You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Thomas Wolf (Jira)" <ji...@apache.org> on 2021/04/08 10:51:00 UTC

[jira] [Commented] (SSHD-1141) Implement server-sig-algs

    [ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17317087#comment-17317087 ] 

Thomas Wolf commented on SSHD-1141:
-----------------------------------

Client-side this appears to be fixed:

* Use all configured signature algorithms (SSHD-1105).
* If a server announces server-sig-algs, try the announced algorithms first. (Changes done for this issue 1141.)
* If neither helps, the client would need to re-order signature algorithms, placing ssh-rsa first. In openSSH (and in JGit) this can be done via ssh config {{PubkeyAcceptedKeyTypes}} (or {{PubkeyAcceptedAlgorithms}} since openSSH 8.5).

Closing this now. [~iwienand], did you have more in mind?

> Implement server-sig-algs
> -------------------------
>
>                 Key: SSHD-1141
>                 URL: https://issues.apache.org/jira/browse/SSHD-1141
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ian Wienand
>            Assignee: Thomas Wolf
>            Priority: Major
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
> {quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa.  They thus can not find a suitable signature algorithm and fail to log in.  Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh-key works in many other contexts (against openssh servers, etc.).  For full details see discussion in SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org