You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/08 14:07:00 UTC
[jira] [Work logged] (SSHD-1264) different host key algorithm used on rekey than used for the initial connection
[ https://issues.apache.org/jira/browse/SSHD-1264?focusedWorklogId=767688&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-767688 ]
ASF GitHub Bot logged work on SSHD-1264:
----------------------------------------
Author: ASF GitHub Bot
Created on: 08/May/22 14:06
Start Date: 08/May/22 14:06
Worklog Time Spent: 10m
Work Description: tomaswolf merged PR #221:
URL: https://github.com/apache/mina-sshd/pull/221
Issue Time Tracking
-------------------
Worklog Id: (was: 767688)
Time Spent: 20m (was: 10m)
> different host key algorithm used on rekey than used for the initial connection
> -------------------------------------------------------------------------------
>
> Key: SSHD-1264
> URL: https://issues.apache.org/jira/browse/SSHD-1264
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.8.0
> Reporter: James Nord
> Assignee: Thomas Wolf
> Priority: Major
> Attachments: sshd_log.txt
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> when using mina as an ssh client to connect to an open ssh server the host key algorithm that is negotiated on the initial connection can have a different algorithm than the one used in a rekey.
> This causes an issue as connections can be terminated if the initial host key type is in the known hosts, (say ecdsa) but the subsequent on (rsa) is not.
> once connected the same host key algorithm should be used in any subsequent re-key events.
> (see log attached from SSHD)
> Note: this is easyish to see by setting opensshd server config `RekeyLimit default 10` which will cause a rekey after 10 seconds on a data event.
> e.g.
> {noformat}
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
> debug1: kex: host key algorithm: rsa-sha2-512 {noformat}
> shows the flop from an agreed exchange of {{ecdsa-sha2-nistp256}} to {{rsa-sha2-512}}
> the end result is that if the rsa key is not known then the connection is killed
> {{o.a.s.c.k.KnownHostsServerKeyVerifier#acceptModifiedServerKey: acceptModifiedServerKey(ClientSessionImpl[jenkins@localhost/127.0.0.1:22]) mismatched keys presented by localhost/127.0.0.1:22 for entry=localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNZDNvKiE7VBVWziZUlICIpIEMhVy0nL3y2hHYRQGMOaWWPajP86ucgwgeXAWmJOxr4bqMtC9tF0vC1W2l8wYPM=: expected=ecdsa-sha2-nistp256-SHA256:x5TMcz4T6ggPxxSbx6gfTzk8US6CLuxgmqXNXedu+6w, actual=ssh-rsa-SHA256:W60YQsFuMkHf0flHrJFR31lvyYm7Y6BkEMkqHUTOpZQ}}
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@mina.apache.org
For additional commands, e-mail: dev-help@mina.apache.org