You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Lyor Goldstein (Jira)" <ji...@apache.org> on 2021/03/12 08:07:00 UTC

[jira] [Commented] (SSHD-1141) Implement server-sig-algs

    [ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17300130#comment-17300130 ] 

Lyor Goldstein commented on SSHD-1141:
--------------------------------------

[~iwienand] I don't have an exact timeline for when we will get around to doing this, but I believe the current code already contains hooks put in place for KEX extension negotiation that you can probably use to implement this if you are willing to do so. This way we can kill 2 birds with 1 stone - you can get a solution for this issue faster and we can gain a contribution to the MINA SSHD code - something we encourage our users to do...

> Implement server-sig-algs
> -------------------------
>
>                 Key: SSHD-1141
>                 URL: https://issues.apache.org/jira/browse/SSHD-1141
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ian Wienand
>            Priority: Major
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per RFC8332
> {quote}When authenticating with an RSA key against a server that does not implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to disallow insecure algorithms such as ssh-rsa.  They thus can not find a suitable signature algorithm and fail to log in.  Quite a high level of knowledge is required to override the default system cryptography policy, and it can be quite confusing because the user's ssh-key works in many other contexts (against openssh servers, etc.).  For full details see discussion in SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: server-sig-algs=<ss...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, but because they aren't reported the client won't use them.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org