Closed stasal closed 9 months ago
On the client side, it should indeed ignore unknown key types (and not do anything if it cannot deal with any of the keys).
On the server side, it should fail if it ever gets a key that it cannot handle. And it probably should even check that all the keys it gets in that request are keys the server proposed before. Otherwise some malicious or broken client is sending challenges for keys the server never proposed.
Seeing this as well. The EdDSA provider from net.i2p.crypto:eddsa is extremely out of date, and doesn't work on newer versions of Java, as it uses removed internal API's. Removing that dependency causes any client connection to our host to log this error. Posting so I can be updated if/when a fix is pushed.
Version
2.9.2
Bug description
When receiving
hostkeys-00@openssh.com
request, client by default usesorg.apache.sshd.client.global.OpenSshHostKeysHandler
to process it. This handler'shandleHostKeys
method does nothing but logging keys when debug is enabled.But there is no exception handling in parent
org.apache.sshd.common.global.org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler
class.Therefore if the host sends two keys (one RSA and one EdDSA for example), but the client only supports RSA, the exception is being propagated from the
org.apache.sshd.common.global.AbstractOpenSshHostKeysHandler#process
method and the host's request is processed as failed and the WARN message is generated in logs.Actual behavior
Example:
WARN 40340 --- []-nio2-thread-3] o.a.s.c.session.ClientConnectionService : globalRequest(ClientConnectionService[ClientSessionImpl[test@localhost/127.0.0.1:2222]])[hostkeys-00@openssh.com, want-reply=false] failed (SshException) to process: EdDSA provider not supported
Expected behavior
No warns are logged, and only the supported keys are handled by
org.apache.sshd.client.global.OpenSshHostKeysHandler#handleHostKeys
Relevant log output
Other information
No response