[ https://issues.apache.org/jira/browse/SSHD-1141?focusedWorklogId=570613&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-570613 ]

ASF GitHub Bot logged work on SSHD-1141:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 23/Mar/21 16:19
            Start Date: 23/Mar/21 16:19
    Worklog Time Spent: 10m 
      Work Description: lgoldstein commented on a change in pull request #184:
URL: https://github.com/apache/mina-sshd/pull/184#discussion_r599724723



##########
File path: 
sshd-core/src/main/java/org/apache/sshd/common/kex/extension/DefaultClientKexExtensionHandler.java
##########
@@ -52,247 +43,111 @@
  * session by adding the <A 
HREF="https://tools.ietf.org/html/rfc8332";>&quot;rsa-sha2-256/512&quot;</A> 
signature
  * factories (if not already added).
  *
- * <B>Note:</B> experimental - used for development purposes and as an example
- *
  * @author <a href="mailto:[email protected]";>Apache MINA SSHD Project</a>
  */
 public class DefaultClientKexExtensionHandler extends AbstractLoggingBean 
implements KexExtensionHandler {
-    /**
-     * Session {@link AttributeKey} used to store the client's proposal
-     */
-    public static final AttributeKey<Map<KexProposalOption, String>> 
CLIENT_PROPOSAL_KEY = new AttributeKey<>();
+
+    /** Default singleton instance. */
+    public static final DefaultClientKexExtensionHandler INSTANCE = new 
DefaultClientKexExtensionHandler();
 
     /**
-     * Session {@link AttributeKey} used to store the server's proposal
+     * Session {@link AttributeKey} used to store whether the extension 
indicator was already sent.
      */
-    public static final AttributeKey<Map<KexProposalOption, String>> 
SERVER_PROPOSAL_KEY = new AttributeKey<>();
-
-    public static final NavigableSet<String> DEFAULT_EXTRA_SIGNATURES = 
Collections.unmodifiableNavigableSet(
-            GenericUtils.asSortedSet(String.CASE_INSENSITIVE_ORDER,
-                    KeyUtils.RSA_SHA256_KEY_TYPE_ALIAS,
-                    KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS));
-
-    public static final DefaultClientKexExtensionHandler INSTANCE = new 
DefaultClientKexExtensionHandler();
+    private static final AttributeKey<Boolean> CLIENT_PROPOSAL_MADE = new 
AttributeKey<>();
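Review bot: Dropping the public CLIENT_PROPOSAL_KEY, SERVER_PROPOSAL_KEY and DEFAULT_EXTRA_SIGNATURES constants is a source-incompatible change for any caller that referenced them, and the same hunk removes the "experimental - used for development purposes" note from the class Javadoc, so the class is now presented as stable while its public surface shrinks; either keep the old constants as @Deprecated aliases for one release or call the removal out explicitly in the change notes. A second, smaller point: the Javadoc of the new key ("whether the extension indicator was already sent") does not match its name CLIENT_PROPOSAL_MADE; rename it to something like EXT_INFO_INDICATOR_SENT or reword the comment so the two agree.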

Review comment:
       >> I'm waiting for the organizational invite
   
   Note that the _master_ I am speaking about is not the _GitHub_ one but 
rather the ASF one. GitHub is only a **mirror** of the ASF one - we never push 
to GitHub...




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 570613)
    Time Spent: 1h 50m  (was: 1h 40m)

> Implement server-sig-algs
> -------------------------
>
>                 Key: SSHD-1141
>                 URL: https://issues.apache.org/jira/browse/SSHD-1141
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ian Wienand
>            Priority: Major
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per 
> RFC8332
> {quote}When authenticating with an RSA key against a server that does not 
> implement the "server-sig-algs" extension, clients MAY default to an 
> "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to 
> disallow insecure algorithms such as ssh-rsa.  They thus cannot find a 
> suitable signature algorithm and fail to log in.  Quite a high level of 
> knowledge is required to override the default system cryptography policy, and 
> it can be quite confusing because the user's ssh-key works in many other 
> contexts (against openssh servers, etc.).  For full details see discussion in 
> SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: 
> server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, 
> but because they aren't reported the client won't use them.
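The client-side behaviour the issue description relies on, shown as an added example that is not part of the issue, of MINA SSHD or of OpenSSH: a client with an RSA user key picks the strongest RSA signature algorithm the server advertised in "server-sig-algs" (rsa-sha2-512, then rsa-sha2-256, then ssh-rsa), and, when the server sent no such extension, defaults to ssh-rsa as RFC 8332 permits; under a system policy that forbids ssh-rsa that default leaves nothing usable, which is the failed login the reporter describes. The function names, the two policy stand-ins and the sample extension value are constructed for this example.

```python
"""Client-side handling of the "server-sig-algs" extension (RFC 8332, section 3.3).

Added illustration, not MINA SSHD or OpenSSH code; the function names, the
policy stand-ins and the sample extension value are constructed for it.
"""
from typing import Callable, List, Optional

# RSA signature algorithm names defined by RFC 8332, strongest preference first.
RSA_SHA2_ALGS = ("rsa-sha2-512", "rsa-sha2-256")
LEGACY_RSA = "ssh-rsa"  # SHA-1 based; rejected by strict system crypto policies


def parse_server_sig_algs(ext_value: str) -> List[str]:
    """Split the name-list carried in SSH_MSG_EXT_INFO into algorithm names.

    The angle brackets are not part of the wire format; OpenSSH's debug
    output wraps the list in them, so they are tolerated here.
    """
    value = ext_value.strip()
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1]
    return [name for name in value.split(",") if name]


def choose_rsa_signature_alg(
    server_sig_algs: Optional[List[str]],
    policy_allows: Callable[[str], bool],
) -> Optional[str]:
    """Pick the algorithm a client signs its RSA user key with.

    server_sig_algs: names advertised by the server, or None when the server
        sent no "server-sig-algs" extension at all.
    policy_allows:   local crypto-policy check applied to each candidate.
    Returns None when nothing acceptable remains (the login would fail).
    """
    if server_sig_algs is None:
        # RFC 8332 3.3: with no extension, clients MAY default to ssh-rsa.
        candidates = [LEGACY_RSA]
    else:
        advertised = set(server_sig_algs)
        candidates = [a for a in (*RSA_SHA2_ALGS, LEGACY_RSA) if a in advertised]
    for alg in candidates:
        if policy_allows(alg):
            return alg
    return None


def strict_policy(alg: str) -> bool:
    """Constructed stand-in for a system policy that forbids SHA-1 (ssh-rsa)."""
    return alg != LEGACY_RSA


def permissive_policy(alg: str) -> bool:
    """Constructed stand-in for a policy that still accepts ssh-rsa."""
    return True


# Constructed sample of the kind of value OpenSSH prints as
# "debug1: kex_input_ext_info: server-sig-algs=<...>".
SAMPLE_EXT_INFO = "<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256>"


def login_outcomes() -> dict:
    """Compare the situations the issue describes; None means the login fails."""
    advertised = parse_server_sig_algs(SAMPLE_EXT_INFO)
    return {
        "server advertises, strict client": choose_rsa_signature_alg(advertised, strict_policy),
        "no extension, strict client": choose_rsa_signature_alg(None, strict_policy),
        "no extension, permissive client": choose_rsa_signature_alg(None, permissive_policy),
    }


if __name__ == "__main__":
    for scenario, alg in login_outcomes().items():
        print(f"{scenario}: {alg or 'no usable signature algorithm -> login fails'}")
```

The middle scenario is the one the reporter hits: the server is perfectly capable of verifying rsa-sha2-256/512 signatures, but because it never advertises them the client has no basis to try them, and a policy that refuses ssh-rsa is left with an empty candidate list.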



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
