[jira] [Commented] (SSHD-1141) Implement server-sig-algs

Fri, 12 Mar 2021 00:07:21 -0800 


    [ 
https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17300130#comment-17300130
 ] 

Lyor Goldstein commented on SSHD-1141:
--------------------------------------

[~iwienand] I don't have an exact timeline for when we will get around to doing 
this, but I believe the current code already contains hooks put in place for 
KEX extension negotiation that you can probably use to implement this if you 
are willing to do so. This way we can kill 2 birds with 1 stone - you can get a 
solution for this issue faster and we can gain a contribution to the MINA SSHD 
code - something we encourage our users to do...

> Implement server-sig-algs
> -------------------------
>
>                 Key: SSHD-1141
>                 URL: https://issues.apache.org/jira/browse/SSHD-1141
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ian Wienand
>            Priority: Major
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per 
> RFC8332
> {quote}When authenticating with an RSA key against a server that does not 
> implement the "server-sig-algs" extension, clients MAY default to an 
> "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to 
> disallow insecure algorithms such as ssh-rsa.  They thus can not find a 
> suitable signature algorithm and fail to log in.  Quite a high level of 
> knowledge is required to override the default system cryptography policy, and 
> it can be quite confusing because the user's ssh-key works in many other 
> contexts (against openssh servers, etc.).  For full details see discussion in 
> SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: 
> server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, 
> but because they aren't reported the client won't use them.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to