Add support for ECDSA and Ed25519 SSH keys

Bug #907675 reported by Pim Vullers on 2011-12-22
490
This bug affects 50 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Low
Colin Watson
lazr.sshserver
Low
Colin Watson
turnip
Low
Colin Watson
txpkgupload
Low
Colin Watson

Bug Description

When I wanted to add my ECDSA SSH2 key I got the message that the key was invalid. This is probably caused because those keys use a different key identifier structure than the RSA and DSA keys. Please improve the detection to also add support for the newest kind of SSH keys.

The key I tried to add:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBISztakMuof8TXWJMb9IpHdntowby/QVs6flRj7BiWwQQF5LNC0ByGHb53T2fWKYF8Jig4l70D3j4t1vJ6FZQ3g= pim@chaos

Related branches

Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
William Grant (wgrant) on 2014-10-22
summary: - Add support for ECDSA SSH keys
+ Add support for ECDSA and Ed25519 SSH keys
Unit 193 (unit193) wrote :

This is currently blocked by https://twistedmatrix.com/trac/ticket/5350 which could be partially fixed by http://twistedmatrix.com/trac/ticket/7413, except Ed25519 which would still need https://github.com/pyca/cryptography/issues/856.

http://twistedmatrix.com/trac/ticket/7693 would also be needed for the pyCA support.

Colin Watson (cjwatson) on 2016-02-16
information type: Public → Public Security
Damien Cassou (cassou) wrote :

There has been update on http://twistedmatrix.com/trac/ticket/7413. Please update launchpad to take into account ecdsa keys. And it would be nice to also support Ed25519. Thanks

Colin Watson (cjwatson) wrote :

Don't get too excited. The movement on Twisted #7413 is a necessary prerequisite, but Twisted Conch still doesn't actually have concrete support for ECDSA keys, and Ed25519 is complicated further by the linked cryptography issue.

Sami Olmari (olmari) wrote :

ED25519 key I'd like to use too, so I'm just making noise here :)

Bert JW Regeer (bregeer-ctl) wrote :

OpenSSH on OS X sends ed25519 before rsa, this causes an hang until timeout:

https://bugs.launchpad.net/turnip/+bug/1621238

Unit 193 (unit193) wrote :

http://twistedmatrix.com/trac/ticket/8798 is progress towards both keys, and looks like ECDSA got support with http://twistedmatrix.com/trac/ticket/8828, now just Ed25519 is in https://twistedmatrix.com/trac/ticket/8966 (Though, http://twistedmatrix.com/trac/ticket/8854 might hold things up a tad.)

Still, there's progress and that's good.

lszyba1 (szybalski) wrote :

Hello,
Could somebody that is handling this ticket change the importance to major.
I'm unable to use launchpad without that key support.
My work requires it:
.ssh/id_ed25519.pub

I was hoping to convert some of the my bzr repo to git, and start using launchpad again and test drive the new git repo features in launchpad.

Please let me know who do I need to contact to get this enabled?
Thank you
Lucas

Colin Watson (cjwatson) wrote :

There's not much point arguing about the formal Importance of this bug. The reality is that we have the following chain of dependencies before we can fix this:

 1) upgrade Launchpad production to xenial (in progress)
 2) convert Launchpad build system to pip, so that we're no longer blocked on upgrading Twisted by conflicts between zc.buildout and pbr
 3) wait for a version of Twisted to be released that supports ED25519 keys
 4) upgrade to that version of Twisted

We already consider 1) and 2) to be high-priority, but 3) is out of our hands for the time being. Debating the value of the Importance field isn't going to speed anything up.

Colin Watson (cjwatson) wrote :

Update: we finished upgrading Launchpad production to xenial earlier this year; I just landed the conversion of our build system to pip; and I have a branch in progress to upgrade us to Twisted 16.5.0.

The upstream Twisted work doesn't seem to have finished yet, so we may be near the point where we've done everything we can for the time being. Versions of Twisted newer than 16.5.0 remove gmpy integration, so we'll need to take some care to avoid regressing performance on new connections, but that's doable.

