Public key authentication only possible with host key types #600
Comments
|
Having consulted the relevant RFC again, I think that the approach used here is not necessarily incorrect, it would just need to additionally allow all non-RSA key algorithms for public keys. This would still allow to choose the ssh-rsa signature algorithm based on what the server host key uses. An alternative solution could be to always send multiple userauth requests when an ssh-rsa public key is used, corresponding to the three different hash algorithms SHA1, SHA-256 and SHA-512. |
|
Note that this can't be caught by tests right now since the server comes with RSA, ED25519 and ECDSA host keys. |
|
With this, all issues we have identified using SSHJ over at Password Store have now been fixed. |
|
Cool! I'll try to release a new version this week... There is one other PR I want to have a look at ;) |
Do you know whether you will get around to cut a release this week? Over at Password Store, we will have a release coming up the week after and it would help us to plan it if we knew whether SSHJ 0.30.0 will be available in time. |
|
Hi,
I'm offline this week for holidays ;) I'll work on it coming week.
Regards,
Jeroen
Op do 13 aug. 2020 om 10:42 schreef Fabian Henneke <notifications@github.com
…:
Cool! I'll try to release a new version this week... There is one other PR
I want to have a look at ;)
Do you know whether you will get around to cut a release this week? Over
at Password Store, we will have a release coming up the week after and it
would help us to plan it if we knew whether SSHJ 0.30.0 will be available
in time.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#600 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4XI2MAHO6BQVRSEUPQIDSAORP7ANCNFSM4N6APDFA>
.
|
|
Thanks for the info (and the work on sshj in general), enjoy your time off! |
|
v0.30.0 is released, I still need to update the Release notes, but wanted
to let you know.
Op vr 14 aug. 2020 om 12:40 schreef Fabian Henneke <notifications@github.com
…:
Thanks for the info (and the work on sshj in general), enjoy your time off!
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#600 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA4XI6GIBVWEXOPWMPYS5TSAUIC7ANCNFSM4N6APDFA>
.
|
|
Thanks for the heads-up! |
Since 9671352, it seems that public key authentication can only succeed if the key type is also a host key type supported by the server.
I believe that the root cause of this is 9671352#diff-521b24d9ed9094555c19f59ffa14e862R235-R239, where the "signature algorithms" (i.e.
server_host_key_algorithmsper the SSH spec) are used to populate the factory that is later used to send and sign with public keys.I would think that that the list of
KeyAlgorithmfactories should rather be populated directly from the config as it does not require negotiation with the server.KeyedAuthMethod.javawould then need to be changed to use those factories instead of askingTransportfor them.The text was updated successfully, but these errors were encountered: