Posted to dev@mina.apache.org by "Klaus Nguetsa (Jira)" <ji...@apache.org> on 2022/04/04 14:10:00 UTC

[jira] [Updated] (SSHD-1259) DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in known_hosts

     [ https://issues.apache.org/jira/browse/SSHD-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Klaus Nguetsa updated SSHD-1259:
--------------------------------
    Summary: DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in known_hosts  (was: DefaultKnownHostsServerKeyVerifier not checking all Key algorithms)

> DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in known_hosts
> -----------------------------------------------------------------------------------------
>
>                 Key: SSHD-1259
>                 URL: https://issues.apache.org/jira/browse/SSHD-1259
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Klaus Nguetsa
>            Priority: Major
>
> Hello everyone,
> Assuming I have the following known_hosts file, which contains the public key of the same host twice, but with different algorithms:
>  
> {code:java}
> lserver1 ssh-dss XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> lserver1 ecdsa-sha2-nistp256 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> {code}
>  
>  
> During the connection, when I use DefaultKnownHostsServerKeyVerifier to verify the keys, if the target host presents an ecdsa-sha2-nistp256 key, the verification will fail because DefaultKnownHostsServerKeyVerifier seems to match the first occurrence of the hostname in the known_hosts file. Therefore it will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison to the same key but with the ecdsa-sha2-nistp256 algorithm presented by the target host will fail. Shouldn't it iterate through the file until the right combination (hostname, algorithm) is found? This way it could check against lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
> This works fine with OpenSSH.
> Thanks
>  
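The matching semantics the report asks for, as an added example that is not part of the Jira issue and not MINA SSHD code: a small known_hosts parser modeled on OpenSSH behaviour (comma-separated host patterns, `*`/`?` wildcards, `!` negation, `|1|salt|hash` hashed hosts), with a first-hostname-match verifier beside one that considers every (hostname, key type) entry. The known_hosts content and the key blobs are constructed placeholders, and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
from fnmatch import fnmatchcase

# Constructed placeholder key blobs (not real keys); compared as opaque strings.
DSS_KEY = "AAAAB3NzaC1kc3MAAAFAKEDSSKEYBLOB="
ECDSA_KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAFAKEECDSAKEYBLOB="
ED25519_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAFAKEED25519BLOB="

# Constructed known_hosts text mirroring the report: the same host listed twice with
# different key types, plus a wildcard entry with a negated host for the matcher.
KNOWN_HOSTS = (
    f"lserver1 ssh-dss {DSS_KEY}\n"
    "#\n"
    f"lserver1 ecdsa-sha2-nistp256 {ECDSA_KEY}\n"
    f"*.example.test,!bad.example.test ssh-ed25519 {ED25519_KEY}\n"
)


def parse_known_hosts(text):
    """Yield (host_patterns, key_type, key_blob) for each usable line.

    Blank lines and comments are skipped; @cert-authority/@revoked markers are
    stripped so the host/type/key columns line up (marker semantics are out of scope).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            line = line.split(None, 1)[1] if " " in line else ""
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0].split(","), parts[1], parts[2]


def hashed_host_pattern(hostname, salt):
    """Build an OpenSSH '|1|salt|hash' pattern: hash = HMAC-SHA1(salt, hostname)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(patterns, hostname):
    """True if hostname matches the comma-separated pattern list and no negated pattern hits."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if pat.startswith("|1|"):
            _, _, salt_b64, digest_b64 = pat.split("|")
            salt = base64.b64decode(salt_b64)
            mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            hit = hmac.compare_digest(mac, base64.b64decode(digest_b64))
        else:
            hit = fnmatchcase(hostname, pat)
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def verify_first_match(text, hostname, key_type, key_blob):
    """Behaviour the report describes: decide on the first line whose hostname matches."""
    for patterns, kt, blob in parse_known_hosts(text):
        if host_matches(patterns, hostname):
            return "ok" if (kt, blob) == (key_type, key_blob) else "mismatch"
    return "unknown"


def verify_all_entries(text, hostname, key_type, key_blob):
    """Check every entry for (hostname, key type).

    'ok' if any same-type entry holds the presented key; 'mismatch' only if the host
    is known with this key type but under a different key; 'unknown' otherwise.
    """
    seen_same_type = False
    for patterns, kt, blob in parse_known_hosts(text):
        if kt != key_type or not host_matches(patterns, hostname):
            continue
        if hmac.compare_digest(blob.encode(), key_blob.encode()):
            return "ok"
        seen_same_type = True
    return "mismatch" if seen_same_type else "unknown"


if __name__ == "__main__":
    args = (KNOWN_HOSTS, "lserver1", "ecdsa-sha2-nistp256", ECDSA_KEY)
    print("first-match verifier:", verify_first_match(*args))   # mismatch
    print("all-entries verifier:", verify_all_entries(*args))   # ok
```

The difference shows up exactly on the report's file: the first-match verifier stops at the ssh-dss line and reports a mismatch for the ECDSA key, while the all-entries verifier only reports a mismatch when an entry of the presented key type exists with a different key, which is the case that actually signals a changed host key.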


