You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mina.apache.org by "tomaswolf (via GitHub)" <gi...@apache.org> on 2023/05/05 11:30:48 UTC

[GitHub] [mina-sshd] tomaswolf commented on pull request #368: [SSHD-1259] Match key type in known_hosts lookup and prefer already trusted host key algorithms

tomaswolf commented on PR #368:
URL: https://github.com/apache/mina-sshd/pull/368#issuecomment-1536123507

I don't think this is correct.

First, the client has already sent its KEX proposal, with a different list. The server-sig-algs KEX extension message can arrive only after the server has received the client's KEX proposal, and that includes ext-info-c.

Second, server-sig-algs is signature algorithms, not key types. But known_hosts records key types. So for RSA keys, they might not match. (Key type "ssh-rsa", signature algorithm for instance "rsa-sha2-512".)

In JGit, we've implemented this "prefer already known keys" in `ClientSession.resolveAvailableSignaturesProposal()`, and we make sure to add all three RSA signature algorithm names at the front if ssh-rsa is a known host key type.

Getting the order wrong in the KEX proposal may lead to hard to track down negotiation failures such as [Eclipse bug 574635](https://bugs.eclipse.org/bugs/show_bug.cgi?id=574635).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org