[ https://issues.apache.org/jira/browse/SSHD-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17429500#comment-17429500 ]
Thomas Wolf commented on SSHD-1216: ----------------------------------- See [PR 204|https://github.com/apache/mina-sshd/pull/204]. > Implement RFC 8332 server-sig-algs on the server > ------------------------------------------------ > > Key: SSHD-1216 > URL: https://issues.apache.org/jira/browse/SSHD-1216 > Project: MINA SSHD > Issue Type: Improvement > Reporter: Ben Humphreys > Assignee: Thomas Wolf > Priority: Major > > In the recently released [OpenSSH > 8.8|https://www.openssh.com/txt/release-8.8] for RSA keys the public key > signature algorithm that depends on SHA-1 has been disabled by default: > {quote}This release disables RSA signatures using the SHA-1 hash algorithm > 2by default. This change has been made as the SHA-1 hash algorithm is > cryptographically broken, and it is possible to create chosen-prefix 4hash > collisions for <USD$50K [1] > {quote} > As a result OpenSSH 8.8 clients are unable to authenticate with Mina SSHD > servers with RSA based keys (it is however possible to reenable ssh-rsa). > OpenSSH since 7.2 does however support RFC 8332 RSA/SHA-256/512 signatures, > indeed the release notes go on to say: > {quote} > For most users, this change should be invisible and there is no need to > replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 > signatures since release 7.2 and existing ssh-rsa keys will automatically use > the stronger algorithm where possible. > {quote} > It appears Mina SSHD partly implements support for RFC 8332, indeed the > client code appears to support it (see SSHD-1141). However the server appears > to lack full support because it doesn't full implement the"server-sig-algs" > extension. > The basic framework for supporting this seems to be present, specifically > {{AbstractKexFactoryManager.setKexExtensionHandler()}} could perhaps permit > such a "server-sig-algs" extension. > -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org