Ben Humphreys created SSHD-1216: ----------------------------------- Summary: Implement RFC 8332 server-sig-algs on the server Key: SSHD-1216 URL: https://issues.apache.org/jira/browse/SSHD-1216 Project: MINA SSHD Issue Type: Improvement Reporter: Ben Humphreys
In the recently released OpenSSH 8.8 "ssh-rsa" the public key signature algorithm that depends on SHA-1 has been disabled by default: {quote} This release disables RSA signatures using the SHA-1 hash algorithm 2by default. This change has been made as the SHA-1 hash algorithm is 3cryptographically broken, and it is possible to create chosen-prefix 4hash collisions for <USD$50K [1] {quote} As a result OpenSSH 8.8 clients are unable to authenticate with Mina SSHD servers with RSA based keys. OpenSSH since 7.2 does however support RFC 8332 RSA/SHA-256/512 signatures. It appears Mina SSHD partly implements support for RFC 8332, indeed the client appears to support it (see SSHD-1141). However the server appears to lack full support because it doesn't full implement the"server-sig-algs" extension. The basic framework for supporting this seems to be present, specifically `AbstractKexFactoryManager.setKexExtensionHandler()` could perhaps permit such aserver-sig-algs extension. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org