Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Recognize LANcom LCOS software and support ed448 key extraction #277

Conversation

dlenskiSB
Copy link
Contributor

(Re-creation of arthepsy/ssh-audit#51 after realizing that project is defunct and this one has advanced much further 😄)

LANcom router devices appear to be primarily used in Germany (see [1]
for examples on the public Internet), and they appear to support the
ssh-ed448 key type which is documented in [2], but which has never
been supported by any as-yet-released version of OpenSSH.

[1] https://www.shodan.io/search?query=ssh+%22ed448%22
[2] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format

@@ -52,6 +52,9 @@ class HostKeyTest:

'ssh-ed25519': {'cert': False, 'variable_key_len': False},
'[email protected]': {'cert': True, 'variable_key_len': False},

'ssh-ed448': {'cert': False, 'variable_key_len': False},
# '[email protected]': {'cert': True, 'variable_key_len': False},
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've never actually seen this key type anywhere in the wild, so I'm hesitant to include it here.

@dlenskiSB
Copy link
Contributor Author

Should a special case for .startswith('ssh-ed448') be added here as well?

if host_key_type.startswith('ssh-ed25519') or host_key_type.startswith('ecdsa-sha2-nistp'):
hostkey_min_good = 256
hostkey_min_warn = 224
hostkey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING
if ca_key_type.startswith('ssh-ed25519') or ca_key_type.startswith('ecdsa-sha2-nistp'):
cakey_min_good = 256
cakey_min_warn = 224
cakey_warn_str = HostKeyTest.SMALL_ECC_MODULUS_WARNING

@@ -157,6 +157,7 @@ def perform_test(out: 'OutputBuffer', s: 'SSH_Socket', server_kex: 'SSH2_Kex', k
ca_key_type = kex_group.get_ca_type()
ca_modulus_size = kex_group.get_ca_size()
out.d("Hostkey type: [%s]; hostkey size: %u; CA type: [%s]; CA modulus size: %u" % (host_key_type, hostkey_modulus_size, ca_key_type, ca_modulus_size), write_now=True)
out.d("Raw hostkey bytes (%d): [%s]" % (len(raw_hostkey_bytes), raw_hostkey_bytes.hex()), write_now=True)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Elsewhere, this repo uses binascii.hexlify, but since the built-in bytes.hex has existed since 3.5, I figure it's fine to switch to that here.

@dlenskiSB
Copy link
Contributor Author

Excerpts of the relevant output for a publicly-visible server. Should be easy to find other examples as I describe in the 3361b17 commit message, but I figure I ought not to spam this particular server's address all over GitHub. 😅

$ python3 ssh-audit.py -d2 --skip-rate-test W.X.Y.Z
…
Parsing host key type: ssh-ed448
ssh-ed448 has a fixed host key modulus of 57.
Hostkey type: [ssh-ed448]; hostkey size: 448; CA type: []; CA modulus size: 0
Raw hostkey bytes (74): [000000097373682d656434343800000039..................................................................................................................]
…
(gen) banner: SSH-2.0-lancom
(gen) software: LANcom LCOS sshd
(gen) compatibility: OpenSSH 7.4+ (some functionality from 6.6), Dropbear SSH 2020.79+
(gen) compression: enabled (zlib)
…
(key) ssh-ed448                             -- [fail] using small 448-bit modulus
                                            `- [info] described in RFC8709 but never implemented in OpenSSH
…
# fingerprints
(fin) ssh-ed25519: SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(fin) ssh-ed448: SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
…

@jtesta
Copy link
Owner

jtesta commented Jul 5, 2024

@dlenskiSB : I provided feedback on one part of this PR. Looks good otherwise.

src/ssh_audit/ssh2_kexdb.py Outdated Show resolved Hide resolved
…y type

LANcom router devices appear to be primarily used in Germany (see [1]
for examples on the public Internet), and they appear to support the
`ssh-ed448` key type which is documented in [2], but which has never
been supported by any as-yet-released version of OpenSSH.

[1] https://www.shodan.io/search?query=ssh+%22ed448%22
[2] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
@dlenskiSB dlenskiSB force-pushed the recognize_LANcom_and_support_Ed448_key_extraction branch from 3361b17 to c9769b3 Compare July 5, 2024 18:57
@dlenskiSB dlenskiSB requested a review from jtesta July 5, 2024 18:58
@jtesta jtesta merged commit bbbdf71 into jtesta:master Jul 7, 2024
5 checks passed
@jtesta
Copy link
Owner

jtesta commented Jul 7, 2024

Merged. Thanks for submitting this!

dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 10, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

See also jtesta/ssh-audit#277 in which I extended
`ssh-audit` to allow it to scan and discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 10, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

See also jtesta/ssh-audit#277 in which I extended
`ssh-audit` to allow it to scan and discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 16, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

See also jtesta/ssh-audit#277 in which I extended
`ssh-audit` to allow it to scan and discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 16, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

See also jtesta/ssh-audit#277 in which I extended
`ssh-audit` to allow it to scan and discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 16, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

See also jtesta/ssh-audit#277 in which I extended
`ssh-audit` to allow it to scan and discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 16, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

See also jtesta/ssh-audit#277 in which I extended
`ssh-audit` to allow it to scan and discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 17, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 18, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 18, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 18, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 18, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 18, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
dlenskiSB added a commit to dlenskiSB/cryptography that referenced this pull request Jul 18, 2024
The 'ssh-ed448' key type is documented along with 'ssh-ed25519' in [1], but
has never been supported by any as-yet-released version of OpenSSH.

However, LANcom router devices (which appear to be primarily used in
Germany, see [2] for examples on the public Internet) appear to support
these keys, so this library can and should support loading them.

Ed448 private keys are not yet implemented here, because OpenSSH itself does
not yet support them, and it is the de facto authority for private key
formats.  However, PuTTY has already implemented support for generating and
using Ed448 keys, and the PuTTY developers note in [3] that the OpenSSH
developers are in agreement with them as to the correct Ed448 private key
format:

> I checked with them [OpenSSH developers], and they agreed that there's an
> obviously right format for Ed448 keys, which is to do them exactly like
> Ed25519 except that you have a 57-byte string everywhere Ed25519 had a
> 32-byte string.  So I've done that.

See also [4] in which I extended `ssh-audit` to allow it to scan and
discover host keys of type 'ssh-ed488'.

[1] https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format
[2] https://www.shodan.io/search?query=ssh+%22ed448%22
[3] github/putty@a085acb
[4] jtesta/ssh-audit#277
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants