[ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306891#comment-17306891 ]
Lyor Goldstein commented on SSHD-1141: -------------------------------------- {quote} It doesn't matter if the server returns a different algorithm (as long as it returns the same key). {quote} And that it has used SHA-2... - I agree with your assessment... > Implement server-sig-algs > ------------------------- > > Key: SSHD-1141 > URL: https://issues.apache.org/jira/browse/SSHD-1141 > Project: MINA SSHD > Issue Type: Improvement > Reporter: Ian Wienand > Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > Mina sshd should implement server-sig-algs to report signature algorithms. > Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per > RFC8332 > {quote}When authenticating with an RSA key against a server that does not > implement the "server-sig-algs" extension, clients MAY default to an > "ssh-rsa" signature to avoid authentication penalties. > {quote} > Some distributions, notably Fedora 33, have set default system policy to > disallow insecure algorithms such as ssh-rsa. They thus can not find a > suitable signature algorithm and fail to log in. Quite a high level of > knowledge is required to override the default system cryptography policy, and > it can be quite confusing because the user's ssh-key works in many other > contexts (against openssh servers, etc.). For full details see discussion in > SSHD-1118. > For example, connecting to a recent openssh server I see something like > {quote}debug1: kex_input_ext_info: > server-sig-algs=<ssh-ed25519,sk-ssh-ed25...@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com> > {quote} > I believe that Mina SSHD does support these more secure signature algorithms, > but because they aren't reported the client won't use them. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org