You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mina.apache.org by "Ian Wienand (Jira)" <ji...@apache.org> on 2021/03/12 03:23:00 UTC

[jira] [Created] (SSHD-1141) Implement server-sig-algs

Ian Wienand created SSHD-1141:
---------------------------------

             Summary: Implement server-sig-algs
                 Key: SSHD-1141
                 URL: https://issues.apache.org/jira/browse/SSHD-1141
             Project: MINA SSHD
          Issue Type: Improvement
            Reporter: Ian Wienand


Mina sshd should implement server-sig-algs to report signature algorithms.

Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
{quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
{quote}

Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa.  For full details see discussion in [SSHD-1118|https://issues.apache.org/jira/browse/SSHD-1118].

For example, connecting to a recent openssh server I see something like

{quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>{quote}

I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org