[
https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17305201#comment-17305201
]
Thomas Wolf commented on SSHD-1141:
-----------------------------------
This is actually implemented for the client side in
{{DefaultClientKexExtensionHandler}}. If set via
{{client.setKexExtensionHandler()}}, it should do something. But I don't think
it does the right thing.
It does:
# Delay the KEX_INIT until the server-side KEX_INIT has been received.
# Add the client's ext-info-c only if the server sent his ext-info-s.
# On reception of server-sig-algs, update the client's PubkeyAcceptedAlgorithms
for this session in ways I didn't analyze.
(1) is necessary only because of (2), but (2) is not what RFC 8308 says. Both
sides can just add their ext-info-c or ext-info-s, it means "I want to receive
your SSH_MSG_EXT_INFO if you have any". So a client may send ext-info-c to tell
the server it's prepared to deal with SSH_MSG_EXT_INFO even if the server
doesn't care about clients sending that message and thus never sends
ext-info-s. So (1) also would not be necessary.
When connecting to github.com, an sshd client even with
{{DefaultClientKexExtensionHandler}} set never sends ext-info-c and thus never
gets server-sig-algs. So (1) and (2) appear to be wrong.
What basically should happen in (3) and a pubkey auth afterwards is that the
algorithms chosen for a key (in the client-defined order) get re-arranged such
that algorithms announced via server-sig-algs come before unannounced
algorithms, both still in client order. Don't know if the existing code would
do that; it's too complex for me.
> Implement server-sig-algs
> -------------------------
>
> Key: SSHD-1141
> URL: https://issues.apache.org/jira/browse/SSHD-1141
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Ian Wienand
> Priority: Major
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per
> RFC8332
> {quote}When authenticating with an RSA key against a server that does not
> implement the "server-sig-algs" extension, clients MAY default to an
> "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to
> disallow insecure algorithms such as ssh-rsa. They thus can not find a
> suitable signature algorithm and fail to log in. Quite a high level of
> knowledge is required to override the default system cryptography policy, and
> it can be quite confusing because the user's ssh-key works in many other
> contexts (against openssh servers, etc.). For full details see discussion in
> SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info:
> server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms,
> but because they aren't reported the client won't use them.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
