[jira] [Created] (SSHD-1331) SSH Algorithm negotiation

Thu, 22 Jun 2023 04:54:07 -0700 

Pavel Pohner created SSHD-1331:
----------------------------------

             Summary: SSH Algorithm negotiation 
                 Key: SSHD-1331
                 URL: https://issues.apache.org/jira/browse/SSHD-1331
             Project: MINA SSHD
          Issue Type: Question
    Affects Versions: 2.9.2
            Reporter: Pavel Pohner


Hello,

I'm facing a weird issue with SSH signature algorithm negotiation:

Signature algorithms for RSA are sorted like this in my implementation:

 
{code:java}
List<BuiltinSignatures> RSA_SIGNATURES = List.of(
      BuiltinSignatures.rsa,
      BuiltinSignatures.rsaSHA512_cert,
      BuiltinSignatures.rsaSHA256_cert,
      BuiltinSignatures.rsaSHA512,
      BuiltinSignatures.rsaSHA256 {code}
when establishing connection with server that offers following lists of 
algorithms, the connection is established without any issue:

 

 
{code:java}
ssh-rsa
rsa-sha2-512
rsa-sha2-256 {code}
but, when server with list of algorithms in following order is encountered:
{code:java}
rsa-sha2-512
rsa-sha2-256
ssh-rsa {code}
the connection fails with following exception:  *KeyExchange signature 
verification failed for key type=ssh-rsa*

Based on SSH RFC my current understanding is, that in the second scenario, 
algorithm guessing happens, where my implementation (client), guesses the 
*ssh-rsa* algorithm, meanwhile the server guesses the {*}rsa-sha2-512{*}, in 
that case the guess is not successful and there's defined algorithm that must 
be followed (basically, client iterating over the common list of algorithms 
until finding the correct match) - 
[https://datatracker.ietf.org/doc/html/rfc4253#section-7.1]

This seems to not be the case though as the exception says that the signature 
verification failed for *ssh-rsa,* I would expect the implementation to iterate 
to the {*}{*}{*}rsa-sha2-512{*} and match the server's guessed algorithm.


How is this handled in Mina SSHD implementation? Is this something I can 
override/handle in my own implementation? Can someone point me in the right 
direction please?

 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to