[ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17305364#comment-17305364 ]
Lyor Goldstein commented on SSHD-1141: -------------------------------------- Agree - this is clearly stated in RFC 8308 {quote} Neither party needs to wait for the other's SSH_MSG_KEXINIT in order to decide whether to send the appropriate indicator in its own SSH_MSG_KEXINIT. {quote} > Implement server-sig-algs > ------------------------- > > Key: SSHD-1141 > URL: https://issues.apache.org/jira/browse/SSHD-1141 > Project: MINA SSHD > Issue Type: Improvement > Reporter: Ian Wienand > Priority: Major > > Mina sshd should implement server-sig-algs to report signature algorithms. > Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per > RFC8332 > {quote}When authenticating with an RSA key against a server that does not > implement the "server-sig-algs" extension, clients MAY default to an > "ssh-rsa" signature to avoid authentication penalties. > {quote} > Some distributions, notably Fedora 33, have set default system policy to > disallow insecure algorithms such as ssh-rsa. They thus can not find a > suitable signature algorithm and fail to log in. Quite a high level of > knowledge is required to override the default system cryptography policy, and > it can be quite confusing because the user's ssh-key works in many other > contexts (against openssh servers, etc.). For full details see discussion in > SSHD-1118. > For example, connecting to a recent openssh server I see something like > {quote}debug1: kex_input_ext_info: > server-sig-algs=<ssh-ed25519,sk-ssh-ed25...@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com> > {quote} > I believe that Mina SSHD does support these more secure signature algorithms, > but because they aren't reported the client won't use them. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org