tomaswolf commented on code in PR #449: URL: https://github.com/apache/mina-sshd/pull/449#discussion_r1442312630
########## CHANGES.md: ########## @@ -43,6 +44,15 @@ acknowledgements of a `receive` related command. The user is free to inspect the to handle it - including even throwing an exception if OK status (if this makes sense for whatever reason). The default implementation checks for ERROR code and throws an exception if so. +### OpenSSH protocol extension: strict key exchange + +[GH-445](https://github.com/apache/mina-sshd/issues/445) implements an extension to the SSH protocol introduced +in OpenSSH 9.6. This ["strict key exchange" extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) +hardens the SSH key exchange against the ["Terrapin attack"](https://www.terrapin-attack.com/). The extension +is active if both parties announce their support for it at the start of the initial key exchange. If only one

Review Comment: I'm aware of the option in JSch 0.2.15. A `CoreModuleProperties` property for requiring strict kex and failing the connection if strict kex is not negotiated in `negotiate()` could be considered, and could easily be added in a follow-up commit. Or we could add it to the negotiation result in a follow-up commit; then a `SessionListener.sessionNegotiationEnd()` could be used to close the connection by throwing an exception. To be really useful one would need the `~/.ssh/config` option, though. And as I wrote, I believe that should be done only if OpenSSH gets it, too. In any case, IMO this is something for follow-up changes.
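Review bot: the new CHANGES.md paragraph says the extension "is active if both parties announce their support for it", but it does not tell the reader what the library does when the peer does not announce it, which is the case that matters for Terrapin: per this discussion there is currently no property to require strict kex and fail the connection, so the entry should state plainly that the session proceeds without the hardening in that case and that a callback such as `SessionListener.sessionNegotiationEnd()` is the place to enforce it until an option exists. Two smaller points on the same hunk: "[GH-445](...) implements an extension" reads as if the issue did the implementing, so "This release implements (GH-445) ..." is clearer; and the PROTOCOL link points at `blob/master`, which will drift as OpenSSH edits that file, so link to the section as of the OpenSSH 9.6 release rather than master.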