[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures
[ https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17087035#comment-17087035 ]

Lyor Goldstein commented on SSHD-895:
-------------------------------------

{quote}Hm.. if it is like this, would it not get really worse if we add all the *-cert algorithms in SSHD-660?{quote}

It would - we just need to make sure they are added only on the +server+ side - on the client side they will require +explicit+ setting

{quote}users are still able to disable this in case they encounter such a server?{quote}

They would - they can +explicitly+ set the supported algorithms on the client side

> Add support for RSA + SHA-256/512 signatures
> --------------------------------------------
>
>                 Key: SSHD-895
>                 URL: https://issues.apache.org/jira/browse/SSHD-895
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.3.0
>            Reporter: Lyor Goldstein
>            Assignee: Lyor Goldstein
>            Priority: Major
>             Fix For: 2.3.0
>
>
> See https://tools.ietf.org/html/rfc8332 - *Note:*
> {quote}
> Servers that accept rsa-sha2-* signatures for client authentication
> SHOULD implement the extension negotiation mechanism defined in
> [RFC8308], including especially the "server-sig-algs" extension.
> {quote}

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures
[ https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17087027#comment-17087027 ]

FliegenKLATSCH commented on SSHD-895:
-------------------------------------

Hm.. if it is like this, would it not get really worse if we add all the *-cert algorithms in SSHD-660? I am not sure if two more or less really matter in that case? Also this would raise security and users are still able to disable this in case they encounter such a server? But anyhow thanks for the explanation. :)
[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures
[ https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086503#comment-17086503 ]

Lyor Goldstein commented on SSHD-895:
-------------------------------------

The comment simply says that there are servers that refuse to authenticate if the public key algorithms listed by the clients are not supported by the server. In other words, even if eventually the negotiated algorithm would be `ssh-rsa` some servers refuse to authenticate if the client lists algorithms they do not support. It contradicts SSH protocol behavior of course, but we want the default settings of MINA SSHD to provide the widest possible support - which means the most common "denominator".
[jira] [Commented] (SSHD-895) Add support for RSA + SHA-256/512 signatures
[ https://issues.apache.org/jira/browse/SSHD-895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17086449#comment-17086449 ]

FliegenKLATSCH commented on SSHD-895:
-------------------------------------

I don't understand the reason for not enabling rsaSHA512 and rsaSHA256 per default. Could you enlighten me? Does the comment
{code:java}
Implementation experience has shown that there are servers that apply authentication penalties to clients attempting public key algorithms that the SSH server does not support.
{code}
apply, if we first negotiate the algorithm with the server? I understand it the way that there are penalties if the client just tries an algorithm which was not negotiated? And I am not sure if the client would try a sha2 variant if the negotiated algorithm is `ssh-rsa`?
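
Added example (not part of the thread and not MINA SSHD code): how a client can use the RFC 8308 "server-sig-algs" extension named in the issue description to decide which signature algorithm to attempt with an RSA key, falling back to `ssh-rsa` when the server sends no such list. The function names, the preference order, the "return None to skip the key" policy and the sample payloads are assumptions of this sketch.

```python
import struct

SSH_MSG_EXT_INFO = 7  # message number assigned by RFC 8308
# This example's client preference order for RSA keys (an assumption).
RSA_PREFERENCE = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")

def _put(b):
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _get(buf, off):
    """Decode an SSH 'string' at off; reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string overruns payload")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_ext_info(payload):
    """Return {extension-name: raw value} from an SSH_MSG_EXT_INFO payload."""
    if len(payload) < 5 or payload[0] != SSH_MSG_EXT_INFO:
        raise ValueError("not an SSH_MSG_EXT_INFO payload")
    (count,) = struct.unpack_from(">I", payload, 1)
    exts, off = {}, 5
    for _ in range(count):
        name, off = _get(payload, off)
        value, off = _get(payload, off)
        exts[name.decode("ascii")] = value
    return exts

def choose_rsa_signature(ext_info):
    """Pick the signature algorithm for an RSA key, or None to skip the key."""
    if ext_info is None:      # server never sent EXT_INFO
        return "ssh-rsa"      # RFC 8332: legacy name avoids authentication penalties
    algs = parse_ext_info(ext_info).get("server-sig-algs")
    if algs is None:          # EXT_INFO present, but without server-sig-algs
        return "ssh-rsa"
    offered = set(algs.decode("ascii").split(","))
    return next((a for a in RSA_PREFERENCE if a in offered), None)

def build_ext_info(sig_algs):
    """Constructed sample: an EXT_INFO payload carrying only server-sig-algs."""
    return (bytes([SSH_MSG_EXT_INFO]) + struct.pack(">I", 1)
            + _put(b"server-sig-algs") + _put(",".join(sig_algs).encode("ascii")))

if __name__ == "__main__":
    for sample in (None, build_ext_info(["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"])):
        print(choose_rsa_signature(sample))
```

With this policy the client attempts an rsa-sha2-* signature only when the server has advertised it, which is the case the penalty sentence quoted above is about.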