mirror of
http://galexander.org/git/simplesshd.git
synced 2025-01-27 15:30:56 +00:00
fix "Non-matching signing type"
parent
e948d1cb12
commit
a382cafacc
37
NOTES
37
NOTES
@ -1292,9 +1292,44 @@ one that looks relevant is "scoped storage enforcement", which is just
|
||||
the /sdcard nightmare that we've known all along is getting worse.
|
||||
|
||||
|
||||
January 17, 2021.
|
||||
|
||||
I have had a little luck today... I tested a little with
|
||||
requestLegacyExternalStorage and API 29, on an emulated Android 11, and
|
||||
it seems to work. Users will likely need to use the new "Enable /sdcard"
|
||||
menu option.
|
||||
|
||||
Also, it turns out to be trivial to honor the MY_PACKAGE_REPLACED
|
||||
(package upgrade) intent using the same receiver as BOOT_COMPLETED, which
|
||||
is going to be great for people going forward.
|
||||
|
||||
I have been banging on the problem people have reported with
|
||||
"Non-matching signing type." with older versions of OpenSSH. I've been
|
||||
told it's the OpenSSH 7.2p2 that ships stock with Ubuntu 16.04 and Mint
|
||||
18.3. Rich D did the legwork and found it is probably
|
||||
https://svn.dd-wrt.com/ticket/7179
|
||||
|
||||
There is a new check for expect_sigtype != sigtype in dropbear 2020.81.
|
||||
The fix the dd-wrt guys came up with is simply to disable that check if
|
||||
expect_sigtype == DROPBEAR_SIGNATURE_RSA_SHA256. I don't like simply
|
||||
disabling the check, because I don't know what the role of the check is.
|
||||
I don't want to be a blind fool.
|
||||
|
||||
It sounds like there's one protocol string "ssh-rsa" that can also be
|
||||
used to represent "rsa-sha2-256". I did not bother to trace through how
|
||||
that string gets converted into these numeric values. But at the bottom
|
||||
of http://lists.openwrt.org/pipermail/openwrt-devel/2020-July/030200.html
|
||||
it says the actual signature is DROPBEAR_SIGNATURE_RSA_SHA1. This makes
|
||||
sense from grepping around the dropbear source:
|
||||
|
||||
{"rsa-sha2-256", DROPBEAR_SIGNATURE_RSA_SHA256, NULL, 1, NULL},
|
||||
{"ssh-rsa", DROPBEAR_SIGNATURE_RSA_SHA1, NULL, 1, NULL},
|
||||
DROPBEAR_SIGNATURE_RSA_SHA1 = 100, /* ssh-rsa signature (sha1) */
|
||||
DROPBEAR_SIGNATURE_RSA_SHA256 = 101, /* rsa-sha2-256 signature. has a ssh-rsa key */
|
||||
|
||||
So confusion between those two sounds likely to me.
|
||||
|
||||
|
||||
XXX - Rich D has problem with ssh-rsa key "Exit before auth from <192.168.10.123:58978>:(user 'user', 0 fails): Non-matching signing type" but ssh -vvv on other side says "debug1: Authentication succeeded (publickey)." before it notices the remote closed the connection. client is mint 18.3 (https://svn.dd-wrt.com/changeset/44047)
|
||||
XXX - when i am forced to upgrade to SDK 30, request MANAGE_EXTERNAL_STORAGE permission
|
||||
XXX - Vitalii suggests giving an error message for unrecognized key types (ed25519) that are encountered in authorized_keys, so the user doesn't have to stab in the dark
|
||||
XXX - on android 6 (duckling moto g2), the notification is white-on-white?
|
||||
|
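Review bot: The January 17 entry stops at "So confusion between those two sounds likely to me." and never records what was actually changed or why it is acceptable, even though the same entry says "I don't like simply disabling the check, because I don't know what the role of the check is." Add a sentence stating the decision taken (a mismatch between DROPBEAR_SIGNATURE_RSA_SHA1 and DROPBEAR_SIGNATURE_RSA_SHA256 is tolerated, all other mismatches still exit) and which direction was actually seen from the OpenSSH 7.2p2 client, so the reasoning can be revisited when Dropbear is next updated. If the "XXX - Rich D has problem with ssh-rsa key ..." line is unchanged context rather than a removal, it should be dropped or marked resolved, since this commit is meant to address it.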
@ -221,7 +221,7 @@ harmless.
|
||||
<h2>Change Log</h2>
|
||||
|
||||
<ul>
|
||||
<li> <b>2021/01/XXX Version 27:</b> New approach to accessing /sdcard. Automatically re-start on package upgrade if Start on Boot enabled.
|
||||
<li> <b>2021/01/XXX Version 27:</b> New approach to accessing /sdcard. Automatically re-start on package upgrade if Start on Boot enabled. Fix "Non-matching signing type" error with older ssh clients.
|
||||
<li> <b>2020/12/29 Version 26:</b> Fix ed25519 host key creation.
|
||||
<li> <b>2020/12/29 Version 25:</b> Fix compatibility with WinSCP. Update to upstream Dropbear 2020.81 -- adding ed25519 support!
|
||||
<li> <b>2020/01/01 Version 24:</b> Fix crash with "Start on Open" on Android 9. New TV icon. Improve performance.
|
||||
|
@ -657,7 +657,13 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
|
||||
sigtype = signature_type_from_name(type_name, type_name_len);
|
||||
m_free(type_name);
|
||||
|
||||
if (expect_sigtype != sigtype) {
|
||||
if (((expect_sigtype == DROPBEAR_SIGNATURE_RSA_SHA256) &&
|
||||
(sigtype == DROPBEAR_SIGNATURE_RSA_SHA1)) ||
|
||||
((expect_sigtype == DROPBEAR_SIGNATURE_RSA_SHA1) &&
|
||||
(sigtype == DROPBEAR_SIGNATURE_RSA_SHA256))) {
|
||||
/* ignore mismatch between different flavors of ssh-rsa
|
||||
* - Greg 2021/01/17 */
|
||||
} else if (expect_sigtype != sigtype) {
|
||||
dropbear_exit("Non-matching signing type");
|
||||
}
|
||||
|
||||
|
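Review bot: The exemption in `if (((expect_sigtype == DROPBEAR_SIGNATURE_RSA_SHA256) && (sigtype == DROPBEAR_SIGNATURE_RSA_SHA1)) || ...` is symmetric, and its first arm lets a SHA-1 ssh-rsa signature through where rsa-sha2-256 was expected, so for RSA keys this check no longer enforces the expected hash. The NOTES entry only gives evidence for that one direction (expect_sigtype == DROPBEAR_SIGNATURE_RSA_SHA256 with an actual DROPBEAR_SIGNATURE_RSA_SHA1 signature); the reverse arm (expect SHA1, receive SHA256) is not motivated by anything in the commit and could be dropped until it is observed. Please also confirm, in the code following this hunk, that the verification uses the digest implied by `sigtype` as parsed from the signature blob and not `expect_sigtype`, and say so in the comment. As a style point, the empty branch that holds only the "ignore mismatch" comment would read more clearly as a single condition guarding `dropbear_exit("Non-matching signing type");`, with the comment explaining why the RSA pair is exempt rather than only that it is.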