authorThomas Wolf <thomas.wolf@paranor.ch>2021-06-29 23:08:02 +0200
committerThomas Wolf <thomas.wolf@paranor.ch>2021-07-16 08:45:23 +0200
commit4c5c3e9fb8e6f11cee3245a4b374a96b9a4f0ee4 (patch)
tree61b1ee58ee83c3b7c412cd19ad52ca2e98b4253a
parent27a1fa1872da9d0da9147941aa6b372dee48cefb (diff)
downloadjgit-4c5c3e9fb8e6f11cee3245a4b374a96b9a4f0ee4.tar.gz
jgit-4c5c3e9fb8e6f11cee3245a4b374a96b9a4f0ee4.zip
[sshd] Distinguish key type and signature algorithm for host key
Since the introduction of the rsa-sha2-512 and rsa-sha2-256 signature types, the key type for RSA is no longer automatically the signature algorithm. We re-order the list for the host key proposal such that keys we already have are preferred; this minimizes warnings about new host keys. When doing so, put all of rsa-sha2-512, rsa-sha2-256, and ssh-rsa at the front, in that order, not just ssh-rsa. This ensures that we do prefer RSA keys if we already have an RSA host key, but at the same time we still prefer the stronger signature algorithms over the weaker and deprecated SHA1-based ssh-rsa signature. It also helps avoid a bug found in some Github versions where the Github SSH server uses a rsa-sha2-512 signature even though ssh-rsa was negotiated.[1] [1] https://www.eclipse.org/forums/index.php/t/1108282/ Bug: 574635 Change-Id: I0a49dcfa0c2c93f23118c983cd0bc9e5a467d886 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java6
1 files changed, 6 insertions, 0 deletions
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
index 066cec38ba..2133a29ccc 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
@@ -47,6 +47,7 @@ import org.apache.sshd.common.kex.KexProposalOption;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.kex.extension.KexExtensionHandler;
import org.apache.sshd.common.kex.extension.KexExtensions;
+import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.kex.extension.KexExtensionHandler.AvailabilityPhase;
import org.apache.sshd.common.util.Readable;
@@ -291,6 +292,11 @@ public class JGitClientSession extends ClientSessionImpl {
if (key != null) {
String keyType = KeyUtils.getKeyType(key);
if (keyType != null) {
+ if (KeyPairProvider.SSH_RSA.equals(keyType)) {
+ // Add all available signatures for ssh-rsa.
+ reordered.add(KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS);
+ reordered.add(KeyUtils.RSA_SHA256_KEY_TYPE_ALIAS);
+ }
reordered.add(keyType);
}
}
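Review bot: The two aliases at `reordered.add(KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS)` and the following line are inserted unconditionally whenever a known host key is ssh-rsa, without checking that rsa-sha2-512 and rsa-sha2-256 are part of the proposal being reordered; unless the code after the hunk intersects `reordered` with the original list, a configuration that deliberately excludes those algorithms would still advertise them, and a second known RSA key would insert them a second time unless `reordered` is a set. Guarding each add with a presence check against the list being reordered, e.g. `if (original.contains(KeyUtils.RSA_SHA512_KEY_TYPE_ALIAS))` where `original` stands for that list, would keep the reordering a pure permutation of the configured algorithms. The comment `// Add all available signatures for ssh-rsa.` also overstates what the code does, since it hardcodes exactly two aliases; `// Prefer the stronger rsa-sha2-* signature algorithms over the deprecated SHA-1 based ssh-rsa: since RFC 8332 the RSA key type no longer implies the signature algorithm (see Bug 574635).` would record the rationale from the commit message next to the code. The enclosing method starts and ends outside the hunk.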