Colin Watson (cjwatson) on 2018-06-27
Changed in lazr.sshserver:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
Changed in turnip:
status: New → Triaged
importance: Undecided → Low
Changed in txpkgupload:
status: New → Triaged
importance: Undecided → Low
Colin Watson (cjwatson) wrote :

lazr.sshserver 0.1.8 adds the baseline SSH authentication support that we need.

Changed in lazr.sshserver:
status: In Progress → Fix Released
Colin Watson (cjwatson) on 2018-07-02
Changed in turnip:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Changed in txpkgupload:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Colin Watson (cjwatson) on 2018-07-09
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) wrote :

turnip (git.launchpad.net) and txpkgupload (upload.ubuntu.com and ppa.launchpad.net) now have the necessary support for ECDSA, although this won't be effective until my next Launchpad branch is deployed. Both will need further upgrades once Twisted supports Ed25519.

Changed in turnip:
status: In Progress → Triaged
Changed in txpkgupload:
status: In Progress → Triaged
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson) on 2018-07-11
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson) wrote :

Launchpad now supports ECDSA keys. Note also that the problem where merely sending unsupported key types to Launchpad used to cause an authentication hang, as mentioned in comment #5, has been fixed for a while (see bug 830679).

I don't plan to advocate particularly strongly for people to use ECDSA keys with Launchpad by default, as there are some theoretical concerns about ECDSA (the origins of the particular chosen curves are murky and some people find that suspicious, and it shares the same weakness in the face of poor random number generators that DSA has; on the other hand, it allows effectively-much-better key lengths). Those concerns aren't enough to refuse support as long as OpenSSH thinks it appropriate to support them, but at the moment I would still recommend RSA out of the set of public key algorithms we offer.

Ed25519 is still blocked on having support for it in Twisted, but Launchpad is now essentially current on Twisted releases so it should be very easy for us to add support once that blocker is resolved. Once that happens, I would be very happy to advocate for the use of Ed25519 with Launchpad.

Changed in launchpad:
status: In Progress → Triaged
Ondřej Surý (ondrej) wrote :

Thank you.

> and it shares the same weakness in the face of poor random number generators that DSA has

Depends, see RFC 6979.

> Ed25519 is still blocked on having support for it in Twisted.

Is this related to using Ed25519 OpenPGP keys? Or is it a separate issue?

Colin Watson (cjwatson) wrote :

> Depends, see RFC 6979.

That's a fair point. OpenSSL 1.1 implements a variant of this which essentially hashes together some random data with the private key and the message, so it's non-deterministic but should still avoid the classic attack on (EC)DSA when the RNG is weak. And, of course, PuTTY implemented something similar for its DSA implementation way back in 2001, and carried that over to ECDSA as well, so PuTTY users should be safe.

Unfortunately, OpenSSL 1.0 *doesn't* implement this strengthening of how the k parameter in (EC)DSA is generated, and OpenSSL 1.1 was a major API change that OpenSSH hasn't yet adapted to (although there has been some gradual progress on that front, and some people have applied a patch against upstream's advice; if you follow debian-devel then you've probably seen me debating what to do about that). So that still leaves a lot of clients vulnerable to this attack in practice, if their random number generator happens to be weak.

> Is this related to using Ed25519 OpenPGP keys? Or is it a separate issue?

That's separate; comment #6 has the details. The problem with Ed25519 OpenPGP keys is that they require GnuPG 2, and getting that to work in non-interactive contexts is a real pain due to the way it likes to spawn opportunistic daemon processes. I did try to get Launchpad's test suite to work with it when we were upgrading to run on Ubuntu 16.04 a while back, but I ended up giving up and forcing GnuPG 1 for now. If you need this, then it'd be a good idea to file a separate bug so that we remember that we need to work on it.

Ondřej Surý (ondrej) wrote :

> OpenSSL 1.1 implements a variant of this

Yeah, it's a shame that RFC 6979 implementation didn't get into OpenSSL 1.1.x yet - I was looking at it the other day while refactoring BIND 9's crypto and I wanted to get rid of random calls in (EC)DSA algorithms. (GnuTLS has already implemented this.)

> If you need this

Nah, I was just curious :). Thanks for the answers.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers