SSH publickey-hostbound method doesn't work?

[AlexanderPavlenko]

https://www.openssh.com/agent-restrict.html#authverify

openssh-server 1:8.9p1-3 arm64

debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
...
debug1: Server accepts key: /.../id_krypton.pub RSA SHA256:rLDF...9hr8 explicit agent
debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with RSA SHA256:rLDF...9hr8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:rLDF...9hr8
sign_and_send_pubkey: signing failed for RSA "/.../id_krypton.pub" from agent: agent refused operation

vs.

openssh-server 1:8.2p1-4ubuntu0.1 amd64

debug1: Server accepts key: /.../id_krypton.pub RSA SHA256:rLDF...9hr8 explicit agent
debug3: sign_and_send_pubkey: using publickey with RSA SHA256:rLDF...9hr8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:rLDF...9hr8
Krypton ▶ Requesting SSH authentication from phone
Krypton ▶ Success. Request Allowed ✔

[andriisemenov-emma]

Same here OpenSSL 3.0.2
Is there any solution?

[cheahjs]

Looking into this, unfortunately with how things are architected, this requires an update to the mobile apps as well.

Currently the daemon is failing to parse the signature payload as the agent restriction change modified the payload to include an additional server host key field. ssh.Unmarshal errors out if after unmarshaling there is still data in the buffer. This can be fixed with

type signaturePayload struct {
	Session []byte
	Type    byte
	User    string
	Service string
	Method  string
	Sign    bool
	Algo    []byte
	PubKey  []byte
	// OpenSSH 8.9 modifies the struct, use the "rest" tag to either take an empty slice on older versions, or the host key on newer versions
	ServerHostKey  []byte `ssh:"rest"`
}

However, the daemon<>app protocol attempts to optimise the payload that is sent over the wire, so the public key is omitted from the signature payload, and the mobile app is responsible for appending the key to the payload to be signed.

https://github.com/kryptco/krypton-android/blob/37e97026e48e0123ab580793a2c19674e96ecc4e/app/src/main/java/co/krypt/krypton/crypto/EdSSHKeyPair.java#L77-L91

This is problematic with agent restriction, as the new server host key comes after the public key, which means without changes to the mobile apps, it is not possible to get the apps to sign the correct payload.

The new Akamai akr tool doesn't suffer from this as it treats the signature payload as an opaque blob to sign.