You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Ian Wienand (Jira)" <ji...@apache.org> on 2021/03/12 03:31:00 UTC
[jira] [Updated] (SSHD-1141) Implement server-sig-algs
[ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ian Wienand updated SSHD-1141:
------------------------------
Description:
Mina sshd should implement server-sig-algs to report signature algorithms.
Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
{quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
{quote}
Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa. They thus can not find a suitable signature algorithm and fail to log in. Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh-key works in many other contexts (against openssh servers, etc.). For full details see discussion in SSHD-1118.
For example, connecting to a recent openssh server I see something like
{quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
{quote}
I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.
was:
Mina sshd should implement server-sig-algs to report signature algorithms.
Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
{quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
{quote}
Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa. For full details see discussion in [SSHD-1118|https://issues.apache.org/jira/browse/SSHD-1118].
For example, connecting to a recent openssh server I see something like
{quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>{quote}
I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.
> Implement server-sig-algs
> -------------------------
>
> Key: SSHD-1141
> URL: https://issues.apache.org/jira/browse/SSHD-1141
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Ian Wienand
> Priority: Major
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
> {quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa. They thus can not find a suitable signature algorithm and fail to log in. Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh-key works in many other contexts (against openssh servers, etc.). For full details see discussion in SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org