Posted to commits@mina.apache.org by lg...@apache.org on 2020/08/01 08:10:46 UTC
[mina-sshd] 04/06: [SSHD-1004] Allow ssh-rsa signatures
This is an automated email from the ASF dual-hosted git repository.
lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit 14f72e63ece27ddc4f561dcdea5750bcf769092b
Author: Lyor Goldstein <lg...@apache.org>
AuthorDate: Sat Aug 1 09:52:34 2020 +0300
[SSHD-1004] Allow ssh-rsa signatures
---
README.md | 4 ++++
.../main/java/org/apache/sshd/common/BaseBuilder.java | 19 ++++++++++---------
.../java/org/apache/sshd/DefaultSetupTestSupport.java | 3 +--
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 564d7a4..2c2ed98 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,10 @@ the unsafe settings must do so **explicitly**. The following settings have been
This means that users that encounter this (and related) problems must modify the supported security settings
**explicitly** in order to avoid the issue.
+**Special notice:** `ssh-rsa` was left in as part of the default setup since there are still a lot of systems / users
+using it. However, in future version it will be removed from the default. We therefore strongly encourage users to migrate
+to other keys (e.g. ECDSA, ED25519) as soon as possible.
+
# [Release notes](./CHANGES.md)
# Core requirements
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
index 9c6f71f..2e0eae1 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java
@@ -117,20 +117,21 @@ public class BaseBuilder<T extends AbstractFactoryManager, S extends BaseBuilder
*/
public static final List<BuiltinSignatures> DEFAULT_SIGNATURE_PREFERENCE = Collections.unmodifiableList(
Arrays.asList(
+ BuiltinSignatures.rsaSHA512,
+ BuiltinSignatures.rsaSHA256,
+ BuiltinSignatures.nistp256,
+ BuiltinSignatures.nistp384,
+ BuiltinSignatures.nistp521,
+ BuiltinSignatures.ed25519,
+ BuiltinSignatures.rsa,
+ BuiltinSignatures.rsaSHA512_cert,
+ BuiltinSignatures.rsaSHA256_cert,
BuiltinSignatures.nistp256_cert,
BuiltinSignatures.nistp384_cert,
BuiltinSignatures.nistp521_cert,
BuiltinSignatures.ed25519_cert,
- BuiltinSignatures.rsaSHA512_cert,
- BuiltinSignatures.rsaSHA256_cert,
- BuiltinSignatures.nistp256,
- BuiltinSignatures.nistp384,
- BuiltinSignatures.nistp521,
BuiltinSignatures.sk_ecdsa_sha2_nistp256,
- BuiltinSignatures.ed25519,
- BuiltinSignatures.sk_ssh_ed25519,
- BuiltinSignatures.rsaSHA512,
- BuiltinSignatures.rsaSHA256));
+ BuiltinSignatures.sk_ssh_ed25519));
public static final UnknownChannelReferenceHandler DEFAULT_UNKNOWN_CHANNEL_REFERENCE_HANDLER
= DefaultUnknownChannelReferenceHandler.INSTANCE;
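Review bot: `BuiltinSignatures.rsa` is inserted seventh in `DEFAULT_SIGNATURE_PREFERENCE`, ahead of every `*_cert` and `sk_*` entry, so the SHA-1 based `ssh-rsa` outranks stronger algorithms instead of acting as a last-resort fallback. The README hunk in this commit says it is kept only for systems still using it and will be dropped from the defaults, so I would make it the final entry: `BuiltinSignatures.sk_ssh_ed25519,` followed by `BuiltinSignatures.rsa)); // ssh-rsa (SHA-1): legacy fallback, to be removed from the defaults`. The hunk also moves the RSA SHA-2 and plain key types above the certificate variants, which the commit title does not mention. If that reordering is intended, it deserves a sentence in the Javadoc that ends just above the hunk, since the list's order presumably drives negotiation preference.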
diff --git a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
index 351f3e9..451d620 100644
--- a/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
+++ b/sshd-core/src/test/java/org/apache/sshd/DefaultSetupTestSupport.java
@@ -95,8 +95,7 @@ public abstract class DefaultSetupTestSupport<M extends AbstractFactoryManager>
@Test // SSHD-1004
public void testNoDeprecatedSignatures() {
assertNoDeprecatedFactoryInstanceNames(Cipher.class.getSimpleName(),
- EnumSet.of(BuiltinSignatures.rsa, BuiltinSignatures.rsa_cert, BuiltinSignatures.dsa,
- BuiltinSignatures.dsa_cert),
+ EnumSet.of(BuiltinSignatures.dsa, BuiltinSignatures.rsa_cert, BuiltinSignatures.dsa_cert),
factory.getSignatureFactories());
}
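Review bot: Dropping `BuiltinSignatures.rsa` from the deprecated set in `testNoDeprecatedSignatures` leaves nothing that ties the exemption to its planned removal, so the defaults can keep `ssh-rsa` indefinitely without any test failing. I would add a comment above the `EnumSet.of(...)` line such as `// ssh-rsa tolerated in the defaults for now (SSHD-1004); re-add BuiltinSignatures.rsa here once it is removed`. Separately, the unchanged first argument is `Cipher.class.getSimpleName()` although the check runs over `factory.getSignatureFactories()`. If that argument is only a label for the failure message, a label naming signatures rather than ciphers looks like what was meant.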