I'm using Apache sshd's ssh client. Whenever I establish a connection to the destination ssh server, I see this in the logs. The connection works, but is there something wrong? How can I fix it?
The exception looks like:
(SshException) to process: EdDSA provider not supported
How to fix
To fix the problem add a dependency net.i2p.crypto:eddsa. Bouncy castle does not provide the implementation of EdDSA. For example in maven add this dependency:
<dependency>
<groupId>net.i2p.crypto</groupId>
<artifactId>eddsa</artifactId>
<version>0.3.0</version>
</dependency>
Impact of not fixing
If you don't fix this, then you will not be able to validate the host keys. My testing was not impacted because I was not validating the host keys yet. However, once deployed to production, I would have been impacted because host keys must be validated.
Details
In the Apache mina-sshd source code, the class SecurityUtils reveals the problem. That class hardcodes the provider for EdDSA to EdDSASecurityProviderRegistrar :
public static final List<String> DEFAULT_SECURITY_PROVIDER_REGISTRARS = Collections.unmodifiableList(
Arrays.asList(
"org.apache.sshd.common.util.security.bouncycastle.BouncyCastleSecurityProviderRegistrar",
"org.apache.sshd.common.util.security.eddsa.EdDSASecurityProviderRegistrar"));
Looking through EdDSASecurityProviderRegistrar you see that it expects the class net.i2p.crypto.eddsa.EdDSAKey to exist:
@Override
public boolean isSupported() {
Boolean supported;
synchronized (supportHolder) {
supported = supportHolder.get();
if (supported != null) {
return supported.booleanValue();
}
ClassLoader cl = ThreadUtils.resolveDefaultClassLoader(getClass());
supported = ReflectionUtils.isClassAvailable(cl, "net.i2p.crypto.eddsa.EdDSAKey");
supportHolder.set(supported);
}
return supported.booleanValue();
}
A quick google search and you'll see that net.i2p.crypto.eddsa.EdDSAKey is provided by the library net.i2p.crypto:eddsa.