From b632a9ce0f0f64923e10f2795e3f3abf68a75e5e Mon Sep 17 00:00:00 2001
From: DRC
Date: Tue, 15 Oct 2024 17:10:56 -0400
Subject: [PATCH] JSch: Fix detection of supported RSA sig schemes

KeyExchange.guess() only returns the first server/client match for each category, and the client algorithms are taken from the HostKeyAlgorithms OpenSSH config file keyword rather than the PubkeyAcceptedAlgorithms keyword. Thus, fd34df2ca25f99288f0569511b68f107c289e7b1 effectively made it so that an RSA signature scheme could only be used if it was the first server-supported algorithm listed with the HostKeyAlgorithms keyword. Instead, set Session.supportedRSAMethods to the list of RSA signature schemes that the server supports, and attempt to use the first one of those algorithms that is specified with PubkeyAcceptedAlgorithms. This fulfills the intent of fd34df2ca25f99288f0569511b68f107c289e7b1 and emulates the behavior of OpenSSH.
---
 ChangeLog.md | 5 +++++
 java/com/jcraft/jsch/KeyExchange.java | 17 +++++++++++++++--
 java/com/jcraft/jsch/Session.java | 7 +------
 java/com/jcraft/jsch/UserAuthPublicKey.java | 17 +++++++----------
 4 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 2eb4dbb44..d975706ba 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -20,6 +20,11 @@ advertises support for the pseudo-encoding. (The next major release of the TurboVNC Server will forego using the extension unless the VNC viewer advertises support for it.)
+5. Fixed an issue in the TurboVNC Viewer's built-in SSH client whereby the
+`ssh-rsa` and `rsa-sha2-512` signature schemes could not be used unless they
+were specified as the first argument for the `HostKeyAlgorithms` OpenSSH config
+file keyword or the server did not support `rsa-sha2-256`.
+
 3.1.2
 =====
diff --git a/java/com/jcraft/jsch/KeyExchange.java b/java/com/jcraft/jsch/KeyExchange.java
index 6334ef8df..9062f8d14 100644
--- a/java/com/jcraft/jsch/KeyExchange.java
+++ b/java/com/jcraft/jsch/KeyExchange.java
@@ -1,7 +1,7 @@
 /* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
 /*
 Copyright (c) 2002-2018 ymnk, JCraft,Inc. All rights reserved.
-Copyright (c) 2018 D. R. Commander. All rights reserved.
+Copyright (c) 2018, 2024 D. R. Commander. All rights reserved.
 Copyright (c) 2020 Jeremy Norris. All rights reserved.
 Redistribution and use in source and binary forms, with or without
@@ -31,6 +31,8 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 package com.jcraft.jsch;
+import java.util.Vector;
+
 public abstract class KeyExchange{
 static final int PROPOSAL_KEX_ALGS=0;
@@ -91,7 +93,7 @@ public String getKeyAlgorithName() {
 return key_alg_name;
 }
- protected static String[] guess(byte[]I_S, byte[]I_C){
+ protected static String[] guess(Session session, byte[]I_S, byte[]I_C){
 String[] guess=new String[PROPOSAL_MAX];
 Buffer sb=new Buffer(I_S); sb.setOffSet(17);
 Buffer cb=new Buffer(I_C); cb.setOffSet(17);
@@ -115,6 +117,17 @@ protected static String[] guess(byte[]I_S, byte[]I_C){
 int j=0;
 int k=0;
+ if(i==PROPOSAL_SERVER_HOST_KEY_ALGS) {
+ String smethods=new String(sp);
+
+ if(smethods.matches("(^|.*,)ssh-rsa(,.*|$)"))
+ session.supportedRSAMethods.addElement("ssh-rsa");
+ if(smethods.matches("(^|.*,)rsa-sha2-256(,.*|$)"))
+ session.supportedRSAMethods.addElement("rsa-sha2-256");
+ if(smethods.matches("(^|.*,)rsa-sha2-512(,.*|$)"))
+ session.supportedRSAMethods.addElement("rsa-sha2-512");
+ }
+
 loop: while(j0){ for(int j=0; j
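Review bot: The block added under `if(i==PROPOSAL_SERVER_HOST_KEY_ALGS)` only ever appends to `session.supportedRSAMethods`; nothing visible resets it, so if `guess()` runs again on the same `Session` for a re-key, the list would gather duplicates and keep schemes from the earlier KEXINIT. Per the commit message this list selects the RSA signature scheme used for public-key authentication (SHA-1 `ssh-rsa` included), so it should reflect only the current exchange: assuming the field is a `java.util.Vector`, as `addElement` suggests, begin the block with `session.supportedRSAMethods.removeAllElements();`. `new String(sp)` decodes the server-supplied name list with the platform default charset; `new String(sp, java.nio.charset.StandardCharsets.US_ASCII)` keeps the regex match independent of JVM settings. The new `Session` parameter also turns a previously side-effect-free static method into one that writes session state from a peer message, which is worth a short comment above `guess()`; its body continues past the visible part of the hunk.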