[
https://issues.apache.org/jira/browse/SSHD-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Nord updated SSHD-1264:
-----------------------------
Description:
When using MINA as an SSH client to connect to an OpenSSH server, the host key
algorithm that is negotiated on the initial connection can be different from
the one used in a rekey.
This causes an issue, as connections can be terminated if the initial host key
type is in the known hosts (say ECDSA) but the subsequent one (RSA) is not.
Once connected, the same host key algorithm should be used in any subsequent
re-key events.
(See log attached from SSHD.)
Note: this is easy-ish to see by setting the OpenSSH server config `RekeyLimit
default 10`, which will cause a rekey after 10 seconds on a data event.
e.g.
{noformat}
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512
{noformat}
This shows the flop from an agreed exchange of {{ecdsa-sha2-nistp256}} to
{{rsa-sha2-512}}.
The end result is that if the RSA key is not known then the connection is killed:
{{o.a.s.c.k.KnownHostsServerKeyVerifier#acceptModifiedServerKey:
acceptModifiedServerKey(ClientSessionImpl[jenkins@localhost/127.0.0.1:22])
mismatched keys presented by localhost/127.0.0.1:22 for entry=localhost
ecdsa-sha2-nistp256
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNZDNvKiE7VBVWziZUlICIpIEMhVy0nL3y2hHYRQGMOaWWPajP86ucgwgeXAWmJOxr4bqMtC9tF0vC1W2l8wYPM=:
expected=ecdsa-sha2-nistp256-SHA256:x5TMcz4T6ggPxxSbx6gfTzk8US6CLuxgmqXNXedu+6w,
actual=ssh-rsa-SHA256:W60YQsFuMkHf0flHrJFR31lvyYm7Y6BkEMkqHUTOpZQ}}
was:
When using MINA as an SSH client to connect to an OpenSSH server, the host key
algorithm that is negotiated on the initial connection can be different from
the one used in a rekey.
This causes an issue, as connections can be terminated if the initial host key
type is in the known hosts (say ECDSA) but the subsequent one (RSA) is not.
Once connected, the same host key algorithm should be used in any subsequent
re-key events.
(See log attached from SSHD.)
Note: this is easy-ish to see by setting the OpenSSH server config `RekeyLimit
default 10`, which will cause a rekey after 10 seconds on a data event.
e.g.
{noformat}
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512
{noformat}
This shows the flop from an agreed exchange of {{ecdsa-sha2-nistp256}} to
{{rsa-sha2-512}}.
> different host key algorithm used on rekey than used for the initial
> connection
> -------------------------------------------------------------------------------
>
> Key: SSHD-1264
> URL: https://issues.apache.org/jira/browse/SSHD-1264
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 2.8.0
> Reporter: James Nord
> Priority: Major
> Attachments: sshd_log.txt
>
>
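As an added check (not part of the issue or of MINA SSHD's own code), the Python below scans OpenSSH debug output for the `kex: host key algorithm:` lines quoted above, reports any rekey that negotiated a different host key algorithm than the initial exchange, and predicts which of those a known_hosts verifier would reject. The log and known_hosts contents are constructed samples, not the attached sshd_log.txt; the rsa-sha2-* to ssh-rsa key-type mapping follows RFC 8332 and explains why the verifier logs `actual=ssh-rsa` after negotiating `rsa-sha2-512`.

```python
import re

# Constructed sample of OpenSSH sshd debug output (not the attached sshd_log.txt).
SAMPLE_LOG = """\
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
debug1: KEX done [preauth]
debug1: rekey after 10 seconds
debug1: kex: host key algorithm: rsa-sha2-512
"""

# Constructed known_hosts with only the server's ECDSA key recorded.
KNOWN_HOSTS = """\
localhost,127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNh...constructed...
"""

HOSTKEY_RE = re.compile(r"kex: host key algorithm: (\S+)")

def key_type_of(sig_alg: str) -> str:
    """Map a negotiated host key signature algorithm to the key type stored in
    known_hosts. Per RFC 8332 the rsa-sha2-256/512 signature algorithms are used
    with ssh-rsa keys, which is why the verifier reports actual=ssh-rsa."""
    return "ssh-rsa" if sig_alg in ("rsa-sha2-256", "rsa-sha2-512") else sig_alg

def hostkey_algorithms(log: str) -> list[str]:
    """Host key algorithms in negotiation order: index 0 is the initial KEX, the rest are rekeys."""
    return [m.group(1) for line in log.splitlines() if (m := HOSTKEY_RE.search(line))]

def known_key_types(known_hosts: str, host: str) -> set[str]:
    """Key types recorded for host (plain entries only; hashed |1| entries are skipped)."""
    types = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("|") and host in parts[0].split(","):
            types.add(parts[1])
    return types

def find_rekey_flips(algs: list[str]) -> list[tuple[str, str]]:
    """(initial, rekey) pairs where a rekey negotiated a different host key algorithm."""
    return [(algs[0], a) for a in algs[1:] if a != algs[0]] if algs else []

def check_session(log: str, known_hosts: str, host: str) -> dict:
    """Summarise the flips and which rekeys a known_hosts verifier would reject."""
    algs = hostkey_algorithms(log)
    flips = find_rekey_flips(algs)
    known = known_key_types(known_hosts, host)
    rejected = [a for _, a in flips if key_type_of(a) not in known]
    return {"algorithms": algs, "flips": flips, "would_reject": rejected}

if __name__ == "__main__":
    print(check_session(SAMPLE_LOG, KNOWN_HOSTS, "localhost"))
```

Adding the server's RSA key to known_hosts (or pinning the client to a single host key algorithm) makes `would_reject` empty, which is the state a deployment needs until the rekey behaviour is fixed.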
--
This message was sent by Atlassian Jira
(v8.20.7#820007)