Merge ~cjwatson/lazr.sshserver:rsa-sha2 into lazr.sshserver:main

Proposed by Colin Watson
Status: Merged
Merged at revision: dceaa092b52cc97eb4045188593264ec85591e0d
Proposed branch: ~cjwatson/lazr.sshserver:rsa-sha2
Merge into: lazr.sshserver:main
Diff against target: 45 lines (+6/-3)
2 files modified
NEWS.txt (+2/-0)
src/lazr/sshserver/auth.py (+4/-3)
Reviewer Review Type Date Requested Status
Ioana Lasc (community) Approve
Review via email: mp+415187@code.launchpad.net

Commit message

Add support for RSA keys with SHA-2 signatures

Description of the change

This parallels a change in https://github.com/twisted/twisted/pull/1692, and requires a version of Twisted with that PR in order to actually provide this support (although it will still work as before with older versions of Twisted).

Revision history for this message
Ioana Lasc (ilasc) :
review: Approve

Preview Diff

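diff --git a/NEWS.txt b/NEWS.txt
index 821a9cc..32da7e1 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -10,6 +10,8 @@ NEWS for lazr.sshserver
 - Apply black code formatter.
 - Add isort pre-commit hook.
 - Apply inclusive naming via the woke pre-commit hook.
+- Add support for RSA keys with SHA-2 signatures (given corresponding
+ Twisted support).
 
 0.1.12 (2021-09-13)
 ===================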
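diff --git a/src/lazr/sshserver/auth.py b/src/lazr/sshserver/auth.py
index 3d88930..f0dee0e 100644
--- a/src/lazr/sshserver/auth.py
+++ b/src/lazr/sshserver/auth.py
@@ -273,7 +273,7 @@ class SSHUserAuthServer(userauth.SSHUserAuthServer):
 # Work around a bug in paramiko < 2.0.0: if the most significant
 # byte of an RSA signature is zero, then it strips leading zero
 # bytes rather than zero-padding it to the correct length.
- if algName == b"ssh-rsa":
+ if algName in (b"ssh-rsa", b"rsa-sha2-256", b"rsa-sha2-512"):
 signatureType, rawSignature, rest = getNS(signature, 2)
 pubKeyLen = (pubKey.size() + 7) // 8
 if len(rawSignature) < pubKeyLen:
@@ -289,7 +289,7 @@ class SSHUserAuthServer(userauth.SSHUserAuthServer):
 + NS(self.nextService)
 + NS(b"publickey")
 + _bytesChr(hasSig)
- + NS(pubKey.sshType())
+ + NS(algName)
 + NS(blob)
 )
 # The next three lines are different from the original.
@@ -366,7 +366,8 @@ class PublicKeyFromLaunchpadChecker:
 """Check the key data in credentials against the keys found in LP."""
 if credentials.algName == b"ssh-dss":
 wantKeyType = "DSA"
- elif credentials.algName == b"ssh-rsa":
+ elif credentials.algName in (
+ b"ssh-rsa", b"rsa-sha2-256", b"rsa-sha2-512"):
 wantKeyType = "RSA"
 elif credentials.algName.startswith(b"ecdsa-sha2-"):
 wantKeyType = "ECDSA"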
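Review bot: In the first hunk the paramiko padding workaround now also runs for `rsa-sha2-256`/`rsa-sha2-512`, but the `signatureType` unpacked from the signature blob on the following line is still never compared with `algName`, so nothing visible here rejects a request that names an `rsa-sha2-*` algorithm while carrying a differently-typed signature blob; if the Twisted change this depends on enforces that match inside key verification this is fine, otherwise a `signatureType != algName` check that fails the publickey attempt would be worth adding here (the enclosing method starts and ends outside the hunk). The signed-data change in the second hunk, `NS(algName)` in place of `NS(pubKey.sshType())`, is what the SHA-2 variants require, since the client signs over the negotiated algorithm name rather than the key type. As a point of style, the tuple `(b"ssh-rsa", b"rsa-sha2-256", b"rsa-sha2-512")` is now duplicated between `SSHUserAuthServer` (first hunk) and `PublicKeyFromLaunchpadChecker` (third hunk); a module-level `_RSA_ALG_NAMES = (b"ssh-rsa", b"rsa-sha2-256", b"rsa-sha2-512")` referenced from both places would keep the two lists from drifting apart when further algorithm names are added.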
