[ https://issues.apache.org/jira/browse/SSHD-945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16943402#comment-16943402 ]
Thomas Wolf commented on SSHD-945:
----------------------------------

{quote}
org.apache.sshd.common.SshException: DefaultAuthFuture[ssh-connection]: Failed (InvalidKeyException) to execute: The security strength of SHA-1 digest algorithm is not sufficient for this key
{quote}

is exactly the problem pointed out in https://bugzilla.mindrot.org/show_bug.cgi?id=1647: SHA-1 is 160 bits and is mandated by RFC 4253, but for a DSA2048 key one would need a longer hash (224 or 256 bits).

Interestingly enough, OpenSSH does work with such keys (if DSA is enabled at all in client and server), and uses SHA256 (client log; OS X, OpenSSH_7.4p1, LibreSSL 2.5.0):

{code}
...
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /Users/thomas/.ssh/id_dsa_2048
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-dss blen 818
debug2: input_userauth_pk_ok: fp SHA256:usOY30m0OcvF44d+OK0TezJ9xfOoY0c6Fn1lzA+gQ6M
debug3: sign_and_send_pubkey: DSA SHA256:usOY30m0OcvF44d+OK0TezJ9xfOoY0c6Fn1lzA+gQ6M
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
...
{code}

See https://zonena.me/2014/02/using-2048-bit-dsa-keys-with-openssh/ for how to create a DSA 2048 bit key, and DSA must be enabled in both OpenSSH client and server ({{PubkeyAcceptedKeyTypes=+ssh-dss}} in the config files).

> DSA 2048 public key authentication fails
> ----------------------------------------
>
>                 Key: SSHD-945
>                 URL: https://issues.apache.org/jira/browse/SSHD-945
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Logan
>            Priority: Major
>         Attachments: DSAKeyTests.java
>
>
> While RSA 1024, 2048 and DSA 1024 keys succeed, DSA 2048 fails with error
> trace listed below. I am trying to figure out if the issue is related to DSA
> keys generated by JDK or apache SSHD. Attached is the test case.
>
> Tests with JSch API also fail with DSA 2048 keys.
>
> Error trace:
> {code:java}
> org.apache.sshd.common.SshException: No more authentication methods availableorg.apache.sshd.common.SshException: No more authentication methods available
>     at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:318)
>     at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:254)
>     at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:201)
>     at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:626)
>     at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:559)
>     at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1542)
>     at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:520)
>     at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:63)
>     at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:339)
>     at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:318)
>     at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:315)
>     at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
>     at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
>     at sun.nio.ch.Invoker$2.run(Invoker.java:218)
>     at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> {code}
> [^DSAKeyTests.java]