我正在编写一个内部管理系统,该系统也需要实现SSH代理。到目前为止,我已经正确实现了SSH_AGENTC_REQUEST_IDENTITIES
和SSH_AGENT_IDENTITIES_ANSWER
,这导致SSH按照https://tools.ietf.org/id/draft-miller-ssh-agent-00.html发送SSH_AGENTC_SIGN_REQUEST
我遇到的问题是弄清楚如何签署请求,这时我只需要支持ssh-rsa
即可。我已经尝试按照https://tools.ietf.org/html/rfc4253实现此功能,但似乎无法生成可以验证身份的回复。
根据我对本规范的了解,需要使用SSH_AGENTC_SIGN_REQUEST
对RSASSA-PKCS1-v1_5
消息的整个数据部分进行签名
这是接收请求的代码
if msgType == SSH_AGENTC_SIGN_REQUEST:
blobLen = struct.unpack('!I', sock.recv(4))[0]
blob = sock.recv(blobLen)
dataLen = struct.unpack('!I', sock.recv(4))[0]
data = sock.recv(dataLen)
flags = struct.unpack('!I', sock.recv(4))[0]
print("blob: %s\ndata: %s\n flags: %d" % (blob, data, flags))
if base64.b64decode(server["public_key"]) != blob:
sock.sendall(struct.pack('!IB', 1, SSH_AGENT_FAILURE))
continue
signed = rpc.root.signSSHData(server_id, data)
if not signed:
sock.sendall(struct.pack('!IB', 1, SSH_AGENT_FAILURE))
continue
buff = bytearray()
buff.extend(struct.pack('!B', SSH_AGENT_SIGN_RESPONSE))
packBytes(buff, bytes("ssh-rsa", "UTF-8"))
packBytes(buff, signed)
head = struct.pack('!I', len(buff))
sock.sendall(head);
sock.sendall(buff);
这是
rpc.root.signSSHData
的来源: def exposed_signSSHData(self, server_id, data):
query = "SELECT private_key FROM servers WHERE deleted = 0 AND id = %s LIMIT 1"
cursor = self.core.getDBC().cursor()
cursor.execute(query, (server_id, ))
row = cursor.fetchone();
if row is None:
cursor.close()
return False
key = self.core.decryptData(row[0])
key = RSA.importKey(key);
h = SHA.new(data)
signer = PKCS1_v1_5.new(key)
return signer.sign(h)
更新1:我相信我可能已经知道了,似乎
data
是RFC4252中定义的SSH_MSG_USERAUTH_REQUEST
。我将更新我的应用程序,并查看进展情况。 最佳答案
我找到了解决方案,答复的格式不正确,下面是正确的代码:
if msgType == SSH_AGENTC_SIGN_REQUEST:
blobLen = struct.unpack('!I', sock.recv(4))[0]
blob = sock.recv(blobLen)
dataLen = struct.unpack('!I', sock.recv(4))[0]
data = sock.recv(dataLen)
flags = struct.unpack('!I', sock.recv(4))[0]
if base64.b64decode(server["public_key"]) != blob:
sock.sendall(struct.pack('!IB', 1, SSH_AGENT_FAILURE))
continue
sig = rpc.root.signSSHData(server_id, data);
if not sig:
sock.sendall(struct.pack('!IB', 1, SSH_AGENT_FAILURE))
continue
signature = bytearray()
packBytes(signature, bytes("ssh-rsa", "UTF-8"))
packBytes(signature, sig)
buff = bytearray()
buff.extend(struct.pack('!B', SSH_AGENT_SIGN_RESPONSE))
packBytes(buff, signature)
head = struct.pack('!I', len(buff))
sock.sendall(head);
sock.sendall(buff);
continue