[
https://issues.apache.org/jira/browse/SSHD-945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16943455#comment-16943455
]
Thomas Wolf commented on SSHD-945:
----------------------------------
Sorry, I mis-interpreted that bit:
{quote}
{code:java}
debug2: input_userauth_pk_ok: fp
SHA256:usOY30m0OcvF44d+OK0TezJ9xfOoY0c6Fn1lzA+gQ6M
debug3: sign_and_send_pubkey: DSA
SHA256:usOY30m0OcvF44d+OK0TezJ9xfOoY0c6Fn1lzA+gQ6M
{code}
{quote}
This SHA256 is just the hash of the DSA key.
Running the test again with server-side logging and then looking at the code of
OpenSSH, it looks as if OpenSSH actually uses the DSA 2048 key but with a
160bit SHA1 signature hash. The server goes through
*
[userauth_pubkey|https://github.com/openssh/openssh-portable/blob/be02d7c/auth2-pubkey.c#L213]
*
[sshkey_verify|https://github.com/openssh/openssh-portable/blob/be02d7c/sshkey.c#L2662]
*
[ssh_dss_verify|https://github.com/openssh/openssh-portable/blob/be02d7c/ssh-dss.c#L120]
where SHA1 and 160bits are hardcoded.
So it uses something it shouldn't use at all.
sshd is in fact correct to complain that "the security strength of SHA-1 digest
algorithm is not sufficient for this key".
> DSA 2048 public key authentication fails
> ----------------------------------------
>
> Key: SSHD-945
> URL: https://issues.apache.org/jira/browse/SSHD-945
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.1.0
> Reporter: Logan
> Priority: Major
> Attachments: DSAKeyTests.java
>
>
> While RSA 1024, 2048 and DSA 1024 keys succeed, DSA 2048 fails with error
> trace listed below. I am trying to figure out if the issue is related to DSA
> keys generated by JDK or apache SSHD. Attached is the test case.
>
> Tests with JSch API also fail with DSA 2048 keys.
>
> Error trace:
> {code:java}
> org.apache.sshd.common.SshException: No more authentication methods
> availableorg.apache.sshd.common.SshException: No more authentication methods
> available at
> org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:318)
> at
> org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:254)
> at
> org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:201)
> at
> org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:626)
> at
> org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:559)
> at
> org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1542)
> at
> org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:520)
> at
> org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:63)
> at
> org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:339)
> at
> org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:318)
> at
> org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:315)
> at
> org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
> at java.security.AccessController.doPrivileged(Native Method) at
> org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
> at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126) at
> sun.nio.ch.Invoker$2.run(Invoker.java:218) at
> sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748){code}
> [^DSAKeyTests.java]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
