[sshd] Distinguish key type and signature algorithm for host key
Since the introduction of the rsa-sha2-512 and rsa-sha2-256 signature types, the key type for RSA is no longer automatically the signature algorithm. We re-order the list for the host key proposal such that keys we already have are preferred; this minimizes warnings about new host keys. When doing so, put all of rsa-sha2-512, rsa-sha2-256, and ssh-rsa at the front, in that order, not just ssh-rsa. This ensures that we do prefer RSA keys if we already have an RSA host key, but at the same time we still prefer the stronger signature algorithms over the weaker and deprecated SHA1-based ssh-rsa signature. It also helps avoid a bug found in some GitHub versions where the GitHub SSH server uses an rsa-sha2-512 signature even though ssh-rsa was negotiated.[1] [1] https://www.eclipse.org/forums/index.php/t/1108282/ Bug: 574635 Change-Id: I0a49dcfa0c2c93f23118c983cd0bc9e5a467d886 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
parent
27a1fa1872
commit
4c5c3e9fb8
|
@ -47,6 +47,7 @@
|
|||
import org.apache.sshd.common.kex.KeyExchangeFactory;
|
||||
import org.apache.sshd.common.kex.extension.KexExtensionHandler;
|
||||
import org.apache.sshd.common.kex.extension.KexExtensions;
|
||||
import org.apache.sshd.common.keyprovider.KeyPairProvider;
|
||||
import org.apache.sshd.common.signature.BuiltinSignatures;
|
||||
import org.apache.sshd.common.kex.extension.KexExtensionHandler.AvailabilityPhase;
|
||||
import org.apache.sshd.common.util.Readable;
|
||||
|
@ -291,6 +292,11 @@ protected String resolveAvailableSignaturesProposal(
|
|||
if (key != null) {
|
||||
String keyType = KeyUtils.getKeyType(key);
|
||||
if (keyType != null) {
|
||||
if (KeyPairProvider.SSH_RSA.equals(keyType)) {
|
||||
// Add all available signatures for ssh-rsa.
|
||||
reordered.add(KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS);
|
||||
reordered.add(KeyUtils.RSA_SHA256_KEY_TYPE_ALIAS);
|
||||
}
|
||||
reordered.add(keyType);
|
||||
}
|
||||
}
|
||||
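Review bot: The two rsa-sha2-* names added at `reordered.add(KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS)` and `reordered.add(KeyUtils.RSA_SHA256_KEY_TYPE_ALIAS)` are pushed unconditionally, whereas the method name `resolveAvailableSignaturesProposal` suggests the result must reflect the signature factories actually configured; the rest of the method lies outside this hunk, so I cannot see whether `reordered` is later intersected with that set. If it is not, the proposal can advertise rsa-sha2-512/256 the client has no verifier for, and a known RSA host key will keep `ssh-rsa` in the proposal even when an administrator has removed the SHA-1 signature from the factories, so that filtering should be confirmed or the adds guarded with a contains-check against the available set. With several known RSA host keys the same three names are also appended once per key, which is harmless only if a later step de-duplicates. The comment `// Add all available signatures for ssh-rsa.` overstates what these lines do; I would write `// An RSA key can sign with rsa-sha2-512, rsa-sha2-256 or the deprecated SHA-1 ssh-rsa; list the SHA-2 variants first, strongest first.`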
|
|