Posted to dev@mina.apache.org by "Thomas Wolf (Jira)" <ji...@apache.org> on 2021/12/20 12:43:00 UTC

[jira] [Resolved] (SSHD-1231) Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)

     [ https://issues.apache.org/jira/browse/SSHD-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Wolf resolved SSHD-1231.
-------------------------------
    Fix Version/s: 2.8.1
         Assignee: Thomas Wolf
       Resolution: Fixed

> Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
> ----------------------------------------------------------------------------------------------
>
>                 Key: SSHD-1231
>                 URL: https://issues.apache.org/jira/browse/SSHD-1231
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.7.0, 2.8.0
>            Reporter: Thomas Wolf
>            Assignee: Thomas Wolf
>            Priority: Major
>             Fix For: 2.8.1
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> See [Eclipse bug 577545|https://bugs.eclipse.org/bugs/show_bug.cgi?id=577545]. The following scenario
> # Client tries authenticating with a wrong RSA key with signature rsa-sha2-512
> # Server rejects the authentication attempt
> # Client tries the next key (an ed25519 key), but unfortunately with the wrong signature algorithm (ssh-rsa)
> authentication fails with
> {noformat}
> Exception in thread "main" org.apache.sshd.common.SshException: DefaultAuthFuture[ssh-connection]: Failed (InvalidKeyException) to execute: Supplied key (net.i2p.crypto.eddsa.EdDSAPrivateKey) is not a RSAPrivateKey instance
> 	at org.apache.sshd.common.future.AbstractSshFuture.lambda$verifyResult$1(AbstractSshFuture.java:131)
> 	at org.apache.sshd.common.future.AbstractSshFuture.formatExceptionMessage(AbstractSshFuture.java:185)
> 	at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:130)
> 	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
> 	at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
> 	at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:43)
> 	at ch.paranor.thomas.TestClient.testAuth(TestClient.java:44)
> 	at ch.paranor.thomas.TestClient.main(TestClient.java:58)
> Caused by: java.security.InvalidKeyException: Supplied key (net.i2p.crypto.eddsa.EdDSAPrivateKey) is not a RSAPrivateKey instance
> 	at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source)
> 	at java.security.Signature$Delegate.engineInitSign(Signature.java:1177)
> 	at java.security.Signature.initSign(Signature.java:530)
> 	at org.apache.sshd.common.signature.AbstractSignature.initSigner(AbstractSignature.java:104)
> 	at org.apache.sshd.client.auth.pubkey.KeyPairIdentity.sign(KeyPairIdentity.java:81)
> 	at org.apache.sshd.client.auth.pubkey.UserAuthPublicKey.appendSignature(UserAuthPublicKey.java:363)
> 	at org.apache.sshd.client.auth.pubkey.UserAuthPublicKey.processAuthDataRequest(UserAuthPublicKey.java:333)
> {noformat}
> Work-arounds:
> * Place RSA keys last in the sequence of keys to be tried
> * Or ensure only actually working keys are used

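
The scenario in the report, as an added example (not code from the issue or from MINA SSHD): a simplified client loop that derives the signature algorithm candidates from the key currently being tried and checks the pairing before signing. The class, its method names and the predicate standing in for the server are hypothetical; keys are generated on the fly and the Ed25519 generator needs Java 15 or later.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Added illustration; class and method names are hypothetical, not MINA SSHD API.
public class PerKeySignatureChoice {
    // Signature algorithms valid per SSH key type, in preference order (RFC 8332, RFC 8709).
    static final Map<String, List<String>> CANDIDATES = Map.of(
        "ssh-rsa", List.of("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"),
        "ssh-ed25519", List.of("ssh-ed25519"));
    // SSH signature algorithm name -> JCA Signature name.
    static final Map<String, String> JCA = Map.of(
        "rsa-sha2-512", "SHA512withRSA", "rsa-sha2-256", "SHA256withRSA",
        "ssh-rsa", "SHA1withRSA", "ssh-ed25519", "Ed25519");
    static String sshKeyType(PrivateKey key) {
        String alg = key.getAlgorithm();
        if (alg.equals("RSA")) return "ssh-rsa";
        if (alg.equals("EdDSA") || alg.equals("Ed25519")) return "ssh-ed25519";
        throw new IllegalArgumentException("Unsupported key algorithm: " + alg);
    }
    // Guard before signing: refuse an algorithm that does not belong to the key's type.
    static byte[] sign(PrivateKey key, String sigAlg, byte[] data) throws Exception {
        if (!CANDIDATES.get(sshKeyType(key)).contains(sigAlg))
            throw new IllegalStateException(sigAlg + " is not valid for a " + sshKeyType(key) + " key");
        Signature s = Signature.getInstance(JCA.get(sigAlg));
        s.initSign(key);
        s.update(data);
        return s.sign();
    }
    // Candidates come from the current key only, so nothing chosen for a rejected key carries over.
    static String authenticate(List<PrivateKey> keys, Predicate<String> serverAccepts) throws Exception {
        for (PrivateKey key : keys)
            for (String sigAlg : CANDIDATES.get(sshKeyType(key))) {
                sign(key, sigAlg, "constructed session data".getBytes());
                if (serverAccepts.test(sshKeyType(key))) return sigAlg;
            }
        return null; // no key accepted
    }
    public static void main(String[] args) throws Exception {
        PrivateKey rsa = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
        PrivateKey ed = KeyPairGenerator.getInstance("Ed25519").generateKeyPair().getPrivate(); // Java 15+
        // Constructed scenario: the server accepts only the ed25519 key, which is tried second.
        System.out.println(authenticate(List.of(rsa, ed), t -> t.equals("ssh-ed25519")));
        // The pairing from the report (ed25519 key, ssh-rsa) is stopped by the guard before initSign.
        try { sign(ed, "ssh-rsa", new byte[0]); } catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Without the guard, the mismatched pairing reaches Signature.initSign and fails there with an InvalidKeyException, as in the stack trace above.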