Comment 7 for bug 1952421

Chloé Smith (kajiya) wrote:

Hey everyone,

I can confirm the fix has been tested by our friends at Google (Anthos) for Focal 20.04, using the same patch used in 1:8.2p1-4ubuntu0.4 but *not* by using the package from focal-proposed itself.
Hopefully this still suffices? Please let me know if not and I'll re-run the verification again using an instance pulling from focal-proposed.

[RATIONALE]

Need SSH to authenticate a ``HostCertificate`` and an SSH agent that holds the corresponding host private key.

The sshd_config has the following directives:

-- HostCertificate the public host certificate whose public key matches the private key stored in the ssh agent

-- HostKey the public key of the host keypair

-- HostKeyAgent the socket of the ssh agent that holds the host private key

Before the patch, this combination didn't work - even though it authenticated successfully, the setup behaved as if ``HostCertificate`` was never configured (i.e. it authenticated using only the public key and the private key in the ssh agent).

[VERIFICATION OF FIX]
````
ssh-agent -a /path/agent-socket
SSH_AUTH_SOCK=/path/agent-socket ssh-add -k /path/hostkey
````

Then ran ``sshd`` with:

````
HostCertificate /path/hostkey-cert.pub
HostKey /path/hostkey.pub
HostKeyAgent /path/agent-socket
````

Then configured the CA trust anchor on the client's side.
(localhost was used, but it would be the same if a second host is used as a client)

````
ssh -vv localhost
````

shows the host certificate was seen and used.
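
An added example, not part of the original comment or of the OpenSSH package: a shell check for the last verification step that reads `ssh -vv` output and reports whether the server presented a host certificate or fell back to a plain host key, which is the pre-patch behaviour described above. The function name `host_auth_kind` and the sample log lines are constructed for illustration; the strings matched are the client's `Server host certificate:` and `Server host key:` debug lines.

```shell
#!/bin/sh
# Added example (hypothetical helper): classify how the server authenticated
# itself, based on the debug lines an OpenSSH client prints with -v/-vv.
# Reads the debug log on stdin and prints one of:
#   certificate <keytype> CA <ca-fingerprint>
#   plain-key <keytype>
#   unknown
# Exit status is 0 only when a host certificate was presented.
host_auth_kind() {
    awk '
        /debug1: Server host certificate: / {
            # <type> <fp>, serial N ID "<key id>" CA <ca-type> <ca-fp> valid ...
            type = ""; ca = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "certificate:" && type == "") type = $(i + 1)
                # Last "CA" wins, so a key ID containing the word CA is harmless.
                if ($i == "CA") ca = $(i + 2)
            }
            print "certificate", type, "CA", ca
            found = 1; exit
        }
        /debug1: Server host key: / {
            # Plain host key: this is what the pre-patch fallback looks like.
            for (i = 1; i <= NF; i++) if ($i == "key:") type = $(i + 1)
            print "plain-key", type
            found = 2; exit
        }
        END {
            if (!found) print "unknown"
            exit (found == 1 ? 0 : 1)
        }
    '
}

# Constructed sample lines; the fingerprints are placeholders, not real keys.
SAMPLE_CERT='debug1: Server host certificate: ssh-ed25519-cert-v01@openssh.com SHA256:HOSTFP-PLACEHOLDER, serial 0 ID "example-host" CA ssh-ed25519 SHA256:CAFP-PLACEHOLDER valid forever'
SAMPLE_PLAIN='debug1: Server host key: ssh-ed25519 SHA256:HOSTFP-PLACEHOLDER'

# Demo on the constructed certificate line.
printf '%s\n' "$SAMPLE_CERT" | host_auth_kind

# Against a live server the debug log is on stderr:
#   ssh -vv localhost true 2>&1 | host_auth_kind
```

A `plain-key` result with `HostCertificate` configured in `sshd_config` indicates the certificate is being ignored, so the check can gate a verification run on its exit status.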