[ https://issues.apache.org/jira/browse/SSHD-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462467#comment-17462467 ]

Thomas Wolf commented on SSHD-1141:
-----------------------------------

{quote}I've reported this at Github Support; they've acknowledged it's a bug in 
their SSH, and they'll fix it.{quote}

This appears to be fixed on the Github side as of SSH-2.0-babeld-17a926d7.

> Implement server-sig-algs
> -------------------------
>
>                 Key: SSHD-1141
>                 URL: https://issues.apache.org/jira/browse/SSHD-1141
>             Project: MINA SSHD
>          Issue Type: Improvement
>            Reporter: Ian Wienand
>            Assignee: Thomas Wolf
>            Priority: Major
>             Fix For: 2.7.0
>
>          Time Spent: 5h
>  Remaining Estimate: 0h
>
> Mina sshd should implement server-sig-algs to report signature algorithms.
> Without the daemon sending server-sig-algs, clients fall back to ssh-rsa per 
> RFC 8332:
> {quote}When authenticating with an RSA key against a server that does not 
> implement the "server-sig-algs" extension, clients MAY default to an 
> "ssh-rsa" signature to avoid authentication penalties.
> {quote}
> Some distributions, notably Fedora 33, have set default system policy to 
> disallow insecure algorithms such as ssh-rsa.  They thus can not find a 
> suitable signature algorithm and fail to log in.  Quite a high level of 
> knowledge is required to override the default system cryptography policy, and 
> it can be quite confusing because the user's ssh-key works in many other 
> contexts (against openssh servers, etc.).  For full details see discussion in 
> SSHD-1118.
> For example, connecting to a recent openssh server I see something like
> {quote}debug1: kex_input_ext_info: 
> server-sig-algs=<ssh-ed25519,sk-ssh-ed25...@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com>
> {quote}
> I believe that Mina SSHD does support these more secure signature algorithms, 
> but because they aren't reported the client won't use them.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
