堆栈内存溢出
  简体   繁体   English

在Python中验证ssh-agent签名

[英]Verify ssh-agent signature in Python

 原文  2013-05-26 04:16:30       python/ paramiko/ ssh-agent

问题描述

Python's Paramiko library lets you request that the ssh-agent sign a bit of data for you. Python的Paramiko库允许您请求ssh-agent为您签署一些数据。 That's great! 那很棒! But how do I verify that signature when I only have access to the public key, not the agent? 但是,当我只能访问公钥而不是代理时,如何验证签名? 

from base64 import b64encode
from paramiko.agent import Agent
agent = Agent()
key = agent.get_keys()[0]
sig = key.sign_ssh_data(None, "Hello World!")
print b64encode(sig)
# AAAAB3NzaC1yc2EAAAEAqZFIGxm1Zz3ALeTa2YiiYX2rbr9Cnb3gj4tJj1Fl19sNsRy6UbbauYnmahYWl6mWqhOHJaj0sAtVqPab8U1RiyeZyQB+Bwp0MUal4ZGCmrJxJ7ykVE+BeJnpOxXyutHHV376TXC5l+tx0PjFsylL1vVbBm6J927Nyc/cq1uk0q2QpcRexg0iJ51i1WGyISVvu1PC+g0LmW1dGh2mXTo/fpt+Cu45/hjWpMlcBUg8O60+nkj2jYxxGVh/z7U6zTYrDSJU4hTEveuKG5I38gsaMRBw/YkSIaMtkGNJX36Ybc+/EVolL4Z/NOOCV+kd7WPHjSTf1hVZ02ulTTrnMN4HfA==

I've tried every solution I can come up with. 我已经尝试了我能提出的每一个解决方案。 OpenSSL can't even look at the key I'm using (generated via ssh-keygen): OpenSSL甚至无法查看我正在使用的密钥(通过ssh-keygen生成): 

$ ssh-keygen -f ~/.ssh/testssh.pub -e -m pem > test.pub
$ cat test.pub
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA7Zs6ZyrHk3RpDKv7Kzd7NCU2Qk5k5ajVJvntRPiEukWOIe4CkcBo
B76HSDyPvEDI50DUyebj2Qj77NDX/lh5AhDrVTEmX/Lfzx2iCwgpWwQcu8dgAaN5
qhsCMYOc77d2YykcnbDUhgxus/KiieLnruKmviVdSHoLBs6ygnVEa+8nx+DhJwSB
B3+6gClM89QnKrPYOonj9z4zi+UeWPX9TVwJVOAADnXEC6LCmDCgHDb+FrCaiNT9
d4yam3iZJ2RMQ+ajBj6JWvoig2LdUBI7eSgmrREjjEEskBCNRkD4YmjeT8mfZg9d
FhbGz0CQjnF31jiohIvhABTwcUQnDdrPEQIDAQAB
-----END RSA PUBLIC KEY-----
$ openssl rsa -inform PEM -in test.pub -pubin -text
unable to load Public Key
140735078689212:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: PUBLIC KEY

PyCrypto comes up with a completely different signature for the same data: PyCrypto为相同的数据提供了完全不同的签名: 

from base64 import b64encode
from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5

# PyCrypto
key = RSA.importKey(open('.ssh/testssh').read())
signer = PKCS1_v1_5.new(key)
h = SHA.new()
h.update("Hello World!")
sig = signer.sign(h)
print "CRYPTO: %s" % b64encode(sig)
# CRYPTO: qZFIGxm1Zz3ALeTa2YiiYX2rbr9Cnb3gj4tJj1Fl19sNsRy6UbbauYnmahYWl6mWqhOHJaj0sAtVqPab8U1RiyeZyQB+Bwp0MUal4ZGCmrJxJ7ykVE+BeJnpOxXyutHHV376TXC5l+tx0PjFsylL1vVbBm6J927Nyc/cq1uk0q2QpcRexg0iJ51i1WGyISVvu1PC+g0LmW1dGh2mXTo/fpt+Cu45/hjWpMlcBUg8O60+nkj2jYxxGVh/z7U6zTYrDSJU4hTEveuKG5I38gsaMRBw/YkSIaMtkGNJX36Ybc+/EVolL4Z/NOOCV+kd7WPHjSTf1hVZ02ulTTrnMN4HfA==

