[GitHub] [mina-sshd] FliegenKLATSCH edited a comment on issue #119: Add support for openssh host key certificates

2020-04-18 Thread GitBox
FliegenKLATSCH edited a comment on issue #119: Add support for openssh host key 
certificates
URL: https://github.com/apache/mina-sshd/pull/119#issuecomment-615926894
 
 
   Please note commit 
https://github.com/apache/mina-sshd/pull/119/commits/a8cdbdec3fe6c7c3e248ec1854b4f0adc27c5863
 This relates to [SSHD-895](https://issues.apache.org/jira/browse/SSHD-895), if 
client and server negotiated e.g. rsa-sha512 the signature verification would 
fail with ssh-rsa retrieved from `KeyUtils.getKeyType`.
   If all is fine now for you, should be ready to merge from my side. Many 
thanks for your fast reviews! I really appreciate this.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

-
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
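
The mismatch described in the comment above, as an added example that is not part of the original message or of MINA SSHD's code: an RSA host key always has key type ssh-rsa, so a verifier selected from the key type checks a SHA-1 signature even when the peers negotiated rsa-sha2-512. `keyTypeOf` is a hypothetical stand-in for a key-type lookup, and the exchange hash is a constructed sample value; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Map;

public class NegotiatedSigAlgDemo {
    // SSH signature algorithm name -> JCA name (RFC 4253 ssh-rsa, RFC 8332 rsa-sha2-*)
    static final Map<String, String> JCA = Map.of(
            "ssh-rsa", "SHA1withRSA",
            "rsa-sha2-256", "SHA256withRSA",
            "rsa-sha2-512", "SHA512withRSA");

    // Hypothetical key-type lookup: the key format is the same for every RSA signature variant
    static String keyTypeOf(PublicKey key) {
        if ("RSA".equals(key.getAlgorithm())) return "ssh-rsa";
        throw new IllegalArgumentException("unsupported key: " + key.getAlgorithm());
    }

    // Verify with the JCA algorithm that corresponds to the given SSH algorithm name
    static boolean verify(String sshAlg, PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance(JCA.get(sshAlg));
        v.initVerify(key);
        v.update(data);
        try {
            return v.verify(sig);
        } catch (SignatureException e) {
            return false; // some JDK versions throw on a digest mismatch instead of returning false
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair host = gen.generateKeyPair();
        byte[] exchangeHash = "constructed exchange hash".getBytes(StandardCharsets.UTF_8);
        String negotiated = "rsa-sha2-512"; // result of the host key algorithm negotiation

        // The signing side uses the negotiated algorithm
        Signature s = Signature.getInstance(JCA.get(negotiated));
        s.initSign(host.getPrivate());
        s.update(exchangeHash);
        byte[] sig = s.sign();

        String byKeyType = keyTypeOf(host.getPublic());
        System.out.println(byKeyType + " -> " + verify(byKeyType, host.getPublic(), exchangeHash, sig));
        System.out.println(negotiated + " -> " + verify(negotiated, host.getPublic(), exchangeHash, sig));
    }
}
```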



[GitHub] [mina-sshd] FliegenKLATSCH commented on issue #119: Add support for openssh host key certificates

2020-04-18 Thread GitBox
FliegenKLATSCH commented on issue #119: Add support for openssh host key 
certificates
URL: https://github.com/apache/mina-sshd/pull/119#issuecomment-615926894
 
 
   Please note commit 
https://github.com/apache/mina-sshd/pull/119/commits/a8cdbdec3fe6c7c3e248ec1854b4f0adc27c5863
 This relates to [SSHD-895](https://issues.apache.org/jira/browse/SSHD-895), if 
client and server negotiated e.g. rsa-sha512 the signature verification would 
fail with ssh-rsa retrieved from `KeyUtils.getKeyType`.





[jira] [Created] (SSHD-981) Implement no-flow-control SFTP extension

2020-04-18 Thread Guillaume Nodet (Jira)
Guillaume Nodet created SSHD-981:


 Summary: Implement no-flow-control SFTP extension
 Key: SSHD-981
 URL: https://issues.apache.org/jira/browse/SSHD-981
 Project: MINA SSHD
  Issue Type: Improvement
Reporter: Guillaume Nodet
Assignee: Guillaume Nodet
 Fix For: 2.4.1






--
This message was sent by Atlassian Jira
(v8.3.4#803005)




[jira] [Created] (SSHD-980) Make the SFTP Api cleaner by moving the implementation classes into the non public package

2020-04-18 Thread Guillaume Nodet (Jira)
Guillaume Nodet created SSHD-980:


 Summary: Make the SFTP Api cleaner by moving the implementation 
classes into the non public package
 Key: SSHD-980
 URL: https://issues.apache.org/jira/browse/SSHD-980
 Project: MINA SSHD
  Issue Type: Improvement
Reporter: Guillaume Nodet
Assignee: Guillaume Nodet
 Fix For: 2.4.1









[jira] [Created] (SSHD-979) Rework SFTP streams so that we can send or receive as much data as possible

2020-04-18 Thread Guillaume Nodet (Jira)
Guillaume Nodet created SSHD-979:


 Summary: Rework SFTP streams so that we can send or receive as 
much data as possible
 Key: SSHD-979
 URL: https://issues.apache.org/jira/browse/SSHD-979
 Project: MINA SSHD
  Issue Type: Improvement
Reporter: Guillaume Nodet
Assignee: Guillaume Nodet
 Fix For: 2.4.1


The streams use a synchronous InputStream or OutputStream on the channel which 
blocks for the server response whenever flush is called. This causes a huge 
drop of the transfer rate compared to other SFTP implementations.

 

This work is sponsored by Buddy [https://buddy.works/]






[jira] [Commented] (SSHD-978) Autoformat source code instead of using checkstyle

2020-04-18 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086504#comment-17086504
 ] 

Lyor Goldstein commented on SSHD-978:
-

Can you provide some more information on this issue? I am not sure it is 
feasible - my main concern is how this would work in coordination with the 
IDE(s) (let's say Eclipse and IntelliJ).

> Autoformat source code instead of using checkstyle
> --
>
> Key: SSHD-978
> URL: https://issues.apache.org/jira/browse/SSHD-978
> Project: MINA SSHD
> Issue Type: Task
> Reporter: Guillaume Nodet
> Assignee: Guillaume Nodet
> Priority: Major
> Fix For: 2.4.1
>
>







[jira] [Comment Edited] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-18 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086503#comment-17086503
 ] 

Lyor Goldstein edited comment on SSHD-895 at 4/18/20, 3:39 PM:
---

The comment simply says that there are servers that refuse to authenticate if 
the public key algorithms listed by the clients are not supported by the 
server. In other words, even if eventually the negotiated algorithm would be 
{{ssh-rsa}} some servers refuse to authenticate if the client lists algorithms 
they do not support. It contradicts SSH protocol behavior of course, but we 
want the default settings of MINA SSHD to provide the widest possible support - 
which means the most common "denominator".


was (Author: lgoldstein):
The comment simply says that there are servers that refuse to authenticate if 
the public key algorithms listed by the clients are not supported by the 
server. In other words, even if eventually the negotiated algorithm would be 
`ssh-rsa` some servers refuse to authenticate if the client lists algorithms 
they do not support. It contradicts SSH protocol behavior of course, but we 
want the default settings of MINA SSHD to provide the widest possible support - 
which means the most common "denominator".

> Add support for RSA + SHA-256/512 signatures
> 
>
> Key: SSHD-895
> URL: https://issues.apache.org/jira/browse/SSHD-895
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 2.3.0
> Reporter: Lyor Goldstein
> Assignee: Lyor Goldstein
> Priority: Major
> Fix For: 2.3.0
>
>
> See https://tools.ietf.org/html/rfc8332 - *Note:*
> {quote}
> Servers that accept rsa-sha2-* signatures for client authentication
> SHOULD implement the extension negotiation mechanism defined in
> [RFC8308], including especially the "server-sig-algs" extension.
> {quote}






[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-18 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086503#comment-17086503
 ] 

Lyor Goldstein commented on SSHD-895:
-

The comment simply says that there are servers that refuse to authenticate if 
the public key algorithms listed by the clients are not supported by the 
server. In other words, even if eventually the negotiated algorithm would be 
`ssh-rsa` some servers refuse to authenticate if the client lists algorithms 
they do not support. It contradicts SSH protocol behavior of course, but we 
want the default settings of MINA SSHD to provide the widest possible support - 
which means the most common "denominator".




[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-18 Thread FliegenKLATSCH (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086449#comment-17086449
 ] 

FliegenKLATSCH commented on SSHD-895:
-

I don't understand the reason for not enabling rsaSHA512 and rsaSHA256 per 
default. Could you enlighten me?

Does the comment 
{code:java}
Implementation experience has shown that there are servers that apply
authentication penalties to clients attempting public key algorithms
that the SSH server does not support.{code}
apply, if we first negotiate the algorithm with the server?

I understand it the way that there are penalties if the client just tries an 
algorithm which was not negotiated?

And I am not sure if the client would try a sha2 variant if the negotiated 
algorithm is `ssh-rsa`?




[jira] [Created] (SSHD-978) Autoformat source code instead of using checkstyle

2020-04-18 Thread Guillaume Nodet (Jira)
Guillaume Nodet created SSHD-978:


 Summary: Autoformat source code instead of using checkstyle
 Key: SSHD-978
 URL: https://issues.apache.org/jira/browse/SSHD-978
 Project: MINA SSHD
  Issue Type: Task
Reporter: Guillaume Nodet
Assignee: Guillaume Nodet
 Fix For: 2.4.1









[GitHub] [mina-sshd] lgoldstein commented on issue #119: Add support for openssh host key certificates

2020-04-18 Thread GitBox
lgoldstein commented on issue #119: Add support for openssh host key 
certificates
URL: https://github.com/apache/mina-sshd/pull/119#issuecomment-615619181
 
 
   >> OpenSSH actually does a fallback to the plain host key, maybe we should 
do the same instead of aborting the connection if the certificate is invalid. 
Makes especially sense if the certificate is expired, you still want to be able 
to connect..
   
   I can live with that - just a suggestion - you can make the behavior 
configurable via a property that you can retrieve from the session (default can 
be whatever you decide).
   
   >> I am currently on the unit tests, having some issues with RSA key 
mismatch exception... 512 vs 256 .. need to investigate further...
   
   Great - will wait for you to let me know when you feel the code is ready 
for more review and merging.

