[
https://issues.apache.org/jira/browse/SSHD-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Thomas Wolf updated SSHD-1259:
------------------------------
Fix Version/s: 2.11.0
> DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in
> known_hosts
> -----------------------------------------------------------------------------------------
>
> Key: SSHD-1259
> URL: https://issues.apache.org/jira/browse/SSHD-1259
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.8.0
> Reporter: Klaus Nguetsa
> Priority: Major
> Fix For: 2.10.1, 2.11.0
>
>
> Hello everyone,
> Assuming I have the following known_hosts file containing twice the public
> key of the same host but with different algorithms.:
>
> {code:java}
> lserver1 ssh-dss
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> lserver1 ecdsa-sha2-nistp256
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code}
>
>
> During the connection when I use DefaultKnownHostsServerKeyVerifier to
> verify the keys, if the target host presents a ecdsa-sha2-nistp256 key, the
> verification will fail because DefaultKnownHostsServerKeyVerifier seems to
> match to the first occurence of the hostname in the know_host file. Therefore
> It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison
> to the same key but with ecdsa-sha2-nistp256 algorithm presented by the
> target host will fail. Shouldn't it iterate through the file until the right
> combination (hostname, algorithm) is found? This way it could check with
> lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
> This works fine with openssh.
> Thanks
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
