Source From Here
Question
We have one of our Windows servers set up as an sFTP server using Cygwin and OpenSSH, and our Java-based client application uses the JSch library to communicate with it. Recently we upgraded Cygwin, and since then the client application has been getting connection errors:
I enabled debug logging; the debug log is:
- Remote version string: SSH-2.0-OpenSSH_6.7
- Local version string: SSH-2.0-JSCH-0.1.51
- CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
- aes256-cbc is not available.
- aes192-cbc is not available.
- CheckKexes: diffie-hellman-group14-sha1
- diffie-hellman-group14-sha1 is not available.
- SSH_MSG_KEXINIT sent
- SSH_MSG_KEXINIT received
- kex: server: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
- kex: server: ssh-rsa,ssh-dss
- kex: server: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- kex: server: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
- kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
- kex: server: none,zlib@openssh.com
- kex: server: none,zlib@openssh.com
- kex: server:
- kex: server:
- kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
- kex: client: ssh-rsa,ssh-dss
- kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
- kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
- kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
- kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
- kex: client: none
- kex: client: none
- kex: client:
- kex: client:
- Disconnecting from 10.30.194.91 port 22
- com.jcraft.jsch.JSchException: Algorithm negotiation fail
- at com.jcraft.jsch.Session.receive_kexinit(Session.java:583)
- at com.jcraft.jsch.Session.connect(Session.java:320)
- at com.jcraft.jsch.Session.connect(Session.java:183)
- at org.pfl.sftp.JschWrapper.transferFile(JschWrapper.java:36)
Server Kex Algorithms (from the first kex: server: line above)
- curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Client Kex Algorithms (from the first kex: client: line above)
- diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
But it was working earlier, and there has been no change on the client side. So we looked at the Cygwin installation again and found that the older Cygwin had been installed with OpenSSH 5.1, while the new one ships OpenSSH 6.7: the server support team upgraded OpenSSH along with Cygwin. There was no explicit KexAlgorithms entry in sshd_config, so OpenSSH was using its default list of KexAlgorithms.
Default KexAlgorithms for OpenSSH 5.1
Default KexAlgorithms for OpenSSH 6.7 (the list the server advertised above, since nothing in sshd_config overrides it)
- curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
The algorithms the client supports (diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1) are no longer part of the OpenSSH 6.7 default list.
Solution
Adding diffie-hellman-group1-sha1 and/or diffie-hellman-group-exchange-sha1 to the OpenSSH 6.7 KexAlgorithms list resolves the issue. Follow these steps:
1. Open /etc/sshd_config
2. Add the following at the end of the file
- KexAlgorithms diffie-hellman-group1-sha1
3. Save the file and restart the sshd service.
I added diffie-hellman-group1-sha1, but you can add either one, or all of the algorithms the client supports. This setting overrides the default list, so if you want your algorithm in addition to the defaults, include the default list as well, as shown below:
- KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
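One way to see exactly which of the KEXINIT name-lists failed, and what a given KexAlgorithms line would change, is to replay the negotiation rule of RFC 4253 over the kex: server: / kex: client: lines of the log. The script below is an added example, not code from the post, from JSch or from OpenSSH; the log text is copied from the post, the two override lines are the ones proposed above, and all function names are this example's own.

```python
"""
Replay the SSH_MSG_KEXINIT negotiation (RFC 4253 section 7.1) over the
'kex: server:' / 'kex: client:' lines of a JSch debug log, then test what a
proposed sshd_config KexAlgorithms line changes and whether it re-enables a
weak key-exchange method. Added example: not code from the post, JSch or
OpenSSH. Log text copied from the post; function names are this example's own.
"""
import re

# KEXINIT name-lists in wire order, which is also the order JSch prints them.
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# 1024-bit group or SHA-1 group exchange: re-enabling these server-side is a downgrade.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

# Sample input, constructed from the post's log so the example runs offline
# (the two empty language lists are omitted; they are treated as empty).
JSCH_LOG = """\
- kex: server: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
- kex: server: ssh-rsa,ssh-dss
- kex: server: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- kex: server: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
- kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
- kex: server: none,zlib@openssh.com
- kex: server: none,zlib@openssh.com
- kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
- kex: client: ssh-rsa,ssh-dss
- kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
- kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
- kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
- kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
- kex: client: none
- kex: client: none
"""

# The two sshd_config lines the post proposes.
OVERRIDE_MINIMAL = "KexAlgorithms diffie-hellman-group1-sha1"
OVERRIDE_WITH_DEFAULTS = (
    "KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1")
# Accepts the raw JSch line or the dash-prefixed form seen in the post.
KEX_LINE = re.compile(r"^-?\s*kex:\s*(server|client):\s*(.*)$")


def parse_jsch_kexinit(log):
    """{'server': [one list per field], 'client': [one list per field]} from the log."""
    proposals = {"server": [], "client": []}
    for line in log.splitlines():
        m = KEX_LINE.match(line.strip())
        if m:
            side, names = m.groups()
            proposals[side].append([n for n in names.split(",") if n])
    return proposals


def negotiate(client_list, server_list):
    """RFC 4253 rule: the first client name the server also lists, else None
    (the host-key capability clause for kex methods is not modelled)."""
    server_set = set(server_list)
    return next((n for n in client_list if n in server_set), None)


def negotiate_all(proposals):
    """Apply the rule to every field; a side that omitted a field proposes nothing."""
    chosen = {}
    for i, field in enumerate(FIELDS):
        client = proposals["client"][i] if i < len(proposals["client"]) else []
        server = proposals["server"][i] if i < len(proposals["server"]) else []
        chosen[field] = negotiate(client, server)
    return chosen


def failing_fields(proposals):
    """Fields with no common algorithm; empty language lists are legal, so they never fail."""
    chosen = negotiate_all(proposals)
    return [f for f in FIELDS if chosen[f] is None and not f.startswith("lang")]


def parse_kexalgorithms(config_line):
    """Names from an sshd_config 'KexAlgorithms a,b,c' line."""
    key, _, value = config_line.strip().partition(" ")
    if key.lower() != "kexalgorithms":
        raise ValueError("expected a KexAlgorithms line, got: %r" % config_line)
    return [n for n in value.strip().split(",") if n]


def apply_kex_override(proposals, config_line):
    """Copy of the proposals with the server's kex list replaced by the config line."""
    new = {side: [lst[:] for lst in lists] for side, lists in proposals.items()}
    new["server"][0] = parse_kexalgorithms(config_line)
    return new


def weak_kex_enabled(proposals):
    """Weak kex methods the server would offer, sorted."""
    return sorted(WEAK_KEX & set(proposals["server"][0]))


if __name__ == "__main__":
    before = parse_jsch_kexinit(JSCH_LOG)
    print("fields with no common algorithm:", failing_fields(before))
    for line in (OVERRIDE_MINIMAL, OVERRIDE_WITH_DEFAULTS):
        after = apply_kex_override(before, line)
        print("kex ->", negotiate_all(after)["kex"], "| weak enabled:", weak_kex_enabled(after))
```

The replay confirms that only the kex list had no intersection (host key, cipher, MAC and compression all negotiate), and that with either override the client selects diffie-hellman-group1-sha1, which the script flags because it uses a 1024-bit group. The same log also shows JSch probing diffie-hellman-group14-sha1 and reporting it unavailable; that 2048-bit method is already in the OpenSSH 6.7 default list, so a client runtime whose DH implementation supports 2048-bit keys would connect without the server re-enabling a weaker group.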