[ https://issues.apache.org/jira/browse/SSHD-1142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303670#comment-17303670 ]

Lyor Goldstein edited comment on SSHD-1142 at 3/17/21, 7:10 PM:
----------------------------------------------------------------

yes and no - please note that there are +2+ MAC/cipher/compressions being 
negotiated - one for data from client to server and the other for the other way 
around. While you can influence one of them (depending on whether you are the 
client or the server), the other is chosen by the peer according to its 
preferences. I strongly recommend re-reading [RFC 4253 - section 7.1 - 
Algorithm Negotiation|https://tools.ietf.org/html/rfc4253#section-7.1]
{quote}
The chosen MAC algorithm MUST be the first algorithm on the client's name-list 
that is also on the server's name-list.
{quote}
Which means that even if you place MAC1 to be 1st on the server side, it might 
not be chosen if the client declares MAC2 to be its most preferred (assuming 
it is also on the server's list). This is because the +client+ ultimately 
chooses what to use out of the server's declared preferences/capabilities.
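The RFC 4253 section 7.1 rule quoted above, modelled in Python as an added example (not code from this thread or from MINA SSHD): both MAC directions are negotiated from constructed KEXINIT name-lists, and a server list with hmac-md5 promoted to first place only yields hmac-md5 when the client itself prefers it.

```python
# Added example (not code from the SSHD-1142 thread nor from MINA SSHD):
# a model of RFC 4253 section 7.1 name-list negotiation, showing why
# putting a MAC first on the server side does not guarantee it is chosen.

def parse_name_list(name_list: str) -> list[str]:
    """Split an RFC 4253 name-list (comma-separated, no spaces) into names."""
    return [n for n in name_list.split(",") if n]

def negotiate(client_names: str, server_names: str) -> str:
    """RFC 4253 7.1: the chosen algorithm MUST be the first on the client's
    name-list that is also on the server's name-list; none -> disconnect."""
    server_set = set(parse_name_list(server_names))
    for name in parse_name_list(client_names):
        if name in server_set:
            return name
    raise ValueError("no common algorithm; peers must disconnect "
                     "(SSH_DISCONNECT_KEY_EXCHANGE_FAILED)")

def negotiate_macs(client_kexinit: dict, server_kexinit: dict) -> dict:
    """Negotiate both MAC directions from the two peers' KEXINIT name-lists.
    In both directions the client's order decides; the server's order only
    determines which names it advertises."""
    result = {}
    for field in ("mac_algorithms_client_to_server",
                  "mac_algorithms_server_to_client"):
        result[field] = negotiate(client_kexinit[field], server_kexinit[field])
    return result

def prefer_first(names: list[str], preferred: str) -> list[str]:
    """Move `preferred` to the front of an existing order, keeping the rest."""
    if preferred not in names:
        raise ValueError(f"{preferred} is not in the name list")
    return [preferred] + [n for n in names if n != preferred]

# Constructed sample lists (not the MINA SSHD defaults). The server promotes
# hmac-md5 to first place, as the reporter wants to do.
SERVER_MACS = prefer_first(
    ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"], "hmac-md5")

def negotiate_with_client(client_macs: list[str]) -> dict:
    """Run both directions for a client that advertises `client_macs`."""
    c = ",".join(client_macs)
    s = ",".join(SERVER_MACS)
    kex_c = {"mac_algorithms_client_to_server": c, "mac_algorithms_server_to_client": c}
    kex_s = {"mac_algorithms_client_to_server": s, "mac_algorithms_server_to_client": s}
    return negotiate_macs(kex_c, kex_s)
```

A client advertising `["hmac-sha2-256", "hmac-md5"]` gets hmac-sha2-256 in both directions despite the server's order; only a client advertising hmac-md5 first gets hmac-md5.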


was (Author: lgoldstein):
yes and no - please note that there are +2+ MAC/cipher/compressions being 
negotiated - one for data from client to server and the other for the other way 
around. While you can influence one of them (depending on whether you are the 
client or the server), the other is chosen by the peer according to its 
preferences. I strongly recommend re-reading [RFC 4253 - section 7.1 - 
Algorithm Negotiation|https://tools.ietf.org/html/rfc4253#section-7.1]

> To pick up Mac/Cipher preferred values out of the default list
> --------------------------------------------------------------
>
>                 Key: SSHD-1142
>                 URL: https://issues.apache.org/jira/browse/SSHD-1142
>             Project: MINA SSHD
>          Issue Type: Question
>            Reporter: Susmit Sarkar
>            Priority: Blocker
>
> Hello Lyor,
> I want to use a preferred value while configuring sftp adapter for both 
> cipher and mac algos:
> System.out.println(sshd.getMacFactories());
> [[email protected], [email protected], 
> [email protected], hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-md5, 
> hmac-sha1-96, hmac-md5-96]
> Now if the customer wants a preferred value of *hmac-md5* how can I give it 
> priority compared to all other default ciphers?
> sshd.setMacFactoriesNames(Arrays.asList("hmac-md5"));
> This only sets it to hmac-md5, but the list should contain all of them; only 
> hmac-md5 will be at priority order 1
> *[ hmac-md5]*
> [https://github.com/apache/mina-sshd/blob/master/docs/server-setup.md#configuring-ciphers-macs-digest]
> *One can configure other security components using built-in factories the 
> same way. It is important to remember though that the order of the factories 
> is important as it affects the key exchange phase where the client and server 
> decide what options to use out of each peer's reported preferences.*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
