tomaswolf commented on issue #531: URL: https://github.com/apache/mina-sshd/issues/531#issuecomment-2233155209
Actually, I remember now that we ran into this long ago in JGit already. The approach taken there was simply "if you need to connect with RSA keys to legacy servers that don't support rsa-sha2*, then define "ssh-rsa" explicitly as signature algorithm to be used for connections to that server". Plus JGit implemented the SSH config [PubkeyAcceptedAlgorithms](https://man.openbsd.org/ssh_config#PubkeyAcceptedAlgorithms) to make easy for users to do so. That's perhaps an even better approach. Using the negotiated host key signature type would only work if the host key was also an RSA key. In other words: everything works as designed; configure "ssh-rsa" explicitly to connect to such legacy servers. Another approach is not to take advantage of the quoted permission from RFC8332 and _always_ fall back to the unsafe "ssh-rsa" unless the server sent a "server-sig-algs" extension message with the rsa-sha2* signatures mentioned. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org
