Hi,

we have been using mina-sshd in the oVirt Engine project for several years,
currently version 2.2.0. For historical reasons we allow only RSA keys, and
recently we have found an issue with CentOS 8 hosts with FIPS hardening
enabled, where they dropped support for rsa-sha1 (even though a CentOS 7 host
with FIPS supports it without any issue).

So we found out that rsa-sha2 support was added in mina-sshd 2.3.0, so we
tried to upgrade our code to 2.4.0 and enable rsa-sha2 on the client.
Unfortunately we found that the example below doesn't work:

        import java.util.Arrays;
        import org.apache.sshd.client.SshClient;
        import org.apache.sshd.common.NamedFactory;
        import org.apache.sshd.common.signature.BuiltinSignatures;
        import org.apache.sshd.common.signature.Signature;

        SshClient sshClient = SshClient.setUpDefaultClient();
        // preference order: rsa-sha2-512, rsa-sha2-256, then legacy ssh-rsa (SHA-1)
        sshClient.setSignatureFactories(Arrays.<NamedFactory<Signature>>asList(
                 BuiltinSignatures.rsaSHA512,
                 BuiltinSignatures.rsaSHA256,
                 BuiltinSignatures.rsa));

And the following error is shown when the client is connecting to a CentOS 8
FIPS server:

2020-05-28 17:50:32,851+02 WARN [org.apache.sshd.client.session.ClientSessionImpl] (sshd-SshClient[6cbf4142]-nio2-thread-4) exceptionCaught(ClientSessionImpl[root@mperina-ce8-2/192.168.122.96:22])[state=Opened] SignatureException: Signature encoding error
2020-05-28 17:50:32,852+02 WARN [org.apache.sshd.client.session.ClientSessionImpl] (sshd-SshClient[6cbf4142]-nio2-thread-4) exceptionCaught(ClientSessionImpl[root@mperina-ce8-2/192.168.122.96:22])[state=Opened] caused by IOException: ObjectIdentifier mismatch: 2.16.840.1.101.3.4.2.3

I've also tried to test mina-sshd from master and found out that this issue
was solved between 2.4.0 and current master. Unfortunately we cannot use a
master snapshot in oVirt official releases, so I've tried to go over the
commits, but so far I haven't been able to find out which commit fixed this
issue (the most promising candidate
https://github.com/apache/mina-sshd/commit/982c842929aa6a76bcacd22f537532a35e656daf
hasn't helped).

Do you have any idea which commit fixed the above error?

Thanks a lot for any help

Martin

-- 
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
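The following is an added, stand-alone example (not oVirt Engine code and not part of the mina-sshd project) of the client configuration the message describes: an RSA-only client that prefers rsa-sha2-512/rsa-sha2-256 and, for a FIPS-hardened server, leaves out the SHA-1 based ssh-rsa entirely instead of keeping it as a fallback. It assumes the mina-sshd 2.4.x API named in the message (SshClient.setUpDefaultClient, setSignatureFactories, BuiltinSignatures.rsaSHA512/rsaSHA256/rsa); the private key path, host name and user are placeholders. The known_hosts verifier is added because the default client built by setUpDefaultClient accepts any server host key; the strict verifier rejects unknown or changed keys rather than prompting.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.concurrent.TimeUnit;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.channel.ChannelExec;
import org.apache.sshd.client.channel.ClientChannelEvent;
import org.apache.sshd.client.keyverifier.DefaultKnownHostsServerKeyVerifier;
import org.apache.sshd.client.keyverifier.RejectAllServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.kex.KexProposalOption;
import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;

/** Added example (not oVirt or mina-sshd project code): RSA-only client that prefers rsa-sha2. */
public class Sha2RsaClientExample {

    /**
     * Signature factories in preference order. With fipsOnly=true the SHA-1 based
     * "ssh-rsa" is omitted, so a FIPS-hardened server that no longer offers it
     * cannot be negotiated down to SHA-1; without it the legacy name stays as
     * the last-choice fallback for older hosts.
     */
    static List<NamedFactory<Signature>> rsaSignatures(boolean fipsOnly) {
        List<NamedFactory<Signature>> sigs = new ArrayList<>();
        sigs.add(BuiltinSignatures.rsaSHA512);   // rsa-sha2-512
        sigs.add(BuiltinSignatures.rsaSHA256);   // rsa-sha2-256
        if (!fipsOnly) {
            sigs.add(BuiltinSignatures.rsa);     // ssh-rsa (SHA-1), legacy fallback only
        }
        return sigs;
    }

    static SshClient newClient(boolean fipsOnly) {
        SshClient client = SshClient.setUpDefaultClient();
        client.setSignatureFactories(rsaSignatures(fipsOnly));
        // The default client accepts any host key; verify against ~/.ssh/known_hosts
        // strictly and reject unknown or changed keys instead of prompting.
        client.setServerKeyVerifier(
                new DefaultKnownHostsServerKeyVerifier(RejectAllServerKeyVerifier.INSTANCE, true));
        // Private key used for publickey authentication (path is an assumption).
        client.setKeyIdentityProvider(new FileKeyPairProvider(
                Paths.get(System.getProperty("user.home"), ".ssh", "id_rsa")));
        return client;
    }

    /** Connects, authenticates, runs one command and returns its stdout. */
    static String run(String user, String host, int port, String command, boolean fipsOnly)
            throws Exception {
        SshClient client = newClient(fipsOnly);
        client.start();
        try (ClientSession session = client.connect(user, host, port)
                .verify(10, TimeUnit.SECONDS).getSession()) {
            session.auth().verify(10, TimeUnit.SECONDS);
            // Report which host key algorithm was actually negotiated (e.g. rsa-sha2-512),
            // which is the quickest way to confirm the server did not fall back to ssh-rsa.
            System.out.println("server host key algorithm: "
                    + session.getNegotiatedKexParameter(KexProposalOption.SERVERKEYS));
            try (ChannelExec channel = session.createExecChannel(command)) {
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                channel.setOut(out);
                channel.setErr(new ByteArrayOutputStream());
                channel.open().verify(10, TimeUnit.SECONDS);
                channel.waitFor(EnumSet.of(ClientChannelEvent.CLOSED), TimeUnit.SECONDS.toMillis(30));
                Integer status = channel.getExitStatus();
                if (status == null || status != 0) {
                    throw new IllegalStateException("command exited with status " + status);
                }
                return out.toString(StandardCharsets.UTF_8.name());
            }
        } finally {
            client.stop();
        }
    }

    public static void main(String[] args) throws Exception {
        // host and user are placeholders; substitute your own
        System.out.print(run("root", "ssh.example.invalid", 22, "uname -r", true));
    }
}
```

The OID in the reported error, 2.16.840.1.101.3.4.2.3, is the NIST identifier for SHA-512, so the failure is in decoding a SHA-2 signature, not in the list above; this example only shows the intended configuration and does not work around the 2.4.0 behaviour the message reports. The fipsOnly=true form is the one to run against a FIPS-hardened CentOS 8 host, since ssh-rsa offered by the client cannot be selected by a server that has dropped it anyway and leaving it out makes the intent explicit.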
