Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Option to allow Warpgate to use rsa-sha/rsa-dss host keys #1150

Open
budachst opened this issue Nov 28, 2024 · 7 comments
Open

Option to allow Warpgate to use rsa-sha/rsa-dss host keys #1150

budachst opened this issue Nov 28, 2024 · 7 comments

Comments

@budachst
Copy link

Now, that Warpgate allows insecure algos when connecting to old hosts, there's one more issue, when trying to access very old systems: these systems also most often cannot cope with Warpgate's own rsa2 host key, as shown in this example:

Nov 28 08:22:49 id-test sshd[6272]: userauth_pubkey: unsupported public key algorithm: ssh-ed25519
Nov 28 08:22:49 id-test sshd[6272]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-256
Nov 28 08:22:49 id-test sshd[6272]: Received disconnect from XXX.XXX.XXX.XXX

It would be great to enable Warpgate to use rsa-sha/rsh-dss host keys when connecting to targets, which have been configured to allow insecure algos.
@codyro
Copy link

codyro commented Nov 28, 2024

This opens up a foot gun for individuals who don't understand the implications of using the wrong or insecure key from WarpGate.

If the developer intends to add this, the UX needs to be very clear that these keys are only to be used in very specific instances (e.g., very legacy hardware).

I understand the need for this—I also have some problematic old network gear. It’s just a scary notion, as many end users don’t fully understand the risks of such things.

@budachst
Copy link
Author

I understand your sentiment, but limiting the use of Warpgate for that reason is beyond me. In the end the risk is on the target side anyway - it's where you need to be cautious of what connections you allow or not. And you'd only switch to insecure algos if you'd need them right now as well, so that itself has to be a conscious decision.

@codyro
Copy link

codyro commented Nov 28, 2024
edited
Loading

I concur. I was concerned that how it's presented (or implemented) matters significantly in this case. For instance, if it automatically generated keys using insecure algos and presented them to the user on the same page as the RSA/ED25519 keys without an unambiguous warning, it asks for trouble (people mindlessly copy keys they have no business using).

@Eugeny
Copy link
Member

Eugeny commented Nov 28, 2024

For RSA key auth, the hash algorithm is not a part of key definition, so "ssh-rsa key" and "rsa-sha2-512 key" are just the same key, the only difference is in the signature algorithm.

@Eugeny
Copy link
Member

Eugeny commented Nov 28, 2024

This issue should have actually been fixed as it's essentially same as #983 - could you test the nightly please?

@budachst
Copy link
Author

Will do and report back tomorrow.

@budachst
Copy link
Author

I checked the latest nightly and the issue still persists:

Nov 29 08:21:11 id-test sshd[9538]: userauth_pubkey: unsupported public key algorithm: ssh-ed25519
Nov 29 08:21:11 id-test sshd[9538]: userauth_pubkey: unsupported public key algorithm: rsa-sha2-256
Nov 29 08:21:11 id-test sshd[9538]: Received disconnect from XXX.XXX.XXX.XXX: 11:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Eugeny @codyro @budachst