The Nest
Explore
58
Pure-Rust asynchronous SSH library, both client and server

#52 bug: constraints fail to parse

Opened by fintohaps on September 16, 2021
fintohaps on September 16, 2021

I realised while working on top of my patches that trying to add an identity was failing to go through on the ssh-agent. I was able to confirm on the current state of the repository that it’s the same behaviour.

You can reproduce this by creating the following file under thrussh-keys/examples/add-identity.rs:

use thrussh_keys::agent::{
    Constraint, client::AgentClient,
};
use thrussh_keys::key;

#[tokio::main]
async fn main() {
    let (pk, sk) = key::ed25519::keypair();
    let sk = key::KeyPair::Ed25519(sk);
    let mut client = AgentClient::connect_env().await.unwrap();
    client
        .add_identity(&sk, &[Constraint::KeyLifetime { seconds: 5 }])
        .await
        .unwrap()
}

If you start ssh-agent in debug mode, i.e. ssh-agent -d and then run cargo run --example add-identity you’ll see the following in the output of the ssh-agent:

debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 25
debug2: process_add_identity: entering
parse_key_constraints: Unknown constraint 0
process_add_identity: failed to parse constraints
fintohaps added a change on September 16, 2021
Do not encode number of constraints. As discovered when using thrussh in tandem with ssh-agent, when trying to add a key with constraints it would fail to parse on the ssh-agent. It was discovered that this was due to the length of the constraints being encoded. Instead of doing this we simply push them onto the buffer since they are the last thing to go onto the buffer. On the server side, it simply reads the constraints until it reaches the end. It was also discovered that the server code never added the constraints to the KeyStore. This is also rectified in this patch.
7RARZAIC5KX5KNIM4F2DUBRK5XGVVO64DKKBA4V4WLM2VTAPDTKAC