[
https://issues.apache.org/jira/browse/SSHD-1216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17435233#comment-17435233
]
Thomas Wolf commented on SSHD-1216:
-----------------------------------
Hi [~lucamilanesio] !
As mentioned above, it all can be done today already in client code. Just do
what I did in commit: implement a
[KexExtensionHandler|https://github.com/apache/mina-sshd/commit/2e5cf6f354a3005604f6754921a4f95c47adb81b#diff-3b54002a607b4d20a231a25b8f533317520b89114d308f75195c1ff9a959b123]
and register it. Gerrit doesn't really depend on a new release to get this.
(Gerrit might depend on it for getting the fix for SSHD-1197, which is related
to *Gerrit [bug
12758|https://bugs.chromium.org/p/gerrit/issues/detail?id=12758]*.)
{quote}
Any idea of when the v2.7.1 will be released?
{quote}
2.7.1 is just the moniker this project uses for "current master". I suppose the
next actually released version will be *2.8.0*. I don't know when that will
happen. [~gnodet], what's the plan?
{quote}
It would be great to have the fix included in the next forthcoming Gerrit v3.5
which is due by end of November.
{quote}
Luca, as you know very well, using 2.8.0 in Gerrit is not a piece of cake
because this Apache MINA sshd project unfortunately breaks API between minor
releases regularly. So, in addition to the normal Apache release process this
means
# JGit has to be adapted to 2.8.0. Most likely that'll be done by yours truly,
but David can do it, too.
# Gerrit code has to be adapted to 2.8.0. Typically David does that; I cannot.
# Apache MINA sshd stages a release candidate repo
## JGit builds runs its test suite with this release candidate.
## Gerrit builds and runs its test suite with this release candidate.
## If either uncovers serious problems, report problems (-1 the release), once
fixed back to (3) or possibly even back to (1)
## Other people or downstream projects might do the same; if they discover
serious problems, fix and back to (3) or possibly even back to (1)
# Apache MINA sshd publishes release to Maven Central
# JGit & Gerrit consume it from there
Actually, I think I should start with (1) already, so that David can do (2), so
that the Gerrit project can run the Gerrit tests when Apache MINA sshd stages a
release candidate for 2.8.0. (I've taken the habit of running the JGit tests
before Apache MINA releases, and asking David to do the same for Gerrit -- we
need to catch regressions before Apache MINA sshd releases.)
At least Gerrit builds JGit itself and doesn't depend anymore on the JGit
release schedule, which is tied to the Eclipse quarterly releases. For JGit,
there's more to be done; we have to get Apache MINA sshd 2.8.0 into Eclipse
Orbit before JGit can officially consume it. Getting it into Orbit involves
getting approval from the Eclipse legal team, which may take time.
JGit's next release will be 6.0 on December 8, 2021. The JGit release itself
has to be ready at least a week earlier, so also end of November. Not sure we
can get all these steps done in that time frame.
> Implement RFC 8332 server-sig-algs on the server
> ------------------------------------------------
>
> Key: SSHD-1216
> URL: https://issues.apache.org/jira/browse/SSHD-1216
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Ben Humphreys
> Assignee: Thomas Wolf
> Priority: Major
> Fix For: 2.7.1
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> In the recently released [OpenSSH
> 8.8|https://www.openssh.com/txt/release-8.8] for RSA keys the public key
> signature algorithm that depends on SHA-1 has been disabled by default:
> {quote}This release disables RSA signatures using the SHA-1 hash algorithm
> by default. This change has been made as the SHA-1 hash algorithm is
> cryptographically broken, and it is possible to create chosen-prefix hash
> collisions for <USD$50K [1]
> {quote}
> As a result OpenSSH 8.8 clients are unable to authenticate with Mina SSHD
> servers with RSA based keys (it is however possible to reenable ssh-rsa).
> OpenSSH since 7.2 does however support RFC 8332 RSA/SHA-256/512 signatures,
> indeed the release notes go on to say:
> {quote}
> For most users, this change should be invisible and there is no need to
> replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512
> signatures since release 7.2 and existing ssh-rsa keys will automatically use
> the stronger algorithm where possible.
> {quote}
> It appears Mina SSHD partly implements support for RFC 8332, indeed the
> client code appears to support it (see SSHD-1141). However the server appears
> to lack full support because it doesn't fully implement the "server-sig-algs"
> extension.
> The basic framework for supporting this seems to be present, specifically
> {{AbstractKexFactoryManager.setKexExtensionHandler()}} could perhaps permit
> such a "server-sig-algs" extension.
>
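To make the negotiation described in the issue concrete, here is an added example (not code from the MINA SSHD project or from any commenter) that encodes and decodes an SSH_MSG_EXT_INFO payload per RFC 8308 and applies the RFC 8332 client-side rule for picking an RSA signature algorithm. The set of algorithms accepted by the "OpenSSH 8.8" client is a constructed stand-in for its default of rejecting ssh-rsa; the function and variable names are this example's own.

```python
import struct

SSH_MSG_EXT_INFO = 7  # RFC 8308 message number


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, offset: int):
    """Decode one SSH 'string' at offset; returns (bytes, new_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[start:start + length], start + length


def build_ext_info(extensions: dict) -> bytes:
    """Encode an SSH_MSG_EXT_INFO payload (RFC 8308 section 2.3)."""
    body = struct.pack(">BI", SSH_MSG_EXT_INFO, len(extensions))
    for name, value in extensions.items():
        body += _ssh_string(name.encode()) + _ssh_string(value.encode())
    return body


def parse_ext_info(payload: bytes) -> dict:
    """Decode an SSH_MSG_EXT_INFO payload into {extension-name: value}."""
    if not payload or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack(">I", payload[1:5])
    offset, exts = 5, {}
    for _ in range(count):
        name, offset = _read_string(payload, offset)
        value, offset = _read_string(payload, offset)
        exts[name.decode()] = value.decode()
    return exts


def choose_rsa_sig_alg(server_exts: dict, client_accepted: set):
    """RFC 8332 client choice for an RSA key: prefer rsa-sha2-512/256 when the
    server advertised them in server-sig-algs; otherwise only legacy ssh-rsa
    is known to work, and the client may refuse to use it."""
    if "server-sig-algs" in server_exts:
        server_algs = set(server_exts["server-sig-algs"].split(","))
    else:
        server_algs = {"ssh-rsa"}  # no extension: the case the issue describes
    for alg in ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"):
        if alg in server_algs and alg in client_accepted:
            return alg
    return None  # no usable algorithm: publickey auth with this key fails


def demo():
    """Constructed exchange: a server that sends server-sig-algs vs one that
    does not, seen by a client that rejects ssh-rsa (OpenSSH 8.8 default)."""
    ext_info = build_ext_info({"server-sig-algs": "rsa-sha2-512,rsa-sha2-256,ssh-rsa"})
    client = {"rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"}
    return choose_rsa_sig_alg(parse_ext_info(ext_info), client), choose_rsa_sig_alg({}, client)
```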
--
This message was sent by Atlassian Jira
(v8.3.4#803005)