David Handermann created NIFI-10586:
---------------------------------------
Summary: Prioritize ssh-rsa Key Algorithm in SFTP Processors
Key: NIFI-10586
URL: https://issues.apache.org/jira/browse/NIFI-10586
Project: Apache NiFi
Issue Type: Improvement
Components: Extensions
Affects Versions: 1.16.1, 1.17.0
Reporter: David Handermann
Assignee: David Handermann

SSHJ 0.33.0 included changes to depend on the Key Algorithms configuration
property to determine supported RSA algorithms for public key authentication.
[SSHJ PR 742|https://github.com/hierynomus/sshj/pull/742] standardized this
configuration, which prioritizes {{rsa-sha2-256}} and {{rsa-sha2-512}} before
the legacy {{ssh-rsa}} algorithm. [SSHJ PR
763|https://github.com/hierynomus/sshj/pull/763] introduced additional changes
to try all configured RSA algorithms, but it depends on the server indicating
support for retrying public key authentication after initial failures.

To maintain wider compatibility, the Apache NiFi SSH default configuration
should be adjusted to prioritize {{ssh-rsa}} before {{rsa-sha2}} algorithms,
using the method implemented in SSHJ 0.33.0 PR 742. This prioritization should
be enabled in the default SFTP Processor configuration where the {{Key
Algorithms Allowed}} property is not specified. Overriding the {{Key Algorithms
Allowed}} property should continue to support custom algorithm selection
with defined prioritization.
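
The selection behavior requested above, as an added example that is not NiFi's own code: when the property is unset it calls the SSHJ method from PR 742, otherwise it keeps only the named algorithms in the order given. The class name, the configure and names helpers, and the comma-separated property format are assumptions made for illustration; it needs SSHJ 0.33.0 or later on the classpath.

```java
import com.hierynomus.sshj.key.KeyAlgorithm;
import net.schmizz.sshj.DefaultConfig;
import net.schmizz.sshj.common.Factory;

import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class KeyAlgorithmOrder {

    // Hypothetical helper: 'allowed' stands in for the Key Algorithms Allowed
    // property value (assumed comma-separated); null or blank means unset.
    static DefaultConfig configure(String allowed) {
        DefaultConfig config = new DefaultConfig();
        if (allowed == null || allowed.trim().isEmpty()) {
            // Unset: move ssh-rsa ahead of rsa-sha2-256 and rsa-sha2-512.
            config.prioritizeSshRsaKeyAlgorithm();
            return config;
        }
        // Set: index the supported factories by name, then select in the given order.
        Map<String, Factory.Named<KeyAlgorithm>> byName = new LinkedHashMap<>();
        for (Factory.Named<KeyAlgorithm> factory : config.getKeyAlgorithms()) {
            byName.putIfAbsent(factory.getName(), factory);
        }
        List<Factory.Named<KeyAlgorithm>> selected = new ArrayList<>();
        for (String name : allowed.split(",")) {
            Factory.Named<KeyAlgorithm> factory = byName.get(name.trim());
            if (factory == null) {
                // Fail closed instead of silently dropping an unknown name.
                throw new IllegalArgumentException("Unsupported key algorithm: " + name.trim());
            }
            selected.add(factory);
        }
        config.setKeyAlgorithms(selected);
        return config;
    }

    // Returns the configured algorithm names in negotiation order.
    static List<String> names(DefaultConfig config) {
        List<String> result = new ArrayList<>();
        for (Factory.Named<KeyAlgorithm> factory : config.getKeyAlgorithms()) {
            result.add(factory.getName());
        }
        return result;
    }

    public static void main(String[] args) {
        System.out.println("default:  " + names(configure(null)));
        System.out.println("override: " + names(configure("rsa-sha2-512,rsa-sha2-256")));
    }
}
```

The override call shows how an operator who does not need the legacy algorithm can restrict public key authentication to the rsa-sha2 variants.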