hierynomus/sshj

Error while using `ed25519` for host key and `rsa` for authorization

Anddd7 opened this issue · 1 comment

Hello, I'm new here.

I use atmoz/sftp, which uses ssh-ed25519 to verify the host key and ssh-rsa to authorize the login user, to set up an SFTP server in Docker, and I try to use sshj to connect to it.

// Docker
docker run \
 -v /mydir/id_rsa.pub:/home/foo/.ssh/keys/id_rsa.pub:ro \
 -v /mydir/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key \
 -v /mydir/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key \
 -v /shared:/home/foo \
 -p 2222:22 \
 -d atmoz/sftp \
 foo::1001

I use the default config to connect, and it throws an error:

// Code
val ssh = SSHClient()
// Log
Can not connect remote server: Could not verify `ssh-rsa` host key with fingerprint `6d:4a:ab:ab:fe:4d:0d:6f:28:3a:d1:a7:a2:ef:8f:84` for `localhost` on port 2222

And my known_hosts is: [localhost]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICJvGoR2swFI20//fm5a2rXygz3rA4Vk9AggWOWdPwy3

I guess it uses the wrong algorithm, so I modified the order of the signature factories:

// Code
import net.schmizz.sshj.DefaultConfig
import net.schmizz.sshj.SSHClient
import net.schmizz.sshj.signature.SignatureDSA
import net.schmizz.sshj.signature.SignatureECDSA
import net.schmizz.sshj.signature.SignatureEdDSA
import net.schmizz.sshj.signature.SignatureRSA

val config = DefaultConfig()
// Order matters: the first client-side algorithm the server also supports is negotiated
config.setSignatureFactories(
    SignatureEdDSA.Factory(),    // it's the last one by default
    SignatureECDSA.Factory256(),
    SignatureECDSA.Factory384(),
    SignatureECDSA.Factory521(),
    SignatureRSA.Factory(),
    SignatureDSA.Factory()
)
val ssh = SSHClient(config)

Then it works.

I'm not sure this is the right solution. Can anyone help me to understand this?

You've given the SFTP server 2 keys (ssh-rsa and ssh-ed25519), but you've only trusted the ssh-ed25519 key in your known_hosts. The server and client, however, negotiate the SignatureRSA algorithm as that is higher up in the list. I'll reorder the list to ensure that the 'most secure' is on top.
Thanks!
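The negotiation the reply describes, as an added example (it is not sshj code and not part of the original thread): per RFC 4253 section 7.1 the host key algorithm chosen is the first entry on the client's list that the server also offers, independent of which key the client has in known_hosts. The model below reproduces the failure in the issue (ssh-rsa is negotiated while only ssh-ed25519 is trusted) and then shows the mitigation OpenSSH applies with HostKeyAlgorithms: algorithms already trusted for the target host are moved to the front of the client's list. The known_hosts line is the one from the issue; the server's advertised list and the client's "default" ordering are constructed approximations (the issue only states that EdDSA is last by default).

```python
"""Added example: model SSH host-key algorithm negotiation against known_hosts.

Not sshj code. Algorithm lists are constructed for illustration.
"""
from typing import Dict, List, Tuple

# known_hosts content taken from the issue (one trusted ed25519 key).
KNOWN_HOSTS = (
    "[localhost]:2222 ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAICJvGoR2swFI20//fm5a2rXygz3rA4Vk9AggWOWdPwy3\n"
)

# Constructed: the server in the issue has both an RSA and an ed25519 host key,
# so its KEXINIT advertises both algorithms.
SERVER_HOST_KEY_ALGS = ["ssh-rsa", "ssh-ed25519"]

# Constructed approximation of the client's default preference order described
# in the issue: EdDSA last, the rest in the order of the fixed list.
CLIENT_DEFAULT = [
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
]


def parse_known_hosts(text: str) -> Dict[str, List[str]]:
    """Map each host pattern to the key algorithms trusted for it.

    Only the host and algorithm fields are needed here; the key blob is kept
    out of the model because the negotiation never looks at it.
    """
    trusted: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry: host, algorithm and key are required
        hosts, alg = fields[0], fields[1]
        for host in hosts.split(","):
            trusted.setdefault(host, []).append(alg)
    return trusted


def negotiate(client_algs: List[str], server_algs: List[str]) -> str:
    """RFC 4253 7.1: first algorithm on the client's list the server supports."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    raise ValueError("no common host key algorithm")


def prefer_known(client_algs: List[str], trusted_for_host: List[str]) -> List[str]:
    """Move algorithms already trusted for this host to the front.

    Relative order within each group is preserved, so the fallback order for
    untrusted algorithms stays the client's own preference.
    """
    known = [a for a in client_algs if a in trusted_for_host]
    rest = [a for a in client_algs if a not in trusted_for_host]
    return known + rest


def connect_ok(client_algs: List[str], server_algs: List[str],
               known_hosts_text: str, host: str) -> Tuple[str, bool]:
    """Return (negotiated algorithm, whether a trusted key of that type exists)."""
    trusted = parse_known_hosts(known_hosts_text).get(host, [])
    alg = negotiate(client_algs, server_algs)
    return alg, alg in trusted


if __name__ == "__main__":
    host = "[localhost]:2222"
    print("default order:", connect_ok(CLIENT_DEFAULT, SERVER_HOST_KEY_ALGS, KNOWN_HOSTS, host))
    trusted = parse_known_hosts(KNOWN_HOSTS)[host]
    reordered = prefer_known(CLIENT_DEFAULT, trusted)
    print("known-first :", connect_ok(reordered, SERVER_HOST_KEY_ALGS, KNOWN_HOSTS, host))
```

The default ordering negotiates ssh-rsa, which has no known_hosts entry, so verification fails closed exactly as the log in the issue shows. Reordering so that a trusted algorithm comes first makes the connection verifiable without weakening anything: the same key that is already pinned is the one checked. Note that reordering alone does not make an unknown key trusted; a host offering only ssh-rsa would still fail verification, which is the desired behaviour.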