The new version of XShell 7 changed the signRequestAgentMsg message format #89

Open
zzmark opened this issue May 6, 2024 · 8 comments

zzmark commented May 6, 2024

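xshell 7 may have modified the agent protocol, or this protocol version has been updated (I have not tracked it down).

xshell version: xshell 7 Build 0157

With debug enabled, the following log is printed to stderr:

agent 13: ssh: parse error in message type 13

Breakpoint analysis shows that the new version's signRequestAgentMsg message carries 32 bits more data than the standard protocol => {0, 24, 15, 254}
Over several attempts the last three bytes are unstable, and I can't tell what they are.
The old version is missing the Flags part and needs 32 bits padded in.

I have a patch that simply and crudely trims the trailing 32 bits; it works in testing, and I did not dig any further.
If it can be merged, I will open a PR.

Attached is the xshell log from before the fix: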

[BEGIN] 2024-05-06 19:00:09
[2024-05-06-19:0:9.735] Connection established.
[2024-05-06-19:0:9.735] To escape to local shell, press 'Ctrl+Alt+]'.
[2024-05-06-19:0:9.766] [19:00:09] Version exchange initiated...
[2024-05-06-19:0:9.766] [19:00:09] 	server: SSH-2.0-OpenSSH_8.7
[2024-05-06-19:0:9.766] [19:00:09] 	client: SSH-2.0-nsssh2_7.0.0040 NetSarang Computer, Inc.
[2024-05-06-19:0:9.766] [19:00:09] 	SSH2 is selected.
[2024-05-06-19:0:9.767] [19:00:09] 		Outgoing packet:  20 (0x14: SSH2_MSG_KEXINIT)
[2024-05-06-19:0:9.786] [19:00:09] 		Incoming packet:  20 (0x14: SSH2_MSG_KEXINIT)
[2024-05-06-19:0:9.787] [19:00:09] Algorithm negotiation initiated... (Dialog mode)
[2024-05-06-19:0:9.787] [19:00:09] 	key exchange: [email protected]
[2024-05-06-19:0:9.787] [19:00:09] 	host key: rsa-sha2-256
[2024-05-06-19:0:9.787] [19:00:09] 	outgoing encryption: [email protected]
[2024-05-06-19:0:9.787] [19:00:09] 	incoming encryption: [email protected]
[2024-05-06-19:0:9.787] [19:00:09] 	outgoing mac: [email protected]
[2024-05-06-19:0:9.787] [19:00:09] 	incoming mac: [email protected]
[2024-05-06-19:0:9.787] [19:00:09] 	outgoing compression: none
[2024-05-06-19:0:9.787] [19:00:09] 	incoming compression: none
[2024-05-06-19:0:9.789] [19:00:09] 		Outgoing packet:  30 (0x1e: SSH2_MSG_KEXDH_INIT)
[2024-05-06-19:0:9.819] [19:00:09] 		Incoming packet:  31 (0x1f: SSH2_MSG_KEXDH_REPLY)
[2024-05-06-19:0:9.819] [19:00:09] Host authentication initiated...
[2024-05-06-19:0:9.820] [19:00:09] 	Hostkey fingerprint:
[2024-05-06-19:0:9.820] [19:00:09] 	rsa 3072 84:f4:6d:f9:11:01:21:3a:b5:0a:4f:f1:af:74:f0:67
[2024-05-06-19:0:9.822] [19:00:09] 	Accepted. Verifying host key...
[2024-05-06-19:0:9.822] [19:00:09] 	Verified.
[2024-05-06-19:0:9.822] [19:00:09] 		Outgoing packet:  21 (0x15: SSH2_MSG_NEWKEYS)
[2024-05-06-19:0:9.823] [19:00:09] 		Incoming packet:  21 (0x15: SSH2_MSG_NEWKEYS)
[2024-05-06-19:0:9.823] [19:00:09] 		Outgoing packet:   5 (0x05: SSH2_MSG_SERVICE_REQUEST)
[2024-05-06-19:0:9.823] [19:00:09] 		Incoming packet:   7 (0x07: SSH2_MSG_EXT_INFO)
[2024-05-06-19:0:9.824] [19:00:09] 	server-sig-algs = ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]
[2024-05-06-19:0:9.843] [19:00:09] 		Incoming packet:   6 (0x06: SSH2_MSG_SERVICE_ACCEPT)
[2024-05-06-19:0:9.843] [19:00:09] User authentication initiated... (Dialog mode)
[2024-05-06-19:0:9.843] [19:00:09] 	Sent user name 'root'.
[2024-05-06-19:0:9.844] [19:00:09] 		Outgoing packet:  50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[2024-05-06-19:0:9.861] [19:00:09] 		Incoming packet:  51 (0x33: SSH2_MSG_USERAUTH_FAILURE)
[2024-05-06-19:0:9.861] [19:00:09] 	Server requested: publickey,gssapi-keyex,gssapi-with-mic
[2024-05-06-19:0:9.862] [19:00:09] 	Server support public key authentication method.
[2024-05-06-19:0:9.862] [19:00:09] 	Trying to find ssh-agent...
[2024-05-06-19:0:9.863] [19:00:09] 	Xagent is running. Connecting to ssh-agent...
[2024-05-06-19:0:9.863] [19:00:09] 	Auth method is agent.
[2024-05-06-19:0:12.468] [19:00:12] 	Received 2 identity-blob(s) from ssh-agent.
[2024-05-06-19:0:12.468] [19:00:12] 	Trying next identity blob...
[2024-05-06-19:0:12.468] [19:00:12] 		Outgoing packet:  50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[2024-05-06-19:0:12.468] [19:00:12] 	UserKey type: keylen:0
[2024-05-06-19:0:12.484] [19:00:12] 		Incoming packet:  51 (0x33: SSH2_MSG_USERAUTH_FAILURE)
[2024-05-06-19:0:12.484] [19:00:12] 	Server rejected the public blob, 
[2024-05-06-19:0:12.484] [19:00:12] 	Trying next identity blob...
[2024-05-06-19:0:12.484] [19:00:12] 		Outgoing packet:  50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[2024-05-06-19:0:12.484] [19:00:12] 	UserKey type:ssh-ed25519 keylen:51
[2024-05-06-19:0:12.504] [19:00:12] 		Incoming packet:  60 (0x3c: SSH2_MSG_USERAUTH_PK_OK)
[2024-05-06-19:0:12.504] [19:00:12] 	Received PK_OK packet. Try to send signed key blob.
[2024-05-06-19:0:12.506] [19:00:12] 	Sent sign request to ssh-agent. ssh-ed25519
[2024-05-06-19:0:12.524] [19:00:12] 	Received an empty signature from ssh-agent.
[2024-05-06-19:0:12.524] [19:00:12] 	Trying next identity blob...
[2024-05-06-19:0:12.524] [19:00:12] 		Outgoing packet:  50 (0x32: SSH2_MSG_USERAUTH_REQUEST)
[2024-05-06-19:0:12.524] [19:00:12] 	UserKey type:ecdsa-sha2-nistp256 keylen:104
[2024-05-06-19:0:12.547] [19:00:12] 		Incoming packet:  60 (0x3c: SSH2_MSG_USERAUTH_PK_OK)
[2024-05-06-19:0:12.547] [19:00:12] 	Received PK_OK packet. Try to send signed key blob.
[2024-05-06-19:0:12.547] [19:00:12] 	Sent sign request to ssh-agent. ecdsa-sha2-nistp256
[2024-05-06-19:0:12.568] [19:00:12] 	Received an empty signature from ssh-agent.
[2024-05-06-19:0:12.569] [19:00:12] 	No more keys to try.
[2024-05-06-19:0:12.569] [19:00:12] 	Fall back to normal user authentication steps.
[2024-05-06-19:0:14.873] [19:00:14] 	Canceled.
[2024-05-06-19:0:14.873] [19:00:14] 		Outgoing packet:   1 (0x01: SSH2_MSG_DISCONNECT)
[2024-05-06-19:0:14.911] Connection closing...Socket close.
[2024-05-06-19:0:14.911] 
[2024-05-06-19:0:14.911] Connection closed by foreign host.

[END] 2024-05-06 19:00:14

lyc8503 commented Jun 19, 2024

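After updating to the latest XShell 7 Build 0157 I ran into the same authentication failure, but a WinCryptSSHAgent build that includes the patch above still could not authenticate; rolling back to Build 0151 solved the problem.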


zzmark commented Jun 27, 2024

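> After updating to the latest XShell 7 Build 0157 I ran into the same authentication failure, but a WinCryptSSHAgent build that includes the patch above still could not authenticate; rolling back to Build 0151 solved the problem.

Strange, I have been using builds 0157 through 0164 day to day and have had no problems so far.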


cqjjjzr commented Jun 28, 2024

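Xshell 8 Beta Build 0042 has the same problem, and a build with the patch does not work either. The message ssh: parse error in message type 13 is still there.

Looking at the patch code, shouldn't xshell.go:176 be err != nil rather than err == nil....

After fixing that, the smart card prompt does come up, but with a Yubikey inserted it shows what is in the image below.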

image


boypt commented Aug 9, 2024

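> Xshell 8 Beta Build 0042 has the same problem, and a build with the patch does not work either. The message ssh: parse error in message type 13 is still there.
>
> Looking at the patch code, shouldn't xshell.go:176 be err != nil rather than err == nil....
>
> After fixing that, the smart card prompt does come up, but with a Yubikey inserted it shows what is in the image below.

Indeed, the logic at that spot in #90 is inverted; xshell.go:176 should be err != nil.

The last field of the newly defined signRequestAgentMsgXshell7, Others uint64, is incorrect, which causes xshell.go:176 to report &errors.errorString{s:"ssh: short read"}; the extra 32 bits should be matched by a uint32 type.

After changing it to uint32, logging in with the system's built-in rsa succeeded on xshell 8 beta 0047.

I did not use a yubikey.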


zzmark commented Oct 9, 2024

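> > Xshell 8 Beta Build 0042 has the same problem, and a build with the patch does not work either. The message ssh: parse error in message type 13 is still there.
> > Looking at the patch code, shouldn't xshell.go:176 be err != nil rather than err == nil....
> > After fixing that, the smart card prompt does come up, but with a Yubikey inserted it shows what is in the image below.
>
> Indeed, the logic at that spot in #90 is inverted; xshell.go:176 should be err != nil.
>
> The last field of the newly defined signRequestAgentMsgXshell7, Others uint64, is incorrect, which causes xshell.go:176 to report &errors.errorString{s:"ssh: short read"}; the extra 32 bits should be matched by a uint32 type.
>
> After changing it to uint32, logging in with the system's built-in rsa succeeded on xshell 8 beta 0047.
>
> I did not use a yubikey.

It looks like this depends heavily on the version; I'll think of another way to throw away the extra trailing data.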

zzmark closed this as completed Oct 9, 2024

boypt commented Oct 9, 2024

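In my locally compiled build I changed signRequestAgentMsgXshell7 to the following; I have used it for two months, xshell 8 beta has also iterated to the official release, and so far everything works normally.

```go
type signRequestAgentMsgXshell7 struct {
	KeyBlob []byte `sshtype:"13"`
	Data    []byte
	Flags   uint32
	Unknown [4]byte
}
```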


zzmark commented Oct 9, 2024

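I took a different approach to the change.

What is known so far is that xshell 5 and early xshell 6 are missing Flags.
xshell 7 also seems to have cases where Flags is missing; in the version I use there are another 8 bytes of data after Flags, so stuffing in a uint64 fits exactly.
I just downloaded xshell8, and what it has extra at the end is 4 bytes.
Since the trailing Flags is not used, there is no need to consider its content, so I changed it to compute the length and keep only the data of the required length.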


zzmark commented Oct 9, 2024

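> In my locally compiled build I changed signRequestAgentMsgXshell7 to the following; I have used it for two months, xshell 8 beta has also iterated to the official release, and so far everything works normally.
>
> ```go
> type signRequestAgentMsgXshell7 struct {
> 	KeyBlob []byte `sshtype:"13"`
> 	Data    []byte
> 	Flags   uint32
> 	Unknown [4]byte
> }
> ```

I have submitted a new version; this time it covers 5 through 8 in one go.
From here on, as long as xshell does not change the protocol, it should be fine.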
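
The length-based handling described in the last comments, as an added example (not the code from the project or from the PR): `parseSignRequest`, `readString` and the `signRequest` fields are hypothetical names. It reads the two length-prefixed fields with bounds checks, takes Flags only when at least 4 bytes remain, and never interprets what follows. The sample message is constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

type signRequest struct {
	KeyBlob, Data []byte
	Flags         uint32 // stays 0 when the client omits it
	Trailing      int    // bytes after Flags, counted but never interpreted
}

// readString consumes one SSH string: uint32 big-endian length, then that many bytes.
// The declared length is checked against what is actually left in the buffer.
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, fmt.Errorf("short read")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// parseSignRequest accepts the standard layout and the variants reported in the thread.
func parseSignRequest(msg []byte) (*signRequest, error) {
	if len(msg) < 1 || msg[0] != 13 { // 13 = SSH_AGENTC_SIGN_REQUEST
		return nil, fmt.Errorf("not a sign request")
	}
	key, rest, err := readString(msg[1:])
	if err != nil {
		return nil, err
	}
	data, rest, err := readString(rest)
	if err != nil {
		return nil, err
	}
	req := &signRequest{KeyBlob: key, Data: data}
	if len(rest) >= 4 { // Flags present (absent in the old-client case)
		req.Flags = binary.BigEndian.Uint32(rest)
		req.Trailing = len(rest) - 4
	}
	return req, nil
}

func main() {
	// Constructed sample: key "K", data "D", Flags 0, then the extra bytes quoted in the issue.
	msg := []byte{13, 0, 0, 0, 1, 'K', 0, 0, 0, 1, 'D', 0, 0, 0, 0, 0, 24, 15, 254}
	fmt.Println(parseSignRequest(msg))
}
```

Because the tail is dropped rather than matched to a fixed-width field, the parser does not depend on whether a given build appends 0, 4 or 8 extra bytes.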
