-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for optional fallback to ssh-rsa public key algorithm in case target server doesn't support "server-sig-algs" extension #262
Comments
I'm afraid it won't. The problem (or sort of) lies in com.jcraft.jsch.UserAuthPublicKey class.
I'm quite sure it will also occur in latest library version, even though i physically checked it only with 0.1.72. According to the diffs, there were no notable changes in the logic in this class between those versions. I'll double-check the bahaviour on monday. I'm 100% sure i had ssh-rsa enabled, which is also the default in 0.1.72. In fact, the only workaround i've found was explicitly disabling rsa-sha2-512 and rsa-sha2-256 in config. Then it works like a charm, but the solution is less then ideal, since i'd have to restore algorithms manually if the client upgrades his server |
Hi @jgolda, We're unlikely to approve anything that would automagically re-add ssh-rsa, since RSA/SHA1 is insecure. Can you enable logging in JSch and send over all the logging output? That may help us to better understand what is causing an issue for you. Thanks, |
If you're not planning to approve such fix, even though it's suggested in RFC as a way of supporting legacy servers, then this issue can be closed. I'll work around the problem on application side, it shouldn't be a big deal, just thought that a fix in library might be beneficial to other users. I think the logs won't tell you much more than the scenario in my previous comment, since the server behaves in an odd way - as if it was written with assumption that ssh-rsa is and will be the only supported algorithm, even thought the original RFC states differently. If you still need it, i'll post it on monday. If not, feel free to close this issue. Thank you for your time :) |
Hi @jgolda, When you cited RFC 8332 section 3.3, you left out the following important sentence:
RSA/SHA1 is widely considered to be cryptographically insecure now, so we're unlikely to be convinced to reenable it by default. Additionally, JSch isn't the only SSH client that doesn't enable ssh-rsa by default either: OpenSSH has disabled it by default for awhile as well. That said, I'm not sure I fully grasp what the issue you are seeing is, which is why I asked if you could provide a copy of the JSch logs, so that I could perhaps better understand and determine if there are any other alternative workarounds that could be implemented (or if there is perhaps even some other latent bug in JSch that is triggering the issue you are seeing). Thanks, |
Sure, i get your point about security and agree with it. I'd also rather work with servers which are up to date and implement the RFCs fully and correctly, but unfortunatelly it's not always the case |
Connection log: I think it's worth noticing, that the target server doesn't send SSH_MSG_EXT_INFO |
Hi @jgolda, Is this the literal remote version string the server sent, or did you mask it?
I also find it odd that the server seemed to support
Thanks, |
Nope, the remote_server_name is a replacement for the actual name. I had to replace it, since the name was nothing i could google, and giving it out might identify our client. The second part is the thing i was trying to get through in every comment from the very beginning. I'm quite sure the server doesn't support anything except ssh-rsa and even worse, i think it doesn't support negotiation of the algorithm. It's possible that the server was implemented in the stone age, when there was nothing except ssh-rsa, even far away on the horizon. I guess the implementors simply skipped the part which determines if the server supports some algorithm and hardcoded a preauth succes, because... "Come on, why would anyone need anything better then ssh-rsa?" :D It could explain such weird behaviour and it also matches the RFC description of a legacy server's behaviour i cited in the original post. I wasn't actually talking about implicit restoring of ssh-rsa, rather than falling back to it in case this feature (fallback) is enabled in config and the target server doesn't send the SSH_MSG_EXT_INFO (or server-sig-algs, which is inside), which could indicate that it doesn't support anything except ssh-rsa and negotiation might fail. Sorry if i didn't make it clear enough. Best regards, |
Can you provide any sort of details as to what type of server software you are dealing with?
Well, we know that the server supports
That sort of behavior would seem to violate RFC 8308 section 3.1's definition of the
Additionally, RFC 8332 section 3.3 only states a server
|
Frankly i don't even know it myself, since i don't recognise the name and it doesn't show up in google. It might be proprietary or custom.
I believe i provided all RFC backup to support my point of view in the original post. If you disagree, please close this issue. I'm already working around this problem on the application side, so it's not a big deal for me |
Hi @jgolda, Would you be able to test a build from my PR #264 from the below location and see if it works for you if when you don't hardcode JSch to only accept https://github.com/mwiede/jsch/suites/10561053626/artifacts/525493489 This PR has the following change applied that may help address the issue you have with this server:
Another user reported a server that behaves similarly to yours in #271. Thanks, |
Sorry for the delay, i thought you rejected this issue and i missed the email notification. It still doesn't work with 0.2.7, this time the server rejects the second attempt with public key and disconnects. I could work around it by setting the "enable_pubkey_auth_query", but i cannot do this on a per client basis in my app for now, so i stick with setting of ssh-rsa algorithm - i have it handled already on application side. I don't really need this feature anymore Log: And the exception thrown: |
Hello,
I'm using your implemetation of JSch in a project done at the company i work for. After upgrading from 0.1.55 to 0.1.72 i faced problems with an SFTP server, which doesn't support server-sig-algs extension and most likely doesn't support rsa-sha2-256 or rsa-sha2-512 as well. Most likely it's legacy AF and should be updated or replaced, but the company's client still uses it and it might not be possible to persuade him to move to anything else.
Unfortunatelly this server also fails to correctly follow the public key authentication flow as described in RFC 4252 section 7. It responds to initial SSH_MSG_USERAUTH_REQUEST containing one of the above algorithms with SSH_MSG_USERAUTH_PK_OK, but then it returns SSH_MSG_USERAUTH_FAILURE in response to the second one, resulting with authentication failure.
It sounds quite incorrect given the requirements specified in RFC. On the other hand, this behaviour is also described in RFC 8332, section 3.3:
"Implementation experience has shown that there are servers that apply
authentication penalties to clients attempting public key algorithms
that the SSH server does not support.
(...)
When authenticating with an RSA key against a server that does not
implement the "server-sig-algs" extension, clients MAY default to an
"ssh-rsa" signature to avoid authentication penalties."
I need to handle it this way or another so I'm thinking about contributing this feature to JSch if you consider that it's worth introducing to the project. It sounds quite doable. If not, i'll have to work around it in some other way in the application space.
Please let me know of your thoughts on this.
Best regards,
Jacek
@edit: fixed version numbers in the second sentence
The text was updated successfully, but these errors were encountered: