[jira] [Commented] (SSHD-945) DSA 2048 public key authentication fails

Thu, 03 Oct 2019 01:04:25 -0700 


    [ 
https://issues.apache.org/jira/browse/SSHD-945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16943402#comment-16943402
 ] 

Thomas Wolf commented on SSHD-945:
----------------------------------

{quote}
org.apache.sshd.common.SshException: DefaultAuthFuture[ssh-connection]: Failed 
(InvalidKeyException) to execute: The security strength of SHA-1 digest 
algorithm is not sufficient for this key
{quote}

is exactly the problem pointed out in 
https://bugzilla.mindrot.org/show_bug.cgi?id=1647: SHA-1 is 160 bits and is 
mandated by RFC 4253, but for a DSA2048 key one would need a longer hash (224 
or 256bits).

Interestingly enough, OpenSSH does work with such keys (if DSA is enabled at 
all in client and server), and uses SHA256 (client log; OS X, OpenSSH_7.4p1, 
LibreSSL 2.5.0):
{code}
...
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /Users/thomas/.ssh/id_dsa_2048
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-dss blen 818
debug2: input_userauth_pk_ok: fp 
SHA256:usOY30m0OcvF44d+OK0TezJ9xfOoY0c6Fn1lzA+gQ6M
debug3: sign_and_send_pubkey: DSA 
SHA256:usOY30m0OcvF44d+OK0TezJ9xfOoY0c6Fn1lzA+gQ6M
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
...
{code}

See https://zonena.me/2014/02/using-2048-bit-dsa-keys-with-openssh/ for how to 
create a DSA 2048 bit key, and DSA must be enabled in both openSSH client and 
server ({{PubkeyAcceptedKeyTypes=+ssh-dss}} in the config files).

> DSA 2048 public key authentication fails
> ----------------------------------------
>
>                 Key: SSHD-945
>                 URL: https://issues.apache.org/jira/browse/SSHD-945
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Logan
>            Priority: Major
>         Attachments: DSAKeyTests.java
>
>
> While RSA 1024, 2048 and DSA 1024 keys succeed, DSA 2048 fails with error 
> trace listed below. I am trying to figure out if the issue is related to DSA 
> keys generated by JDK or apache SSHD. Attached is the test case. 
>  
> Tests with JSch API also fail with DSA 2048 keys.
>  
> Error trace:
> {code:java}
> org.apache.sshd.common.SshException: No more authentication methods 
> availableorg.apache.sshd.common.SshException: No more authentication methods 
> available at 
> org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:318)
>  at 
> org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:254)
>  at 
> org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:201)
>  at 
> org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:626)
>  at 
> org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:559)
>  at 
> org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1542)
>  at 
> org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:520)
>  at 
> org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:63)
>  at 
> org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:339)
>  at 
> org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:318)
>  at 
> org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:315)
>  at 
> org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
>  at java.security.AccessController.doPrivileged(Native Method) at 
> org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
>  at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126) at 
> sun.nio.ch.Invoker$2.run(Invoker.java:218) at 
> sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
>  at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748){code}
> [^DSAKeyTests.java]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to