You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Thomas Wolf (Jira)" <ji...@apache.org> on 2021/04/08 10:51:00 UTC
[jira] [Commented] (SSHD-1141) Implement server-sig-algs
[ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17317087#comment-17317087 ]
Thomas Wolf commented on SSHD-1141:
-----------------------------------
Client-side this appears to be fixed:
* Use all configured signature algorithms (SSHD-1105).
* If a server announces server-sig-algs, try the announced algorithms first. (Changes done for this issue 1141.)
* If neither helps, the client would need to re-order signature algorithms, placing ssh-rsa first. In openSSH (and in JGit) this can be done via ssh config {{PubkeyAcceptedKeyTypes}} (or {{PubkeyAcceptedAlgorithms}} since openSSH 8.5).
Closing this now. [~iwienand], did you have more in mind?
> Implement server-sig-algs
> -------------------------
>
> Key: SSHD-1141
> URL: https://issues.apache.org/jira/browse/SSHD-1141
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Ian Wienand
> Assignee: Thomas Wolf
> Priority: Major
> Time Spent: 4h 40m
> Remaining Estimate: 0h
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
> {quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa. They thus can not find a suitable signature algorithm and fail to log in. Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh-key works in many other contexts (against openssh servers, etc.). For full details see discussion in SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org