[
https://issues.apache.org/jira/browse/SSHD-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Klaus Nguetsa updated SSHD-1259:
--------------------------------
Description:
Hello everyone,
Assuming I have the following known_hosts file containing twice the public key
of the same host but with different algorithms.:
{code:java}
lserver1 ssh-dss
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#
lserver1 ecdsa-sha2-nistp256
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code}
During the connection when I use DefaultKnownHostsServerKeyVerifier to verify
the keys, if the target host presents a ecdsa-sha2-nistp256 key, the
verification will fail because DefaultKnownHostsServerKeyVerifier seems to
match to the first occurence of the hostname in the know_host file. Therefore
It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison to
the same key but with ecdsa-sha2-nistp256 algorithm presented by the target
host will fail. Shouldn't it iterate through the file until the right
combination (hostname, algorithm) is found? This way it could check with
lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
This works fine with openssh.
Thanks
was:
Hello everyone,
Assuming I have the following know_hosts file containing twice the public key
of the same host but with different algorithms.:
{code:java}
lserver1 ssh-dss
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#
lserver1 ecdsa-sha2-nistp256
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code}
During the connection when I use DefaultKnownHostsServerKeyVerifier to verify
the keys, if the target host presents a ecdsa-sha2-nistp256 key, the
verification will fail because DefaultKnownHostsServerKeyVerifier seems to
match to the first occurence of the hostname in the know_host file. Therefore
It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison to
the same key but with ecdsa-sha2-nistp256 algorithm presented by the target
host will fail. Shouldn't it iterate through the file until the right
combination (hostname, algorithm) is found? This way it could check with
lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
This works fine with openssh.
Thanks
> DefaultKnownHostsServerKeyVerifier not checking all Key algorithms
> ------------------------------------------------------------------
>
> Key: SSHD-1259
> URL: https://issues.apache.org/jira/browse/SSHD-1259
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.8.0
> Reporter: Klaus Nguetsa
> Priority: Major
>
> Hello everyone,
> Assuming I have the following known_hosts file containing twice the public
> key of the same host but with different algorithms.:
>
> {code:java}
> lserver1 ssh-dss
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> lserver1 ecdsa-sha2-nistp256
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code}
>
>
> During the connection when I use DefaultKnownHostsServerKeyVerifier to
> verify the keys, if the target host presents a ecdsa-sha2-nistp256 key, the
> verification will fail because DefaultKnownHostsServerKeyVerifier seems to
> match to the first occurence of the hostname in the know_host file. Therefore
> It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison
> to the same key but with ecdsa-sha2-nistp256 algorithm presented by the
> target host will fail. Shouldn't it iterate through the file until the right
> combination (hostname, algorithm) is found? This way it could check with
> lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
> This works fine with openssh.
> Thanks
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
