How to read the Jsch log files #103

Closed
uffeweil opened this issue Dec 14, 2021 · 10 comments

Comments

@uffeweil

Hi!
As some of the algorithms have been removed in newer versions of Jsch, some of our customers have been reporting troubles in connecting to their servers when upgrading our product (DbVisualizer including upgraded Jsch).

I have seen the system properties (e.g. jsch.kex) that exist to be able to restore old connection capabilities.
Though I have not found any information on how to interpret the logs,
i.e., to be able to instruct our users to set the appropriate properties (or set values in the ssh config file).

The specific case I'm struggling with now is a user running Java 11.0.11 and is getting
com.jcraft.jsch.JSchException: Algorithm negotiation fail
I have attached the log for reference.

LogJschSetup.txt

Any help would be highly appreciated

Regards Ulf

@mwiede
Owner

mwiede commented Dec 15, 2021

Hi @uffeweil
in your log I see entries +diffie-hellman-group1-sha1 and +ssh-dss, but Jsch does not implement the + and - like openssh does. That is why the kex guessing fails, because it does not find an algorithm name match including +.

Is this coming from an openssh config file? We should be able to implement this in com.jcraft.jsch.OpenSSHConfig.

You can try programmatically with JSch.setConfig("kex", "diffie-hellman-group-exchange-sha1"); or by config of system properties java ... -Djsch.kex=diffie-hellman-group-exchange-sha1. Compare with #37 and #40.

Kind regards
Matthias

@uffeweil
Author

Hi Matthias,
Thanks for the answer.

I will ask our user about this and ask our user to add -Djsch.kex=diffie-hellman-group-exchange-sha1 to the start of DbVisualizer.

Kind regards
Ulf

@uffeweil
Author

Hi @mwiede,

Our user just came back. -Djsch.kex=diffie-hellman-group-exchange-sha1 seems not to have helped.

Kind Regards
Ulf

@mwiede
Owner

mwiede commented Dec 21, 2021

Hi @uffeweil
sorry, I think I gave wrong advice.

The meaning of the log file lines with kex: server is what the server is offering as the list of algorithms for key exchange.
That means, if you set one algorithm via config, you replace the whole list of algorithms which the client offers.
But as I just checked, diffie-hellman-group-exchange-sha1 is not offered by the server, so there is no matching algorithm between client and server.
Please set jsch.kex to one of the offered algorithms, i.e. diffie-hellman-group14-sha256, then it should work.

Best
Matthias

@norrisjeremy
Contributor

@mwiede I wonder if we should expand the capabilities of the system properties to support similar syntax as you added for the OpenSSH config? That way users could append (+), prepend (^) or remove (-) algorithms via system properties?

@mwiede
Owner

mwiede commented Dec 21, 2021

@norrisjeremy of course we could do that 😄. On the other hand, the goal of most users should be, that they do not have to configure anything other than public key file and so on. So it should still be an exception, that users need to overwrite the default config, because of their legacy servers.

So I am asking myself whether it makes sense to invest some time on a wiki page which shows how to handle Jsch configuration and recommends how to do it. From my point of view, this should be something like

  1. use openssh .ssh/config file
  2. config programmatically
  3. java system properties
  4. ... or even environment variables? (not implemented yet)
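To make the two points above concrete (the "kex: server" lines are the server's offer, a single-name config replaces the whole client list, and a literal "+name" can never match, as explained in the Dec 15 and Dec 21 comments; and the OpenSSH +/^/- prefix semantics norrisjeremy refers to), here is an added example written for this thread. It is not JSch code. It parses JSch-style "kex: server:" / "kex: client:" log lines, replays the RFC 4253 section 7.1 negotiation, and applies the ssh_config prefix rules to a client default list. The log excerpt is constructed (it is not the attachment from the issue) and DEFAULT_KEX is only modelled on JSch 0.2.x defaults; check JSch.getConfig("kex") for the real list of the version you ship.

```python
"""Read JSch 'kex: server:' / 'kex: client:' log lines, replay the SSH
algorithm negotiation of RFC 4253 section 7.1, and apply the OpenSSH
+ / ^ / - list prefixes to a client default list.

Added example for the issue thread; not code from the JSch project.
The log excerpt and DEFAULT_KEX are constructed for illustration.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple
import re

# Order of the name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).  JSch
# logs one 'kex: server:' line per list, then one 'kex: client:' line per
# list, so the N-th line of each side describes the same negotiation slot.
PROPOSAL_SLOTS = [
    "kex", "server_host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
    "mac_s2c", "compression_c2s", "compression_s2c", "lang_c2s", "lang_s2c",
]

# Constructed excerpt (trimmed to three slots per side) mimicking the failure
# in the thread: 'KexAlgorithms +diffie-hellman-group1-sha1' from an ssh
# config was passed through literally, so the client kex list is one bogus
# name that starts with '+'.
SAMPLE_LOG = """\
JSch: INFO: kex: server: diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
JSch: INFO: kex: server: ssh-rsa,ssh-dss
JSch: INFO: kex: server: aes128-ctr,aes256-ctr,aes128-cbc
JSch: INFO: kex: client: +diffie-hellman-group1-sha1
JSch: INFO: kex: client: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
JSch: INFO: kex: client: aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
"""

# Client kex list modelled on JSch 0.2.x defaults (assumption; verify with
# JSch.getConfig("kex") on your version).
DEFAULT_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
]

_LINE = re.compile(r"kex: (server|client): (.*?)\s*$")


def split_names(name_list: str) -> List[str]:
    """SSH name-lists are comma separated; drop empty fields."""
    return [n for n in name_list.split(",") if n]


def parse_kex_log(text: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Map each KEXINIT slot to (client_list, server_list) from the log."""
    lists: Dict[str, List[List[str]]] = {"server": [], "client": []}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            lists[m.group(1)].append(split_names(m.group(2)))
    slots = {}
    for i, slot in enumerate(PROPOSAL_SLOTS):
        if i < len(lists["client"]) and i < len(lists["server"]):
            slots[slot] = (lists["client"][i], lists["server"][i])
    return slots


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: first name in the client's order that the server also
    lists.  Names are compared literally, so '+name' never matches."""
    offered = set(server)
    for name in client:
        if name in offered:
            return name
    return None


def explain(text: str) -> Dict[str, Optional[str]]:
    """Chosen algorithm per slot; None is where JSch would raise
    'Algorithm negotiation fail'."""
    return {slot: negotiate(c, s) for slot, (c, s) in parse_kex_log(text).items()}


def apply_openssh_prefix(defaults: List[str], spec: str) -> List[str]:
    """ssh_config semantics: '+' appends, '^' prepends, '-' removes (wildcards
    allowed); no prefix replaces the whole list, which is what JSch does."""
    if spec.startswith("+"):
        return defaults + [n for n in split_names(spec[1:]) if n not in defaults]
    if spec.startswith("^"):
        head = split_names(spec[1:])
        return head + [n for n in defaults if n not in head]
    if spec.startswith("-"):
        patterns = split_names(spec[1:])
        return [n for n in defaults if not any(fnmatchcase(n, p) for p in patterns)]
    return split_names(spec)


def jsch_kex_value(server: List[str], preferred: List[str] = DEFAULT_KEX) -> str:
    """Value for -Djsch.kex=... or JSch.setConfig("kex", ...): every preferred
    algorithm the server offers, in preferred order, so the list does not
    collapse to a single name.  An empty result means only legacy algorithms
    remain; enable one per host, not VM-wide."""
    offered = set(server)
    return ",".join(n for n in preferred if n in offered)


if __name__ == "__main__":
    for slot, chosen in explain(SAMPLE_LOG).items():
        print(f"{slot:16s} -> {chosen or 'NO MATCH (Algorithm negotiation fail)'}")
    server_kex = parse_kex_log(SAMPLE_LOG)["kex"][1]
    print("suggested jsch.kex =", jsch_kex_value(server_kex))
```

On the constructed log, the kex slot yields no match (the literal "+diffie-hellman-group1-sha1" is not in the server's list) while host key and cipher negotiate fine, which is exactly the shape of the "Algorithm negotiation fail" case in the thread. To use it on a real log, paste the "kex:" lines in place of SAMPLE_LOG; the suggested jsch.kex value keeps the client's strong algorithms and only drops what the server cannot do.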

@norrisjeremy
Contributor

Yes, setting up a Wiki page would be a great idea.

I'm also wondering if we could improve the Algorithm negotiation fail exception thrown, to better detail to the user what the differences were between the client & server's offered algorithms? That may help make it easier for users to identify what failed with their legacy server, without having to enable logging in JSch or trying to manually figure out what algorithms their server offers using ssh -vvv.

@uffeweil
Author

uffeweil commented Dec 21, 2021

Hi!

Thanks Matthias for the new advice. My two cents regarding the configuration options is that I'd recommend our users to configure this on host level (config file) and not for the complete VM (system props).
This is because I would only accept less secure algorithms on some limited (known) servers.

An exception with more details would be great. Wiki also.

Thanks for all your help on this!

Kind regards
Ulf

@rogerbj

rogerbj commented Jun 14, 2022

I am with Ulf and am trying to figure out how to interpret the following:

JSch: INFO: SSH_MSG_SERVICE_ACCEPT received
JSch: INFO: Authentications that can continue: publickey,keyboard-interactive,password
JSch: INFO: Next authentication method: publickey
JSch: DEBUG: PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
JSch: DEBUG: PubkeyAcceptedAlgorithms in server-sig-algs = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-rsa]
JSch: DEBUG: rsa-sha2-512 preauth failure
JSch: DEBUG: rsa-sha2-256 preauth failure
JSch: DEBUG: ssh-rsa preauth failure
JSch: DEBUG: ssh-rsa-cert-v01@openssh.com cannot be used as public key type for identity xxx@xxx.com
JSch: DEBUG: ssh-rsa-cert-v01@openssh.com cannot be used as public key type for identity xxx@xxx.com
JSch: DEBUG: ssh-rsa-cert-v01@openssh.com cannot be used as public key type for identity xxx@xxx.com
JSch: INFO: Authentications that can continue: keyboard-interactive,password
JSch: INFO: Next authentication method: keyboard-interactive
JSch: INFO: Disconnecting from xxx.net port 22
com.jcraft.jsch.JSchException: Auth fail
	at com.jcraft.jsch.Session.connect(Session.java:524)
	at com.jcraft.jsch.Session.connect(Session.java:185)
        ...

Have tried both Java 11 and 17 with the same result. Any ideas?

Best Regards

Roger

@vyu-talend

Hello, I just upgraded the Jsch version from 0.1.xx to 0.2.xx, and I met the same issues. After comparing the two versions' logs, I found that many algorithms had been deprecated. So I just added those deprecated algorithms to the configuration as the migration.
Like this:
com.jcraft.jsch.JSch.setConfig("kex","ecdh-sha2-nistp256......");
To make sure it helps, I added all of those parameters:

Hopefully, this will help.

@mwiede mwiede closed this as completed Mar 15, 2024