-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing KexAlgorithms +diffie-hellman-group1-sha1 #37
Comments
I don't know, whether I got your question right. You could use openssh config file, and you can try:
so whatever is configured there, should be used for the session to connect. Hardcoded would be:
|
what I am using with success:
// Add back the old diffie-hellman-group1-sh1 support for old
// dropbear nodes.
String kex_str = session.getConfig( "kex" );
kex_str = "diffie-hellman-group1-sha1," + kex_str;
session.setConfig( "kex", kex_str );
|
On 3/24/21 1:42 PM, Matthias Wiedemann wrote:
Hardcoded would be:
|Session session = Jsch.getSession(username, host) session.setConfig("kex", "diffie-hellman-group1-sha1"); |
Matthias,
You da man!
|
Matthias, (That for loop is ugly, even when I single step it with IntelliJ it is not clear. I would have used Strings not byte array segments, and it is not commented. Strings are being created for the equals(), it would have been better to create them earlier so a debugger could see them. ) Something else got broken when the "diffie-hellman-group1-sha1" algorithm got removed from the original code, and I simply must have this working, even if I have to switch back to the sschlib AGAIN. |
I tested the following: I took a very old dropbear server Trying to connect with local openssh: it works. now with this jsch fork: final String kex= "diffie-hellman-group1-sha1";
final JSch ssh = new JSch();
final Session session = ssh.getSession("test", "localhost", 22001);
session.setPassword("test");
session.setConfig("StrictHostKeyChecking", "no");
session.setConfig("kex", kex);
session.connect();
System.out.println(session.isConnected());
session.disconnect(); Log:
With more recent versions of dropbear it does not work, it only supports |
Thank you Matthias for that time. |
Would you be able to capture internal logging output from JSch? |
I debugged a connection to dropbear 0.50 So it cannot find a matching one. What you can do is, allowing session.setConfig("cipher.c2s","aes128-cbc");
session.setConfig("cipher.s2c","aes128-cbc"); into your code. I agree that the original code is hard to handle and the error is not leading to the error detail. |
Thanks Matthias. Question: since I have to simultaneously support ssh connections to both drop bear 0.5 and modern open-ssh-server on debian bulls-eye, and do so without knowing in advance what type of box it is, I need something which is additive to the configuration, not a replacement of the configuration. Otherwise I might end up being able to talk to only dropbear 0.50 and not also open-ssh-server. Can this preparation be done additively some how? session.setConfig("cipher.c2s","aes128-cbc"); |
"I agree that the original code is hard to handle and the error is not leading to the error detail." Yes, it is a total mess. This is not performance critical code, since it only executes once in a session. I would: a) use strings not byte array segments, and b) separate each match goal into its own loop, so it is clear what the goal is in any match loop, with comments. I used StringTokenizer to separate on commas, but then learned that for back to back commas or back to back string separators in general, StringTokenizer does not return a blank string. It eats back to back separators, so this has to be scrutinized anew. |
What about
|
session.setConfig("cipher.c2s","aes128-cbc");
session.setConfig("cipher.s2c","aes128-cbc");
That should work. Thank you very much Matthias. I will try this in the next several days.
Dick
|
session.setConfig("cipher.c2s", session.getConfig("cipher.c2s") + ",aes128-cbc"); I tried it and it works. So I plan on distributing with your library. I hope some movement can be made on adding support for IPv6 in the next year? Dick |
Closing issue as problem can be solved by configuration. |
I am getting the below error while connecting to other server using JSch, This Jenkins job started failing all of sudden due to the below error, ----------Error------------------ |
I have a Java project which uses the jsch classes. I tried your repo, but had to switch back to sschlib because it supported this:
KexAlgorithms +diffie-hellman-group1-sha1
requirement in my thousands of remote nodes running older dropbear all over the world. They are not upgradeable. I tried unsuccessfully to add support for that KexAlgorithm back into your library. So the path of least resistance was to switch back to something that works: sschlib. It is not an option to upgrade these little servers.
I can connect to these boxes fine using command line ssh on modern linux if I add the above statement to file: ~/.ssh/config.
Is there a simple trick to support this when creating the JSch class instance by modifying the config records without modifying the library source? Nothing I tried along that pathway worked after a full day of trying.
The text was updated successfully, but these errors were encountered: