zhyde2010 opened a new issue, #514:
URL: https://github.com/apache/mina-sshd/issues/514

   ### Version
   
   2.10.0
   
   ### Bug description
   
   We use this software. We have high requirements on algorithm security and have specially adjusted the algorithms. Actually, we find that "key-strict-c-...@openssh.com" is added after the selected algorithms by default. We think we've developed the algorithm, so we don't want it to be added for us.
   
   ### Actual behavior
   
   No matter how we set the key exchange algorithm, key-strict-c-...@openssh.com is appended at the end.
   
   ### Expected behavior
   
   Do not automatically add key-strict-c-...@openssh.com, or leave it to the user's choice whether to add key-strict-c-...@openssh.com.
   
   ### Relevant log output
   
   ```java
   // mina-sshd/sshd-common/src/main/java/org/apache/sshd/common/kex/extension/KexExtensions.java
   public static final String STRICT_KEX_CLIENT_EXTENSION = "kex-strict-c-...@openssh.com";
   public static final String STRICT_KEX_SERVER_EXTENSION = "kex-strict-s-...@openssh.com";

   // sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
   @Override
   protected String resolveSessionKexProposal(String hostKeyTypes) throws IOException {
       String proposal = super.resolveSessionKexProposal(hostKeyTypes);
       // see https://tools.ietf.org/html/rfc8308
       KexExtensionHandler extHandler = getKexExtensionHandler();
       if ((extHandler == null)
               || (!extHandler.isKexExtensionsAvailable(this, AvailabilityPhase.PROPOSAL))) {
           return proposal;
       }

       // Append the extension marker after the configured KEX algorithms
       String extType = isServerSession()
               ? KexExtensions.SERVER_KEX_EXTENSION : KexExtensions.CLIENT_KEX_EXTENSION;
       if (GenericUtils.isEmpty(proposal)) {
           return extType;
       } else {
           return proposal + "," + extType;
       }
   }
   ```
   
   
   ### Other information
   
   NA


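The following is an added example, not part of the original issue and not Apache MINA SSHD code. It shows how a marker appended to the KEX proposal behaves under the RFC 4253 name-list negotiation: the client and server advertise differently named markers, so a marker can never be selected as the key exchange algorithm. The class name, helper names and sample algorithm lists are assumptions, and because the page elides part of the marker names, the example matches them by prefix.

```java
import java.util.Arrays;
import java.util.List;

public class StrictKexProposalDemo {
    // Marker prefixes as spelled on this page; the rest of each name is elided there,
    // so this example matches by prefix (an assumption of the example).
    static final String CLIENT_MARKER_PREFIX = "kex-strict-c-";
    static final String SERVER_MARKER_PREFIX = "kex-strict-s-";

    // What the issue describes: the marker is appended after the configured list.
    static String withMarker(String configured, String marker) {
        return configured.isEmpty() ? marker : configured + "," + marker;
    }

    // RFC 4253 section 7.1: the first name in the client's list that the server also lists.
    static String negotiate(String clientList, String serverList) {
        List<String> server = Arrays.asList(serverList.split(","));
        for (String name : clientList.split(",")) {
            if (server.contains(name)) {
                return name;
            }
        }
        return null; // no common algorithm: the key exchange fails
    }

    static boolean advertises(String list, String prefix) {
        return Arrays.stream(list.split(",")).anyMatch(n -> n.startsWith(prefix));
    }

    // Strict KEX applies only when both peers advertised their own marker.
    static boolean strictKexActive(String clientList, String serverList) {
        return advertises(clientList, CLIENT_MARKER_PREFIX)
                && advertises(serverList, SERVER_MARKER_PREFIX);
    }

    public static void main(String[] args) {
        // Constructed sample lists; the marker strings keep the page's elision.
        String client = withMarker("curve25519-sha256,ecdh-sha2-nistp256", "kex-strict-c-...@openssh.com");
        String server = withMarker("ecdh-sha2-nistp256,curve25519-sha256", "kex-strict-s-...@openssh.com");
        String otherServer = withMarker("diffie-hellman-group14-sha256", "kex-strict-s-...@openssh.com");

        System.out.println("client proposal : " + client);
        System.out.println("negotiated      : " + negotiate(client, server));
        System.out.println("strict KEX      : " + strictKexActive(client, server));
        // The two markers differ per side, so they never count as a shared algorithm.
        System.out.println("markers only    : " + negotiate(client, otherServer));
    }
}
```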