Posted to dev@mina.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/10/17 00:33:01 UTC

[jira] [Work logged] (SSHD-1216) Implement RFC 8332 server-sig-algs on the server

     [ https://issues.apache.org/jira/browse/SSHD-1216?focusedWorklogId=665786&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-665786 ]

ASF GitHub Bot logged work on SSHD-1216:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 17/Oct/21 00:32
            Start Date: 17/Oct/21 00:32
    Worklog Time Spent: 10m 
      Work Description: tomaswolf commented on pull request #204:
URL: https://github.com/apache/mina-sshd/pull/204#issuecomment-944997065


   Thanks for double-checking, @benhumphreys .


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 665786)
    Remaining Estimate: 0h
            Time Spent: 10m

> Implement RFC 8332 server-sig-algs on the server
> ------------------------------------------------
>
>                 Key: SSHD-1216
>                 URL: https://issues.apache.org/jira/browse/SSHD-1216
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ben Humphreys
>            Assignee: Thomas Wolf
>            Priority: Major
>             Fix For: 2.7.1
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In the recently released [OpenSSH 8.8|https://www.openssh.com/txt/release-8.8] for RSA keys the public key signature algorithm that depends on SHA-1 has been disabled by default:
> {quote}This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]
> {quote}
> As a result OpenSSH 8.8 clients are unable to authenticate with Mina SSHD servers with RSA based keys (it is however possible to reenable ssh-rsa). OpenSSH since 7.2 does however support RFC 8332 RSA/SHA-256/512 signatures, indeed the release notes go on to say:
> {quote}
> For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.
> {quote}
> It appears Mina SSHD partly implements support for RFC 8332, indeed the client code appears to support it (see SSHD-1141). However the server appears to lack full support because it doesn't fully implement the "server-sig-algs" extension.
> The basic framework for supporting this seems to be present, specifically {{AbstractKexFactoryManager.setKexExtensionHandler()}} could perhaps permit such a "server-sig-algs" extension.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
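
Added example (not part of the original message and not MINA SSHD code): the RFC 8308 SSH_MSG_EXT_INFO payload that carries "server-sig-algs", with a parser and a simplified model of how a client holding an RSA key picks a signature algorithm. The function names, the sample algorithm lists and the selection logic are assumptions made for illustration.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number assigned by RFC 8308
# Constructed sample: a client that no longer accepts SHA-1 based ssh-rsa.
ACCEPTED = ["rsa-sha2-512", "rsa-sha2-256"]

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def client_wants_ext_info(kex_algorithms) -> bool:
    """A client signals EXT_INFO support with this KEXINIT pseudo-algorithm."""
    return "ext-info-c" in kex_algorithms

def build_ext_info(sig_algs) -> bytes:
    """Server side: SSH_MSG_EXT_INFO carrying only server-sig-algs."""
    value = ",".join(sig_algs).encode("ascii")  # SSH name-list
    return (bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", 1)
            + ssh_string(b"server-sig-algs") + ssh_string(value))

def parse_ext_info(payload: bytes) -> dict:
    """Client side: decode the extensions, rejecting truncated input."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    pos, fields = 5, []
    for _ in range(count * 2):  # each extension is a name and a value
        if pos + 4 > len(payload):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated string")
        fields.append(payload[pos:pos + n])
        pos += n
    return dict(zip(fields[0::2], fields[1::2]))

def choose_rsa_sig_alg(extensions: dict, accepted):
    """Simplified client model (assumption): prefer an advertised SHA-2 variant."""
    advertised = extensions.get(b"server-sig-algs", b"").decode("ascii").split(",")
    for alg in ("rsa-sha2-512", "rsa-sha2-256"):
        if alg in advertised and alg in accepted:
            return alg
    # No extension received: only ssh-rsa is left, if the client still allows it.
    return "ssh-rsa" if "ssh-rsa" in accepted else None
```

With no "server-sig-algs" extension and `ssh-rsa` absent from the accepted list, `choose_rsa_sig_alg` returns `None`, which corresponds to the authentication failure the issue describes.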