mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alon Bar-Lev <alon.bar...@gmail.com>
Subject Selecting a specific KEX signature at client for server key
Date Thu, 17 Dec 2015 16:19:07 GMT
Hello,

I have a challenge...

Let's assume I need to securely reconnect to a server, for that purpose I
store its public key. Every time I connect to this server I compare the
public key accepted by ServerKeyVerifier with the public key that is
approved.

This works perfectly and securely, well, until server adds a stronger
algorithm/public key, for example, a server with ssh-rsa key adds
ecdsa-sha2-nistp256 one.

In this case KEX selects the stronger one, causing client to reject the
server as  public key differs.

I found a solution to this problem is to limit the signature algorithms
based on the public key type. We know the public key, so we can limit the
KEX to use only this type of signature, for example, assuming the approved
key is ssh-rsa we can:


client.setSignatureFactories(Collections.singletonList(BuiltinSignatures.rsa))

Now, even if the server has ecdsa-sha2-nistp256 key, the client will only
receive the ssh-rsa key.

This works find as long as password authentication is used.

However, as the signature factory is common to both client and server KEX,
this will not work in all cases for public key authentication, as the
factory must contain the union of both, for example:

 server has both ssh-rsa and ecdsa-sha2-nistp256 keys.
 client caches the ssh-rsa.
 client key is ecdsa-sha2-nistp256.
 client must enable both rsa and nistp256 signatures for KEX to succeed.
 server key will be ecdsa-sha2-nistp256 as it is the strongest among
ssh-rsa and ecdsa-sha2-nistp256.

Keep in mind that my understanding of the code is limited, I reviewed the
session callbacks, but from what I do understand there is no way to
separate KEX algorithms of server from these of client, as both are in the
same base class KexFactoryManager.

If I understand correctly, a solution could be implemented by having two
signature factories, one for client side and one for server side, or have a
filter for client and server, to enable forcing a specific set of algorithm
for each side.

Maybe I mis-read the code and there is an option of forcing server to use a
specific key differently.

Any clue?

Thanks,
Alon Bar-Lev.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message