[ 
https://issues.apache.org/jira/browse/SSHD-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Klaus Nguetsa updated SSHD-1259:
--------------------------------
    Summary: DefaultKnownHostsServerKeyVerifier not checking all Key algorithms 
present in known_hosts  (was: DefaultKnownHostsServerKeyVerifier not checking 
all Key algorithms)

> DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in 
> known_hosts
> -----------------------------------------------------------------------------------------
>
>                 Key: SSHD-1259
>                 URL: https://issues.apache.org/jira/browse/SSHD-1259
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Klaus Nguetsa
>            Priority: Major
>
> Hello everyone,
> Assuming I have the following known_hosts file containing twice the public 
> key of the same host but with different algorithms:
>  
> {code:java}
> lserver1 ssh-dss XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> lserver1 ecdsa-sha2-nistp256 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> {code}
>  
>  
> During the connection, when I use DefaultKnownHostsServerKeyVerifier to 
> verify the keys, if the target host presents an ecdsa-sha2-nistp256 key, the 
> verification will fail because DefaultKnownHostsServerKeyVerifier seems to 
> match the first occurrence of the hostname in the known_hosts file. Therefore 
> it will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison 
> to the same key but with the ecdsa-sha2-nistp256 algorithm presented by the 
> target host will fail. Shouldn't it iterate through the file until the right 
> combination (hostname, algorithm) is found? This way it could check with 
> lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
> This works fine with OpenSSH. 
> Thanks
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
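
The lookup difference described in the report, as an added example that is not part of the original message and not MINA SSHD code. It uses only the JDK (Java 16+); the class, method and enum names are hypothetical, the key data is constructed placeholder text, and only plain comma-separated host names are handled (no hashed entries, wildcards or @markers).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class KnownHostsLookup {
    enum Result { ACCEPTED, KEY_MISMATCH, UNKNOWN }
    record Entry(List<String> hosts, String keyType, String keyData) {}

    // Parse "hosts keytype base64key [comment]" lines; comment, blank, @marker and short lines are skipped.
    static List<Entry> parse(String text) {
        List<Entry> entries = new ArrayList<>();
        for (String line : text.split("\\R")) {
            String[] f = line.trim().split("\\s+");
            if (f.length < 3 || f[0].startsWith("#") || f[0].startsWith("@")) continue;
            entries.add(new Entry(Arrays.asList(f[0].split(",")), f[1], f[2]));
        }
        return entries;
    }

    // Behaviour described in the report: only the first entry for the host is compared.
    static Result verifyFirstHostMatch(List<Entry> entries, String host, String type, String data) {
        for (Entry e : entries) {
            if (e.hosts().contains(host)) {
                return e.keyType().equals(type) && e.keyData().equals(data)
                        ? Result.ACCEPTED : Result.KEY_MISMATCH;
            }
        }
        return Result.UNKNOWN;
    }

    // Behaviour the reporter asks for: scan every entry for the host, compare only same-type keys.
    static Result verifyAllEntries(List<Entry> entries, String host, String type, String data) {
        Result result = Result.UNKNOWN; // stays UNKNOWN if the host has no key of this type
        for (Entry e : entries) {
            if (!e.hosts().contains(host) || !e.keyType().equals(type)) continue;
            if (e.keyData().equals(data)) return Result.ACCEPTED;
            result = Result.KEY_MISMATCH; // same host and type, different key
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report's file; key data is placeholder text, not real keys.
        String file = "lserver1 ssh-dss AAAAB3PLACEHOLDERDSS\n#\nlserver1 ecdsa-sha2-nistp256 AAAAE2PLACEHOLDERECDSA\n";
        List<Entry> entries = parse(file);
        System.out.println(verifyFirstHostMatch(entries, "lserver1", "ecdsa-sha2-nistp256", "AAAAE2PLACEHOLDERECDSA"));
        System.out.println(verifyAllEntries(entries, "lserver1", "ecdsa-sha2-nistp256", "AAAAE2PLACEHOLDERECDSA"));
        System.out.println(verifyAllEntries(entries, "lserver1", "ecdsa-sha2-nistp256", "AAAAE2OTHERKEY"));
    }
}
```

A caller must treat UNKNOWN as "no trusted key of this type on file" and never as acceptance, so a host known only under another algorithm is not silently trusted.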
