Klaus Nguetsa created SSHD-1259:
-----------------------------------
Summary: DefaultKnownHostsServerKeyVerifier not checking all Key
algorithms
Key: SSHD-1259
URL: https://issues.apache.org/jira/browse/SSHD-1259
Project: MINA SSHD
Issue Type: Bug
Affects Versions: 2.8.0
Reporter: Klaus Nguetsa
Assuming I have the following know_hosts file containing twice the public key
of the same host but with different algorithms.:
{code:java}
lserver1 ssh-dss
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#
lserver1 ecdsa-sha2-nistp256
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code}
During the connection when I use DefaultKnownHostsServerKeyVerifier to verify
the keys, if the target host presents a ecdsa-sha2-nistp256 key, the
verification will fail because DefaultKnownHostsServerKeyVerifier seems to
match to the first occurence of the hostname in the know_host file. Therefore
It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison to
the same key but with ecdsa-sha2-nistp256 algorithm presented by the target
host will fail. Shouldn't it iterate through the file until the right
combination (hostname, algorithm) is found? This way it could check with
lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
This works fine with openssh.
Thanks
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
