Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.8.0
-
None
Description
when using mina as an ssh client to connect to an open ssh server the host key algorithm that is negotiated on the initial connection can have a different algorithm than the one used in a rekey.
This causes an issue as connections can be terminated if the initial host key type is in the known hosts, (say ecdsa) but the subsequent on (rsa) is not.
once connected the same host key algorithm should be used in any subsequent re-key events.
(see log attached from SSHD)
Note: this is easyish to see by setting opensshd server config `RekeyLimit default 10` which will cause a rekey after 10 seconds on a data event.
e.g.
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth] debug1: kex: host key algorithm: rsa-sha2-512
shows the flop from an agreed exchange of ecdsa-sha2-nistp256 to rsa-sha2-512
the end result is that if the rsa key is not known then the connection is killed
o.a.s.c.k.KnownHostsServerKeyVerifier#acceptModifiedServerKey: acceptModifiedServerKey(ClientSessionImpl[jenkins@localhost/127.0.0.1:22]) mismatched keys presented by localhost/127.0.0.1:22 for entry=localhost ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNZDNvKiE7VBVWziZUlICIpIEMhVy0nL3y2hHYRQGMOaWWPajP86ucgwgeXAWmJOxr4bqMtC9tF0vC1W2l8wYPM=: expected=ecdsa-sha2-nistp256-SHA256:x5TMcz4T6ggPxxSbx6gfTzk8US6CLuxgmqXNXedu+6w, actual=ssh-rsa-SHA256:W60YQsFuMkHf0flHrJFR31lvyYm7Y6BkEMkqHUTOpZQ
