You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/04/01 18:39:00 UTC
[jira] [Work logged] (SSHD-1141) Implement server-sig-algs
[ https://issues.apache.org/jira/browse/SSHD-1141?focusedWorklogId=575672&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-575672 ]
ASF GitHub Bot logged work on SSHD-1141:
----------------------------------------
Author: ASF GitHub Bot
Created on: 01/Apr/21 18:38
Start Date: 01/Apr/21 18:38
Worklog Time Spent: 10m
Work Description: lgoldstein commented on a change in pull request #186:
URL: https://github.com/apache/mina-sshd/pull/186#discussion_r605868466
##########
File path: sshd-core/src/main/java/org/apache/sshd/client/auth/pubkey/UserAuthPublicKey.java
##########
@@ -105,6 +106,19 @@ protected boolean sendAuthDataRequest(ClientSession session, String service) thr
chosenAlgorithm = null;
} else if (!currentAlgorithms.isEmpty()) {
currentAlgorithm = currentAlgorithms.poll();
+ if (chosenAlgorithm != null) {
+ Set<String> knownServerAlgorithms = session.getAttribute(
+ DefaultClientKexExtensionHandler.SERVER_ALGORITHMS);
+ if (knownServerAlgorithms != null
+ && knownServerAlgorithms.contains(chosenAlgorithm)) {
+ // We've tried key 'current' with 'chosenAlgorithm', but it
+ // failed. However, the server had told us it supported
+ // 'chosenAlgorithm'. Thus it makes no sense to continue
+ // with this key and other signature algorithms. Skip to the
+ // next key, if any.
+ currentAlgorithm = null;
Review comment:
Let's add a DEBUG level log message summarizing this behavior so that user can tell when it occurred.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 575672)
Time Spent: 3h 20m (was: 3h 10m)
> Implement server-sig-algs
> -------------------------
>
> Key: SSHD-1141
> URL: https://issues.apache.org/jira/browse/SSHD-1141
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Ian Wienand
> Assignee: Thomas Wolf
> Priority: Major
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
> {quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa. They thus can not find a suitable signature algorithm and fail to log in. Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh-key works in many other contexts (against openssh servers, etc.). For full details see discussion in SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org