[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-19 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17087035#comment-17087035
 ] 

Lyor Goldstein commented on SSHD-895:
-

{quote}Hm.. if it is like this, would it not get really worse if we add all the 
*-cert algorithms in SSHD-660?{quote}

It would - we just need to make sure they are added only on the +server+ side - 
on the client side they will require +explicit+ setting.

{quote}users are still able to disable this in case they encounter such a 
server?{quote}

They would - they can +explicitly+ set the supported algorithms on the client 
side.

> Add support for RSA + SHA-256/512 signatures
> 
>
> Key: SSHD-895
> URL: https://issues.apache.org/jira/browse/SSHD-895
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 2.3.0
> Reporter: Lyor Goldstein
> Assignee: Lyor Goldstein
> Priority: Major
> Fix For: 2.3.0
>
>
> See https://tools.ietf.org/html/rfc8332 - *Note:*
> {quote}
> Servers that accept rsa-sha2-* signatures for client authentication
> SHOULD implement the extension negotiation mechanism defined in
> [RFC8308], including especially the "server-sig-algs" extension.
> {quote}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
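
Added example, not part of the thread and not MINA SSHD code: the RFC 8332 note quoted in the issue points at the "server-sig-algs" extension of RFC 8308, and the sketch below parses an SSH_MSG_EXT_INFO payload and picks the signature algorithm for an RSA key, falling back to `ssh-rsa` when the server advertised nothing. The function names, the preference order and the sample payload are assumptions made for this example.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number from RFC 8308
# Client preference order for an RSA key (assumed for this example)
RSA_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")

def _put(s):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    b = s.encode("ascii")
    return struct.pack(">I", len(b)) + b

def _get(buf, off):
    """Decode one SSH 'string' at off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_ext_info(exts):
    """Build a constructed SSH_MSG_EXT_INFO payload (sample input only)."""
    body = b"".join(_put(k) + _put(v) for k, v in exts.items())
    return bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", len(exts)) + body

def parse_ext_info(payload):
    """Return {extension-name: raw value bytes} from an EXT_INFO payload."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, exts = 5, {}
    for _ in range(count):
        name, off = _get(payload, off)
        value, off = _get(payload, off)
        exts[name.decode("ascii")] = value
    return exts

def choose_rsa_signature(payload, enabled=RSA_PREFERENCE):
    """Pick the signature algorithm to use with an RSA key, or None."""
    exts = parse_ext_info(payload) if payload is not None else {}
    if "server-sig-algs" not in exts:
        # No advertisement: use ssh-rsa (RSA with SHA-1) instead of probing
        # rsa-sha2-*, which some servers penalize (RFC 8332, section 3.3)
        return "ssh-rsa" if "ssh-rsa" in enabled else None
    advertised = set(exts["server-sig-algs"].decode("ascii").split(","))
    return next((a for a in enabled if a in advertised), None)

# Constructed sample: a server advertising the RFC 8332 algorithms
MODERN = build_ext_info(
    {"server-sig-algs": "ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa"})
```

Passing `None` as the payload models a server that never sent SSH_MSG_EXT_INFO; a client with only the `rsa-sha2-*` names enabled gets `None` back in that case and has no RSA signature it can offer without guessing.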



[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-19 Thread FliegenKLATSCH (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17087027#comment-17087027
 ] 

FliegenKLATSCH commented on SSHD-895:
-

Hm.. if it is like this, would it not get really worse if we add all the *-cert 
algorithms in SSHD-660?

I am not sure if two more or less really matter in that case? Also this would 
raise security and users are still able to disable this in case they encounter 
such a server?
But anyhow thanks for the explanation. :)




[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-18 Thread Lyor Goldstein (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086503#comment-17086503
 ] 

Lyor Goldstein commented on SSHD-895:
-

The comment simply says that there are servers that refuse to authenticate if 
the public key algorithms listed by the clients are not supported by the 
server. In other words, even if eventually the negotiated algorithm would be 
`ssh-rsa` some servers refuse to authenticate if the client lists algorithms 
they do not support. It contradicts SSH protocol behavior of course, but we 
want the default settings of MINA SSHD to provide the widest possible support - 
which means the most common "denominator".




[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures

2020-04-18 Thread FliegenKLATSCH (Jira)


[ 
https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086449#comment-17086449
 ] 

FliegenKLATSCH commented on SSHD-895:
-

I don't understand the reason for not enabling rsaSHA512 and rsaSHA256 by 
default. Could you enlighten me?

Does the comment 
{code:java}
Implementation experience has shown that there are servers that apply
authentication penalties to clients attempting public key algorithms
that the SSH server does not support.{code}
apply, if we first negotiate the algorithm with the server?

I understand it the way that there are penalties if the client just tries an 
algorithm which was not negotiated?

And I am not sure if the client would try a sha2 variant if the negotiated 
algorithm is `ssh-rsa`?
