IETF-SSH archive

Interop lsh and SSH-2.0-GitLab-SSHD

Hi,

Is anyone on this list involved with, or does anyone have experience with,
GitLab's custom sshd? It was announced here
https://about.gitlab.com/blog/2022/08/17/why-we-have-implemented-our-own-sshd-solution-on-gitlab-sass/
and advertises itself as SSH-2.0-GitLab-SSHD when I connect to
gitlab.com.

When connecting to gitlab.com using lsh stopped working quite a long time
ago, I assumed it was just because lsh was lagging in support for current
algorithms. I've been trying to fix that. I added support for hostkeys
using rsa-sha2-256 (RFC 8332) a while ago (as well as kex and MAC
algorithms using SHA-256 rather than SHA-1). That let me connect, but I
couldn't authenticate. I guessed that was due to missing support for
rsa-sha2-256 userauth, so I didn't immediately debug that.

But now I have implemented rsa-sha2-256 also for userauth. I've
successfully tested interop with "SSH-2.0-OpenSSH_9.1 FreeBSD-20230719",
and I'm testing with a particular 3072-bit RSA key. The only unusual
thing with the key, as far as I can tell, is that the "e" value is a
randomly selected 32-bit number, not just 17 or 65537.

I send an SSH_MSG_USERAUTH_REQUEST with "publickey", algorithm name
"rsa-sha2-256", and the signature included right away, with "ssh-rsa" in
the key blob and "rsa-sha2-256" in the signature blob.

But authenticating in the same way to gitlab.com still fails. The
curious thing is that the server appears to just close the connection; I
don't get any SSH_MSG_USERAUTH_FAILURE, not even an SSH_MSG_DISCONNECT.
So either the server is experiencing some kind of crash/exception/panic
(if I understood it right, it's implemented in Go), or it is rather
impolite in not reporting errors to my client.

If I instead send an SSH_MSG_USERAUTH_REQUEST with method "none" (to
query for supported methods), I get a proper SSH_MSG_USERAUTH_FAILURE in
response, listing "publickey" among the authentications that can continue.

Are you aware of any issues with this server? Also any relevant contact
information is appreciated (on or off list).

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
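As an added illustration of the exchange Niels describes (not code from lsh, GitLab or the original post), the following Python builds the SSH_MSG_USERAUTH_REQUEST "publickey" message with the rsa-sha2-256 signature included right away (RFC 4252 section 7, RFC 8332 section 3), and parses and verifies it the way a server would. The key blob carries "ssh-rsa" while the algorithm name and signature blob carry "rsa-sha2-256", exactly the combination in the post. The toy RSA key generator picks a random odd 32-bit public exponent, mirroring the unusual "e" of the key under test; it uses the `random` module and is for illustration only, not for real keys. The session id and user name are constructed sample values.

```python
"""Build and check an SSH_MSG_USERAUTH_REQUEST "publickey" request signed with
rsa-sha2-256 (RFC 4252 section 7, RFC 8332 section 3). Added example, plain
Python 3.8+ standard library; the toy RSA key generator (random.getrandbits,
not a CSPRNG) is for illustration only and is not lsh's or GitLab's code."""
import hashlib
import math
import random
import struct

SSH_MSG_USERAUTH_REQUEST = 50
# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: empty for 0, leading 0x00 if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def ssh_rsa_pubkey_blob(e: int, n: int) -> bytes:
    # The key blob keeps the "ssh-rsa" name even when signing with rsa-sha2-256.
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def _emsa_pkcs1_v15_sha256(data: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sha2_256_sign(key: dict, data: bytes) -> bytes:
    """Signature blob: string "rsa-sha2-256", string s (RFC 8332 section 3)."""
    k = (key["n"].bit_length() + 7) // 8
    s = pow(_emsa_pkcs1_v15_sha256(data, k), key["d"], key["n"])
    return ssh_string(b"rsa-sha2-256") + ssh_string(s.to_bytes(k, "big"))

def rsa_sha2_256_verify(e: int, n: int, data: bytes, sig_blob: bytes) -> bool:
    name, off = read_string(sig_blob, 0)
    s, off = read_string(sig_blob, off)
    k = (n.bit_length() + 7) // 8
    if name != b"rsa-sha2-256" or len(s) != k or off != len(sig_blob):
        return False
    return pow(int.from_bytes(s, "big"), e, n) == _emsa_pkcs1_v15_sha256(data, k)

def build_userauth_request(key: dict, session_id: bytes, user: bytes,
                           service: bytes = b"ssh-connection") -> bytes:
    """Client side: publickey request with the signature included right away."""
    body = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user) + ssh_string(service)
            + ssh_string(b"publickey") + b"\x01" + ssh_string(b"rsa-sha2-256")
            + ssh_string(ssh_rsa_pubkey_blob(key["e"], key["n"])))
    # Signed data = string session_id || request fields up to, not including, the signature.
    sig = rsa_sha2_256_sign(key, ssh_string(session_id) + body)
    return body + ssh_string(sig)

def check_userauth_request(msg: bytes, session_id: bytes) -> dict:
    """Server side: parse the request and verify the signature against the key blob."""
    off, fields = 1, {"ok": False}
    for name in ("user", "service", "method"):
        fields[name], off = read_string(msg, off)
    has_sig, off = msg[off], off + 1
    fields["algorithm"], off = read_string(msg, off)
    fields["key_blob"], off = read_string(msg, off)
    sig, end = read_string(msg, off)  # off still points at the signature string
    if (msg[0] != SSH_MSG_USERAUTH_REQUEST or fields["method"] != b"publickey"
            or not has_sig or end != len(msg)):
        return fields
    kt, o = read_string(fields["key_blob"], 0)
    e_b, o = read_string(fields["key_blob"], o)
    n_b, o = read_string(fields["key_blob"], o)
    if kt == b"ssh-rsa" and fields["algorithm"] == b"rsa-sha2-256":
        e, n = int.from_bytes(e_b, "big"), int.from_bytes(n_b, "big")
        fields["ok"] = rsa_sha2_256_verify(e, n, ssh_string(session_id) + msg[:off], sig)
    return fields

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024, rng=random) -> dict:
    """Toy keygen (illustration only) with a random odd 32-bit e, as in the post's key."""
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    phi = (p - 1) * (q - 1)
    while True:
        e = rng.getrandbits(32) | 1  # random odd 32-bit e, not 17 or 65537
        if e > 2 and math.gcd(e, phi) == 1:
            return {"e": e, "n": p * q, "d": pow(e, -1, phi)}
```

Run stand-alone, `check_userauth_request(build_userauth_request(key, sid, b"git"), sid)["ok"]` returns True for any key from `generate_rsa_key()`, and False if the session id differs, which is the check a server makes before answering with SSH_MSG_USERAUTH_SUCCESS or SSH_MSG_USERAUTH_FAILURE. A server that neither answers nor sends SSH_MSG_DISCONNECT, as the post describes, is behaving outside this flow.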