Ian Wienand created SSHD-1141:
---------------------------------
Summary: Implement server-sig-algs
Key: SSHD-1141
URL: https://issues.apache.org/jira/browse/SSHD-1141
Project: MINA SSHD
Issue Type: Improvement
Reporter: Ian Wienand
Mina sshd should implement server-sig-algs to report signature algorithms.
Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per
RFC8332
{quote}When authenticating with an RSA key against a server that does not
implement the "server-sig-algs" extension, clients MAY default to an "ssh-rsa"
signature to avoid authentication penalties.
{quote}
Some distributions, notably Fedora 33, have set default system policy to
disallow insecure algorithms such as ssh-rsa. For full details see discussion
in [SSHD-1118|https://issues.apache.org/jira/browse/SSHD-1118].
For example, connecting to a recent openssh server I see something like
{quote}debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>{quote}
I believe that Mina SSHD does support these more secure signature algorithms,
but because they aren't reported the client won't use them.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
