[
https://issues.apache.org/jira/browse/SSHD-1216?focusedWorklogId=665966&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-665966
]
ASF GitHub Bot logged work on SSHD-1216:
----------------------------------------
Author: ASF GitHub Bot
Created on: 17/Oct/21 00:49
Start Date: 17/Oct/21 00:49
Worklog Time Spent: 10m
Work Description: benhumphreys commented on pull request #204:
URL: https://github.com/apache/mina-sshd/pull/204#issuecomment-944823080
Many thanks for this @tomaswolf
I've dropped a snapshot build of your branch into Bitbucket Server to do
some testing and it looks great! I've tested with OpenSSH 8.1p1 and 8.8p1 and
it works as expected, with both resulting in the use of `rsa-sha2-512`.
I've also tested with OpenSSH 6.6.1p1 and it works as I'd expect; it doesn't
send `server-sig-algs` because the client doesn't send `ext-info-s`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 665966)
Time Spent: 40m (was: 0.5h)
> Implement RFC 8332 server-sig-algs on the server
> ------------------------------------------------
>
> Key: SSHD-1216
> URL: https://issues.apache.org/jira/browse/SSHD-1216
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Ben Humphreys
> Assignee: Thomas Wolf
> Priority: Major
> Fix For: 2.7.1
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> In the recently released [OpenSSH
> 8.8|https://www.openssh.com/txt/release-8.8] for RSA keys the public key
> signature algorithm that depends on SHA-1 has been disabled by default:
> {quote}This release disables RSA signatures using the SHA-1 hash algorithm
> 2by default. This change has been made as the SHA-1 hash algorithm is
> cryptographically broken, and it is possible to create chosen-prefix 4hash
> collisions for <USD$50K [1]
> {quote}
> As a result OpenSSH 8.8 clients are unable to authenticate with Mina SSHD
> servers with RSA based keys (it is however possible to reenable ssh-rsa).
> OpenSSH since 7.2 does however support RFC 8332 RSA/SHA-256/512 signatures,
> indeed the release notes go on to say:
> {quote}
> For most users, this change should be invisible and there is no need to
> replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512
> signatures since release 7.2 and existing ssh-rsa keys will automatically use
> the stronger algorithm where possible.
> {quote}
> It appears Mina SSHD partly implements support for RFC 8332, indeed the
> client code appears to support it (see SSHD-1141). However the server appears
> to lack full support because it doesn't full implement the"server-sig-algs"
> extension.
> The basic framework for supporting this seems to be present, specifically
> {{AbstractKexFactoryManager.setKexExtensionHandler()}} could perhaps permit
> such a "server-sig-algs" extension.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