Obviously, I'm not a crytpologist. 显然,我不是一个哭泣学家。 I've been reading code for the last 12 hours trying to figure out how to verify an ssh-agent signature. 我一直在阅读过去12小时的代码,试图弄清楚如何验证ssh-agent签名。 Is there something painfully obvious I'm missing? 我有什么痛苦明显的遗失吗? What's the "Right" way to do this? 什么是“正确”的方式来做到这一点?

Update 更新

Following the M2Crypto verify process outlined here , I'm getting this error against the ssh-agent's signature: 遵循此处概述的M2Crypto验证过程,我收到了针对ssh-agent签名的错误: 

Traceback (most recent call last):
  File "test.py", line 36, in <module>
    print key.verify(datasha.digest(), agentsig)
  File "/Users/shbeta/virtualenvs/dev/lib/python2.7/site-packages/M2Crypto-0.21.1-py2.7-macosx-10.7-intel.egg/M2Crypto/RSA.py", line 259, in verify
M2Crypto.RSA.RSAError: wrong signature length

Testing against the Crypto-generated signature, however, succeeds. 但是,对加密生成的签名进行测试是成功的。 Is the ssh-agent using a nonstandard signature algorithm? ssh-agent是否使用非标准签名算法?

Update 2: redacted. 更新2:编辑。 I misread. 我误读了。

1 个解决方案

解决方案1
 1 已采纳  2013-05-27 19:18:07

It seems that the general ideas around building an RSA key object from the public SSH key are...not quite accurate. 似乎从公共SSH密钥构建RSA密钥对象的一般想法是......不太准确。 Again, I'm no cryptographer. 再说一遍,我不是密码学家。 But this works: 但这有效: 

from paramiko import Message
from paramiko.rsakey import RSAKey
from sshkey import load_rsa_pub_key
with open('.ssh/testssh.pub') as fh:
  ketype, b64key, _ = fh.next().strip().split(None, 2)
decoded_key = base64.b64decode(b64key)
pkey = RSAKey(data=decoded_key)
psig = Message(agentsig)
print pkey.verify_ssh_sig(plaintext, psig)
# True
print pkey.verify_ssh_sig("bogus", psig)
# False

I'd love to understand why using the converted PEM format didn't work. 我很想知道为什么使用转换的PEM格式不起作用。 Does ssh-keygen dump it incorrectly? ssh-keygen是否错误地转储它?

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用python永久启动ssh-agent? - How to start ssh-agent permantly with python? 如何在ssh代理上使用ssh-agent在ssh代理上并行ssh以便在python中进行身份验证? - how to parallel ssh over ssh proxy with ssh-agent for authentication in python? 激活 virtualenvwrapper 并在登录时运行 ssh-agent - Activate virtualenvwrapper and run ssh-agent on login 在没有登录的情况下使用ssh-agent - using ssh-agent without login ssh-agent ssh-add OK in user not in sudo - ssh-agent ssh-add ok in user not in sudo Paramiko 或 sshtunnel 和 ssh-agent 无需输入密码 - Paramiko or sshtunnel and ssh-agent without entering passphrase 如何在ssh-agent中使用boto.manage.cmdshell? - How to use boto.manage.cmdshell with ssh-agent? 如何解决“paramiko.ssh_exception.SSHException:无法从ssh-agent获取密钥” - How to solve "paramiko.ssh_exception.SSHException: could not get keys from ssh-agent" Python ECDSA 无法验证签名 - Python ECDSA failing to verify signature Python、paramiko 和转发代理 ssh - Python, paramiko and forward agent ssh
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM