[ https://issues.apache.org/jira/browse/SSHD-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Klaus Nguetsa updated SSHD-1259: -------------------------------- Summary: DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in known_hosts (was: DefaultKnownHostsServerKeyVerifier not checking all Key algorithms) > DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in > known_hosts > ----------------------------------------------------------------------------------------- > > Key: SSHD-1259 > URL: https://issues.apache.org/jira/browse/SSHD-1259 > Project: MINA SSHD > Issue Type: Bug > Affects Versions: 2.8.0 > Reporter: Klaus Nguetsa > Priority: Major > > Hello everyone, > Assuming I have the following known_hosts file containing twice the public > key of the same host but with different algorithms.: > > {code:java} > lserver1 ssh-dss > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > # > lserver1 ecdsa-sha2-nistp256 > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code} > > > During the connection when I use DefaultKnownHostsServerKeyVerifier to > verify the keys, if the target host presents a ecdsa-sha2-nistp256 key, the > verification will fail because DefaultKnownHostsServerKeyVerifier seems to > match to the first occurence of the hostname in the know_host file. Therefore > It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison > to the same key but with ecdsa-sha2-nistp256 algorithm presented by the > target host will fail. Shouldn't it iterate through the file until the right > combination (hostname, algorithm) is found? This way it could check with > lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX...... > This works fine with openssh. > Thanks > -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org