Enhancements to IoBufferHexDumper
I'm adding some additional methods to IoBufferHexDumper to produce pretty hex dumps for debugging purposes. Possible options to expose the new methods:
1. Making IoBufferHexDumper class public instead of package local
2. Add another public method to IoBuffer (e.g. IoBuffer#getPrettyHexDump() or #getVerboseHexDump())
3. Overload IoBuffer#getHexDump() to include "boolean pretty" to enable pretty dumps.
Anyone have any opinions?
[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=483574&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-483574 ]

ASF GitHub Bot logged work on SSHD-1053:

Author: ASF GitHub Bot
Created on: 12/Sep/20 22:06
Start Date: 12/Sep/20 22:06
Worklog Time Spent: 10m
Work Description: FliegenKLATSCH closed pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 483574)
Time Spent: 3h 40m (was: 3.5h)

> Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
> --
>
> Key: SSHD-1053
> URL: https://issues.apache.org/jira/browse/SSHD-1053
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.5.1
> Reporter: Feng Jiajie
> Assignee: Lyor Goldstein
> Priority: Major
> Attachments: ca, ca.pub, myhost, myhost-cert.pub, myhost.pub
> Time Spent: 3h 40m
> Remaining Estimate: 0h
>
> Hi,
> We configured a Mina SSHD and used server certificates:
> [https://www.lorier.net/docs/ssh-ca.html]
> Mina SSHD:
> {code:java}
> sshd.setKeyPairProvider(new BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
> sshd.setHostKeyCertificateProvider(new FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
> {code}
> When using the OpenSSH client (test on v7.9 and v8.3) to connect to the Mina SSHD server, the client is reporting an error:
> {code:java}
> debug2: KEX algorithms: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: MACs stoc: hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: compression ctos: none,zlib,z...@openssh.com
> debug2: compression stoc: none,zlib,z...@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: ecdh-sha2-nistp256
> debug1: kex: host key algorithm: rsa-sha2-512-cert-...@openssh.com
> debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-...@openssh.com compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-...@openssh.com compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate: ssh-rsa-cert-...@openssh.com SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1" CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from 2020-08-14T12:48:45 to 2030-08-12T12:53:45
> debug2: Server host certificate hostname: 127.0.0.1
> debug2: Server host certificate hostname: localhost
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file /home/work/.ssh/known_hosts:34
> debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
> debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host certificate.
> debug1: Found CA key in /home/work/.ssh/known_hosts:34
> okok rsa-sha2-512-cert-...@openssh.com
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not match
> {code}
> After debugging the OpenSSH client, we found that the problem was that:
> [https://github.com/openssh/open
[GitHub] [mina-sshd] FliegenKLATSCH closed pull request #164: [SSHD-1053] Fix signature string for openssh certificate host key algorithms
FliegenKLATSCH closed pull request #164: URL: https://github.com/apache/mina-sshd/pull/164

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
[GitHub] [mina-sshd] lgoldstein commented on a change in pull request #164: [SSHD-1053] Fix signature string for openssh certificate host key algorithms
lgoldstein commented on a change in pull request #164: URL: https://github.com/apache/mina-sshd/pull/164#discussion_r486801409

## File path: sshd-common/src/main/java/org/apache/sshd/common/signature/SignatureRSA.java ##
@@ -52,8 +52,21 @@ private int verifierSignatureSize = -1; +private final String sshAlgorithmName; + protected SignatureRSA(String algorithm) { +this(algorithm, null);

Review comment: Since you are using `ValidateUtils.checkNotNullAndNotEmpty` this constructor is invalid since whoever uses it will get an exception.
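Review bot: the one-argument constructor `SignatureRSA(String algorithm)` delegates with `this(algorithm, null)`, so the new `sshAlgorithmName` field is always null on that path; with the `ValidateUtils.checkNotNullAndNotEmpty` check the review comment refers to, every caller of the one-argument form gets an exception instead of a usable signer. Either remove the one-argument constructor and update its callers, or have it pass a concrete, non-empty algorithm name rather than `null`. The new `sshAlgorithmName` field is also added without a comment; a line saying which name it holds and how it differs from `algorithm` would help the next reader.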
[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=483562&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-483562 ]

ASF GitHub Bot logged work on SSHD-1053:

Author: ASF GitHub Bot
Created on: 12/Sep/20 22:05
Start Date: 12/Sep/20 22:05
Worklog Time Spent: 10m
Work Description: lgoldstein commented on a change in pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164#discussion_r486801409

Issue Time Tracking
---
Worklog Id: (was: 483562)
Time Spent: 3.5h (was: 3h 20m)
[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=483210&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-483210 ]

ASF GitHub Bot logged work on SSHD-1053:

Author: ASF GitHub Bot
Created on: 12/Sep/20 21:32
Start Date: 12/Sep/20 21:32
Worklog Time Spent: 10m
Work Description: lgoldstein commented on pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164#issuecomment-690908807

Issue Time Tracking
---
Worklog Id: (was: 483210)
Time Spent: 3h 20m (was: 3h 10m)
[GitHub] [mina-sshd] lgoldstein commented on pull request #164: [SSHD-1053] Fix signature string for openssh certificate host key algorithms
lgoldstein commented on pull request #164: URL: https://github.com/apache/mina-sshd/pull/164#issuecomment-690908807
[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=482995&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-482995 ]

ASF GitHub Bot logged work on SSHD-1053:

Author: ASF GitHub Bot
Created on: 12/Sep/20 20:44
Start Date: 12/Sep/20 20:44
Worklog Time Spent: 10m
Work Description: FliegenKLATSCH closed pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164

Issue Time Tracking
---
Worklog Id: (was: 482995)
Time Spent: 3h 10m (was: 3h)
[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=482981&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-482981 ]

ASF GitHub Bot logged work on SSHD-1053:

Author: ASF GitHub Bot
Created on: 12/Sep/20 20:42
Start Date: 12/Sep/20 20:42
Worklog Time Spent: 10m
Work Description: lgoldstein commented on a change in pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164#discussion_r486801409

Issue Time Tracking
---
Worklog Id: (was: 482981)
Time Spent: 3h (was: 2h 50m)
[jira] [Work logged] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?focusedWorklogId=482803&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-482803 ]

ASF GitHub Bot logged work on SSHD-1053:
Author: ASF GitHub Bot
Created on: 12/Sep/20 20:23
Start Date: 12/Sep/20 20:23
Worklog Time Spent: 10m
Work Description: lgoldstein commented on pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164#issuecomment-690908807

Issue Time Tracking
---
Worklog Id: (was: 482803)
Time Spent: 2h 50m (was: 2h 40m)
[GitHub] [mina-sshd] lgoldstein commented on pull request #164: [SSHD-1053] Fix signature string for openssh certificate host key algorithms
lgoldstein commented on pull request #164:
URL: https://github.com/apache/mina-sshd/pull/164#issuecomment-690908807
[jira] [Created] (SSHD-1076) Make creation of the AuthFuture in ClientUserAuthService configurable/overrideable
Thomas Wolf created SSHD-1076:

Summary: Make creation of the AuthFuture in ClientUserAuthService configurable/overrideable
Key: SSHD-1076
URL: https://issues.apache.org/jira/browse/SSHD-1076
Project: MINA SSHD
Issue Type: New Feature
Affects Versions: 2.5.1
Reporter: Thomas Wolf

I have a need to have my own {{AuthFuture}} implementation. With the current implementation, the authentication timeout keeps running even while the client is asking the user for input, such as for a passphrase for an encrypted private key. If the user doesn't supply the information quickly enough, the session gets closed behind his back when the timeout expires.

So I need an {{AuthFuture}} that I can _pause_ while my client program is requesting user input.

I do have that actually, but currently I need to subclass {{ClientUserAuthService}} (because {{AbstractClientSession.getUserAuthService()}} has it as return type) _and_ copy all its code because the creation of the {{AuthFuture}} is hard-coded as {{new DefaultAuthFuture(...)}} in {{ClientUserAuthService.auth()}}.

Factoring this out into a separate method {{protected AuthFuture createAuthFuture(String serviceName, Object lock)}} would be one way (then I could override without having to copy all the code), but maybe there is a better way, such as a separately configurable AuthFutureFactory.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17194767#comment-17194767 ]

Feng Jiajie commented on SSHD-1053:
---
Hi [~lgoldstein], I'll try it next week, thanks!

Hi [~FliegenKLATSCH], thanks for your help!

> Got "key type does not match" when use OpenSSH client And Mina SSHD
> configured with a host public key cert
> --
>
> Key: SSHD-1053
> URL: https://issues.apache.org/jira/browse/SSHD-1053
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.5.1
> Reporter: Feng Jiajie
> Assignee: Lyor Goldstein
> Priority: Major
> Attachments: ca, ca.pub, myhost, myhost-cert.pub, myhost.pub
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> Hi,
> We configured a Mina SSHD and used server certificates:
> [https://www.lorier.net/docs/ssh-ca.html]
> Mina SSHD:
> {code:java}
> sshd.setKeyPairProvider(new
> BouncyCastleGeneratorHostKeyProvider(Paths.get("/tmp/ser-tunnel")));
> sshd.setHostKeyCertificateProvider(new
> FileHostKeyCertificateProvider(Paths.get("/tmp/ser-tunnel-cert.pub")));
> {code}
> When using the OpenSSH client (test on v7.9 and v8.3) to connect to the Mina
> SSHD server, the client is reporting an error:
> {code:java}
> debug2: KEX algorithms:
> ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms:
> rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos:
> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: MACs stoc:
> hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> debug2: compression ctos: none,zlib,z...@openssh.com
> debug2: compression stoc: none,zlib,z...@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: ecdh-sha2-nistp256
> debug1: kex: host key algorithm: rsa-sha2-512-cert-...@openssh.com
> debug1: kex: server->client cipher: aes128-ctr MAC:
> hmac-sha2-256-...@openssh.com compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC:
> hmac-sha2-256-...@openssh.com compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate: ssh-rsa-cert-...@openssh.com
> SHA256:HsNsqFEHMbCzl4wPfEw8TglsG8wxAQshrcq4mjdVvEM, serial 6 ID "ser-server1"
> CA ssh-rsa SHA256:uACMfGQyejQ3IH6MmAuNMp2dljdzLJq7nPpmdu9PSEQ valid from
> 2020-08-14T12:48:45 to 2030-08-12T12:53:45
> debug2: Server host certificate hostname: 127.0.0.1
> debug2: Server host certificate hostname: localhost
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: put_host_port: [127.0.0.1]:12133
> debug3: hostkeys_foreach: reading file "/home/work/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file
> /home/work/.ssh/known_hosts:34
> debug3: load_hostkeys: loaded 1 keys from [127.0.0.1]:12133
> debug1: Host '[127.0.0.1]:12133' is known and matches the RSA-CERT host
> certificate.
> debug1: Found CA key in /home/work/.ssh/known_hosts:34
> okok rsa-sha2-512-cert-...@openssh.com
> ssh_dispatch_run_fatal: Connection to 127.0.0.1 port 12133: key type does not
> match
> {code}
> After debugging the OpenSSH client, we found that the problem was that:
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L270]
> line 270:
> {code:java}
> if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
>     ret = SSH_ERR_KEY_TYPE_MISMATCH;
>     goto out;
> }
> {code}
> `sigtype` value is "rsa-sha2-512-cert-...@openssh.com"
> [https://github.com/openssh/openssh-portable/blob/V_7_9_P1/ssh-rsa.c#L61]
> line 61:
> {code:java}
> static int rsa_hash_id_from_ident(const char *ident){
>     if (strcmp(ident, "ssh-rsa") == 0)
>         return SSH_DIGEST_SHA1;
>     if (strcmp(ident, "rsa-sha2-256") == 0)
>         return SSH_DIGEST_SHA256;
>     if (strcmp(ident, "rsa-sha2-512") == 0)
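The check described in the issue above, as an added C example that is not code from OpenSSH or MINA SSHD: a signature blob whose leading name is the certificate key type fails the lookup, while the plain signature name passes. The suffix `-cert-v01@openssh.com` is the OpenSSH certificate suffix that the archive shows with its middle elided; `signature_ident_for`, `client_check_blob`, `round_trip` and the `DIGEST_*` constants are hypothetical names, and the signature bytes are a constructed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DIGEST_SHA1 = 1, DIGEST_SHA256 = 2, DIGEST_SHA512 = 3 };

/* Same lookup shape as the excerpt in the issue: only plain RSA names. */
static int hash_id_from_ident(const char *ident)
{
    if (strcmp(ident, "ssh-rsa") == 0)      return DIGEST_SHA1;
    if (strcmp(ident, "rsa-sha2-256") == 0) return DIGEST_SHA256;
    if (strcmp(ident, "rsa-sha2-512") == 0) return DIGEST_SHA512;
    return -1;
}

/* Hypothetical server-side helper: signature name = negotiated host key
 * algorithm with the OpenSSH certificate suffix removed. */
static int signature_ident_for(const char *alg, char *out, size_t outsz)
{
    static const char suffix[] = "-cert-v01@openssh.com";
    size_t n = strlen(alg), s = sizeof(suffix) - 1;
    if (n > s && strcmp(alg + n - s, suffix) == 0) n -= s;
    if (n >= outsz) return -1;
    memcpy(out, alg, n);
    out[n] = '\0';
    return 0;
}

/* Write one SSH "string": uint32 big-endian length, then the bytes. */
static size_t put_string(uint8_t *p, const void *data, size_t len)
{
    p[0] = (uint8_t)(len >> 24); p[1] = (uint8_t)(len >> 16);
    p[2] = (uint8_t)(len >> 8);  p[3] = (uint8_t)len;
    memcpy(p + 4, data, len);
    return 4 + len;
}

/* Client side: read the leading name of a signature blob, rejecting a
 * truncated, oversized or NUL-containing field. -1 = key type mismatch. */
static int client_check_blob(const uint8_t *blob, size_t len)
{
    char ident[64];
    uint32_t n;
    if (len < 4) return -1;
    n = (uint32_t)blob[0] << 24 | (uint32_t)blob[1] << 16 |
        (uint32_t)blob[2] << 8 | (uint32_t)blob[3];
    if (n > len - 4 || n >= sizeof(ident) || memchr(blob + 4, '\0', n))
        return -1;
    memcpy(ident, blob + 4, n);
    ident[n] = '\0';
    return hash_id_from_ident(ident);
}

/* Build a blob as a server would and run the client check on it.
 * strip_cert = 0 reproduces the reported behaviour, 1 the corrected one. */
int round_trip(const char *alg, int strip_cert)
{
    static const uint8_t fake_sig[8] = {0};  /* constructed placeholder */
    uint8_t blob[128];
    char ident[64];
    const char *name = alg;
    size_t off;
    if (strip_cert) {
        if (signature_ident_for(alg, ident, sizeof(ident)) != 0) return -1;
        name = ident;
    }
    if (strlen(name) >= sizeof(ident)) return -1;
    off = put_string(blob, name, strlen(name));
    off += put_string(blob + off, fake_sig, sizeof(fake_sig));
    return client_check_blob(blob, off);
}

int main(void)
{
    const char *alg = "rsa-sha2-512-cert-v01@openssh.com";
    printf("%d %d\n", round_trip(alg, 0), round_trip(alg, 1));
    return 0;
}
```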
[jira] [Commented] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17194741#comment-17194741 ]

Lyor Goldstein commented on SSHD-1053:
--
Thanks - that did the trick.

[~fengjiajie] - can you try out https://github.com/lgoldstein/mina-sshd/tree/SSHD-1053 and see if fixes the issue ?
[jira] [Commented] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17194672#comment-17194672 ]

FliegenKLATSCH commented on SSHD-1053:
--
I cannot really reproduce, could you try again with these [changes|https://github.com/FliegenKLATSCH/mina-sshd/commit/4eb28d55bfe81ea12e699f6c005c7f26a26dbd21]?

Adapted the test to the fact that the default now also contains the _cert signatures.
[jira] [Comment Edited] (SSHD-1053) Got "key type does not match" when use OpenSSH client And Mina SSHD configured with a host public key cert
[ https://issues.apache.org/jira/browse/SSHD-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17194346#comment-17194346 ]

Lyor Goldstein edited comment on SSHD-1053 at 9/12/20, 7:25 AM:

[~FliegenKLATSCH] I am having trouble passing the tests - specifically sshd-mina - please take a look ... - branch is https://github.com/lgoldstein/mina-sshd/tree/SSHD-1053

{noformat}
[ERROR] Failures:
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testAbortOnInvalidPrincipal[type=[rsa-sha2-512-cert-...@openssh.com, rsa-sha2-512]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 2: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 3: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[INFO]
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testAbortOnInvalidPrincipal[type=[ssh-rsa-cert-...@openssh.com, rsa-sha2-512]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 2: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 3: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[INFO]
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testAbortOnInvalidPrincipal[type=[ssh-rsa-cert-...@openssh.com, ssh-rsa]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 2: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 3: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[INFO]
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testAbortOnInvalidPrincipal[type=[ssh-rsa]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 2: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[ERROR]   Run 3: OpenSSHCertificateTest.testAbortOnInvalidPrincipal:174->Assert.assertEquals:633->Assert.assertEquals:647->Assert.failNotEquals:835->Assert.fail:89 expected:<3> but was:<0>
[INFO]
[ERROR] Errors:
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testContinueOnInvalidPrincipal[type=[rsa-sha2-512-cert-...@openssh.com, rsa-sha2-512]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[ERROR]   Run 2: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[ERROR]   Run 3: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[INFO]
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testContinueOnInvalidPrincipal[type=[ssh-rsa-cert-...@openssh.com, rsa-sha2-512]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[ERROR]   Run 2: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[ERROR]   Run 3: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[INFO]
[ERROR] org.apache.sshd.common.signature.OpenSSHCertificateTest.testContinueOnInvalidPrincipal[type=[ssh-rsa-cert-...@openssh.com, ssh-rsa]](org.apache.sshd.common.signature.OpenSSHCertificateTest)
[ERROR]   Run 1: OpenSSHCertificateTest.testContinueOnInvalidPrincipal:156 » Ssh Session is bei...
[ERROR]   Run 2: OpenSSHCertificateTest.testContinueO