https://bugs.kde.org/show_bug.cgi?id=443155

Brian <bcej...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---
                 CC|                            |bcej...@gmail.com

--- Comment #25 from Brian <bcej...@gmail.com> ---
From the comments above, the root cause of the issue is in the KDE Connect
Android app which bundles an obsolete version of a library, sshd-core 0.14.0,
which in turn offers only one insecure signature algorithm -- "ssh-rsa". Many
desktop environments depend on OpenSSH, which has (2 years ago) since dropped
default support for "ssh-rsa" -- thus, desktop apps (like KDEConnect-Desktop
and GSConnect) will fail to establish SSH/SFTP sessions with KDE Connect
Android.

The current workaround has been to quietly enable the use of "ssh-rsa" in the
KDE Connect Desktop app:
https://invent.kde.org/network/kdeconnect-kde/commit/204207f2e66e87e7696ff1c98d70ce41b3e2d396

But this is problematic:

* It obviously enables a known insecure algorithm, as mentioned earlier.
Personally, I don't consider this a huge deal, given the tradeoff is to greatly
increase user-coverage, for the meantime till ssh-rsa recedes into history. The
real problem is ...

* There seem to be a few separate desktop apps which implement the KDEConnect
protocol, whereas there is only one KDEConnect Android app of note. **Not all
desktop apps will have the same easy control over SSH config as KDEConnect
Desktop**, thus they cannot enable "ssh-rsa" at will -- GSConnect, for
instance. 

So this issue should ideally be fixed in KDEConnect Android, not just because
it is the source of the issue, but also because the alternative workaround is
not feasibly implementable in all desktop apps.
