可以检查服务器是否接受私钥,仅基于其公钥吗?

huangapple go评论70阅读模式
英文:

Is it possible to check whether a server would accept a private key, based on having only its public key?

问题

我理解了。

英文:

I am currently writing a tool which will be used to determine whether any of the servers that I manage currently trust any SSH private keys which are known to be compromised.

I don't want to store the compromised SSH private keys on the hosts that will do this scanning.

Is there a way to determine whether a remote SSH server accepts a private key, based only on its public key?

When using ssh -vvv, there is some information that hints towards it being possible, however I'm not sure how:

debug1: Next authentication method: publickey
debug1: Offering public key: /Users/opera_user/.ssh/id_rsa RSA SHA256:bZ2lxtUybH426ogDCGzZ3/HzbYaIsZ3rC69jgXBa3Ig
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/opera_user/.ssh/id_rsa RSA SHA256:bZ2lxtUybH426ogDCGzZ3/HzbYaIsZ3rC69jgXBa3Ig

Is there a programmatic way to do this?

答案1

得分: 2

协议允许这样做,但OpenSSH不允许。为了使用公钥进行身份验证,客户端首先通过连接发送公钥,并询问服务器是否接受它。如果接受,然后客户端使用私钥签署适当的数据,包括会话哈希(从密钥协议生成),然后发送签名。

发生这种情况的原因是因为一个人可以拥有多个公钥,这些公钥可能已加密或存储在安全密钥上,因此最好避免需要提示输入多个密码或PIN码。

然而,OpenSSH没有提供一种扫描以查看密钥是否有效的方法。您需要一个可以执行此操作的库。Paramiko是Python的一个库,Go有一个SSH库,而libssh可用于与C进行接口的任何内容。但是,我不知道它们是否在客户端端提供此功能(我知道libssh在服务器端提供此功能),但可以根据相关API来确定它们是否可以执行此操作。

英文:

The protocol allows this, but OpenSSH does not. In order to authenticate with a public key, the client first sends the public key over the connection and asks if the server would accept it. If it does, then the client signs the appropriate data with the private key, including the session hash (which is generated from the key agreement), and sends the signature.

The reason this occurs is because one can have multiple public keys, which may or may not be encrypted or on a security key, and it's beneficial to avoid needing to prompt for multiple passphrases or PINs.

However, OpenSSH doesn't offer a way to scan to see if the key is valid. You would need a library which can do this. Paramiko is a library for Python, Go has an SSH library, and libssh is available for anything that can interface with C. I don't know, however, if they offer this functionality on the client side (I know libssh does for the server side), but it should be relatively easy to see if they can in fact perform this based on the API in question.

huangapple
  • 本文由 发表于 2023年5月11日 02:47:57
  • 转载请务必保留本文链接:https://go.coder-hub.com/76221709.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定