Doesn't there need to be more than this? Say an implementation of the encrypted exchange to ensure that the connecting client actually has the private key. Please can you explain if this is complete and secure?

If not, then could you please post me some complete example code? And point out exactly what I need to implement?

Thanks,

Regards,

Daniel

PS I've got a license and I think it's linked to this account. If not please let me know.
#28089
Posted: 01/22/2014 02:00:36
by Eugene Mayevski (EldoS Corp.)

In SSH, validation of keys is performed simply by comparing the public key (or its hashes) of the remote party with the public key known to the connecting party. There are no additional checks performed because, unlike SSL/TLS, SSH keys don't build a hierarchy and are not signed using some upper-level key.

As for cryptographic qualities of the key - they will be checked by using the key for the handshake, so if the key is corrupted, (a) its fingerprint will change and (b) it just won't work during the handshake.


Sincerely yours
Eugene Mayevski
#28091
Posted: 01/22/2014 03:31:40
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

Are you saying that there is no challenge and the client's private key is not checked or used during the authentication?

It still looks to me that we're just comparing the fingerprint of the public keys.

I just want to be sure that the client really does need the private key as well as the public key.
#28092
Posted: 01/22/2014 03:38:32
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
Are you saying that there is no challenge and the client's private key is not checked or used during the authentication?

It's used. The client first sends a public key to the server. If the server finds the key in the list of allowed keys (it's checked by a fingerprint), the client encrypts a certain data packet using the private key and sends the packet to the server together with the public key.
#28093
Posted: 01/22/2014 03:44:44
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

Hi Vsevolod,

Thanks, I am a little paranoid and want to make completely sure I'm doing it correctly.

Your answer sounds good. Is that implemented in the library for me before the call to SSHServer_OnAuthPublicKey?

Do I have to do anything other than check the fingerprint?

Regards,

Daniel
#28094
Posted: 01/22/2014 03:49:48
by Vsevolod Ievgiienko (EldoS Corp.)

Your job is only to check a fingerprint. Everything else is done inside our library automatically. OnAuthPublicKey is fired before cryptographic operations are performed.
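As an added illustration (not EldoS code, and not the SecureBlackbox API) of the one part of this exchange that stays in the application, the following Python sketch parses an OpenSSH-style public key line, derives the SHA256 and MD5 fingerprints the way ssh-keygen prints them, and makes the allow/deny decision the OnAuthPublicKey handler above makes. The sample key is constructed inline (a dummy ssh-ed25519 blob) and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str):
    """Parse '<type> <base64 blob> [comment]' into (type, raw blob).
    The key type inside the blob must match the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' at least")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + type_len].decode("ascii")
    if inner_type != key_type:
        raise ValueError("key type mismatch: %r vs %r" % (key_type, inner_type))
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 'SHA256:<base64 without padding>' fingerprint of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (what older setups store)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def key_allowed(offered_blob: bytes, allowed_fingerprints) -> bool:
    """The OnAuthPublicKey-style decision: is the offered key one we trust?
    Compared in constant time. True only tells the library to go ahead; the
    proof that the client holds the private key is still the library's job."""
    fp = fingerprint_sha256(offered_blob).encode()
    return any(hmac.compare_digest(fp, a.encode()) for a in allowed_fingerprints)


# Constructed sample: an ssh-ed25519 blob with a dummy 32-byte public point.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " user@example"
```

A True from key_allowed corresponds to setting Accept in the handler; as the thread says, the signature check that proves possession of the private key happens inside the library after that.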
#28118
Posted: 01/24/2014 05:11:08
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

That's great thank you!