Posted to dev@mina.apache.org by "Clark Boylan (Jira)" <ji...@apache.org> on 2021/10/14 15:36:00 UTC

[jira] [Commented] (SSHD-1141) Implement server-sig-algs

    [ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428880#comment-17428880 ] 

Clark Boylan commented on SSHD-1141:
------------------------------------

This seems to have corrected MINA client's ability to connect to servers that want to do rsa-sha2-* server-sig-algs. Reading through this issue I'm not sure that this changed anything about MINA server's support for the server-sig-algs key exchange extension in order to enable openssh clients on Fedora 33 and now openssh >= version 8.8 to talk to a MINA server with SSH RSA pubkey auth. This is coming up for us again as clients to our Gerrit MINA sshd are updating to openssh 8.8 which has deprecated the ssh-rsa sha1 variant hash.

Thank you for all the help so far. Ultimately MINA will probably want to support server-sig-algs on both sides as a client and a server so the previous work is still helpful. [~twolf] [~lgoldstein] can you double check if the server side work to support server-sig-algs is still missing? Connecting to a MINA sshd using openssh client 8.8 or newer with an SSH RSA key would be one test case.

> Implement server-sig-algs
> -------------------------
>
>                 Key: SSHD-1141
>                 URL: https://issues.apache.org/jira/browse/SSHD-1141
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ian Wienand
>            Assignee: Thomas Wolf
>            Priority: Major
>             Fix For: 2.7.0
>
>          Time Spent: 5h
>  Remaining Estimate: 0h
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
> {quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa.  They thus cannot find a suitable signature algorithm and fail to log in.  Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh key works in many other contexts (against openssh servers, etc.).  For full details see discussion in SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.
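The negotiation the issue describes, as an added example that is not MINA SSHD, OpenSSH or the reporter's code: it builds and parses the SSH_MSG_EXT_INFO message that carries "server-sig-algs" (RFC 8308, sections 2.1 and 2.3), then applies the RFC 8332 section 3.3 client rule quoted above, including the ssh-rsa fallback that a SHA-1-free crypto policy refuses. The kex lists, client preference order, policy sets and the simulate_rsa_pubkey_auth driver are constructed stand-ins for a client's PubkeyAcceptedAlgorithms and system policy, not real OpenSSH or MINA configuration.

```python
# Added example (not MINA SSHD / OpenSSH code): server-sig-algs negotiation.
import struct
from typing import Dict, Iterable, Optional, Sequence, Tuple

SSH_MSG_EXT_INFO = 7        # RFC 8308 section 2.3
EXT_INFO_C = "ext-info-c"   # client advertises ext-info support in KEXINIT kex list


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def server_may_send_ext_info(client_kexinit_kex_algs: Iterable[str]) -> bool:
    """RFC 8308 2.1: a server sends SSH_MSG_EXT_INFO only if the client's
    KEXINIT kex_algorithms list contained "ext-info-c"."""
    return EXT_INFO_C in client_kexinit_kex_algs


def build_ext_info(extensions: Dict[str, bytes]) -> bytes:
    """byte SSH_MSG_EXT_INFO, uint32 nr-extensions, (string name, string value)*"""
    msg = bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(extensions))
    for name, value in extensions.items():
        msg += _ssh_string(name.encode("ascii")) + _ssh_string(value)
    return msg


def parse_ext_info(msg: bytes) -> Dict[str, bytes]:
    if len(msg) < 5 or msg[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO message")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = _read_string(msg, off)
        value, off = _read_string(msg, off)
        exts[name.decode("ascii")] = value
    if off != len(msg):
        raise ValueError("trailing bytes after last extension")
    return exts


def choose_rsa_sig_alg(server_sig_algs: Optional[str],
                       client_prefs: Sequence[str],
                       policy_allowed: Iterable[str]) -> Optional[str]:
    """Client-side pick of the signature algorithm for an RSA user key.
    server_sig_algs is the comma-separated extension value, or None if the
    server never sent one. None result = no usable algorithm, pubkey auth
    cannot be attempted with this key."""
    allowed = set(policy_allowed)
    if server_sig_algs is None:
        # RFC 8332 3.3: without server-sig-algs the client MAY default to
        # "ssh-rsa" (SHA-1); a policy that forbids ssh-rsa leaves nothing.
        return "ssh-rsa" if "ssh-rsa" in allowed else None
    advertised = set(server_sig_algs.split(","))
    for alg in client_prefs:  # first client preference the server lists wins
        if alg in advertised and alg in allowed:
            return alg
    return None


def simulate_rsa_pubkey_auth(client_kex_algs: Sequence[str],
                             server_sig_algs: Optional[str],
                             client_prefs: Sequence[str],
                             policy_allowed: Iterable[str]) -> Optional[str]:
    """End-to-end: server decides whether it may send EXT_INFO, encodes it,
    client decodes it and chooses. Returns the algorithm the client would
    sign with, or None when RSA pubkey auth cannot proceed."""
    received: Optional[str] = None
    if server_sig_algs is not None and server_may_send_ext_info(client_kex_algs):
        wire = build_ext_info({"server-sig-algs": server_sig_algs.encode("ascii")})
        received = parse_ext_info(wire)["server-sig-algs"].decode("ascii")
    return choose_rsa_sig_alg(received, client_prefs, policy_allowed)


# Constructed inputs (assumptions, not real configuration).
CLIENT_KEX_ALGS = ["curve25519-sha256", "ecdh-sha2-nistp256", EXT_INFO_C]
CLIENT_PREFS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
POLICY_NO_SHA1 = {"rsa-sha2-512", "rsa-sha2-256"}   # ssh-rsa disabled by policy
POLICY_LEGACY = POLICY_NO_SHA1 | {"ssh-rsa"}        # ssh-rsa still permitted
SERVER_ADVERT = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"

if __name__ == "__main__":
    # Server advertises server-sig-algs: a SHA-2 variant is chosen.
    print(simulate_rsa_pubkey_auth(CLIENT_KEX_ALGS, SERVER_ADVERT, CLIENT_PREFS, POLICY_NO_SHA1))
    # Server never sends it: ssh-rsa fallback, refused by the no-SHA-1 policy.
    print(simulate_rsa_pubkey_auth(CLIENT_KEX_ALGS, None, CLIENT_PREFS, POLICY_NO_SHA1))
    print(simulate_rsa_pubkey_auth(CLIENT_KEX_ALGS, None, CLIENT_PREFS, POLICY_LEGACY))
```

Two points a server implementer checks here: EXT_INFO may only be sent after the client advertised ext-info-c in its own KEXINIT (a server that sends it unconditionally violates RFC 8308), and the extension value must list the rsa-sha2-* names the server actually accepts in userauth, since a client that trusts the list will sign with the first match.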



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org