[jira] [Comment Edited] (SSHD-1259) DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in known_hosts

Mon, 04 Apr 2022 23:20:04 -0700 


    [ 
https://issues.apache.org/jira/browse/SSHD-1259?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17517244#comment-17517244
 ] 

Klaus Nguetsa edited comment on SSHD-1259 at 4/5/22 6:19 AM:
-------------------------------------------------------------

Yes I just saw it as well in the source code. The match is done with the 
hostname only and it returns after the first match. The fix should not be 
difficult. I will see when I can provide a PR for that


was (Author: JIRAUSER287562):
Yes I just saw it as well in the source code. The match is done with the 
hostname only and it returns after the first match. The fix should not be very 
difficult. I will see when I can provide a PR for that

> DefaultKnownHostsServerKeyVerifier not checking all Key algorithms present in 
> known_hosts
> -----------------------------------------------------------------------------------------
>
>                 Key: SSHD-1259
>                 URL: https://issues.apache.org/jira/browse/SSHD-1259
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Klaus Nguetsa
>            Priority: Major
>
> Hello everyone,
> Assuming I have the following known_hosts file containing twice the public 
> key of the same host but with different algorithms.:
>  
> {code:java}
> lserver1 ssh-dss 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> #
> lserver1 ecdsa-sha2-nistp256 
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX{code}
>  
>  
> During the connection when I use DefaultKnownHostsServerKeyVerifier  to 
> verify the keys, if the target host presents a ecdsa-sha2-nistp256 key, the 
> verification will fail because DefaultKnownHostsServerKeyVerifier  seems to 
> match to the first occurence of the hostname in the know_host file. Therefore 
> It will match the key _lserver1 ssh-dss XXXXXXXXXXXX..._ and the comparison 
> to the same key but with ecdsa-sha2-nistp256 algorithm presented by the 
> target host will fail. Shouldn't it iterate through the file until the right 
> combination (hostname, algorithm) is found?  This way it could check with 
> lserver1 ecdsa-sha2-nistp256 XXXX..... instead of lserver1 ssh-dss XXXXX......
> This works fine with openssh. 
> Thanks
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org

Reply via email to