Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Advice to securely connect to a 'special' remote host #523

Open
mfernau opened this issue Mar 22, 2024 · 1 comment
Open

Advice to securely connect to a 'special' remote host #523

mfernau opened this issue Mar 22, 2024 · 1 comment

Comments

@mfernau
Copy link

mfernau commented Mar 22, 2024

At first please note that I'm not a crypto expert. I'm having trouble to understand the internals of ssh and its algorithms is use. However - I would like to understand it a bit deeper which is the reason why I'm asking the following question.

Until Version 0.1.57 of Jsch I was able to successfully connect to the remote host in question.
With newer version I'm getting:

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="cipher.c2s" jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com" serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
	at com.jcraft.jsch.KeyExchange.guess(KeyExchange.java:157)
	at com.jcraft.jsch.Session.receive_kexinit(Session.java:614)
	at com.jcraft.jsch.Session.connect(Session.java:336)
	at tests.JSchTest.main(JSchTest.java:71)

If I modify my code to the following:

JSch jsch = new JSch();
Session session = jsch.getSession("USER", "HOST");
session.setPassword("PASS");
session.setConfig("cipher.c2s", "aes256-cbc");
session.setConfig("cipher.s2c", "aes256-cbc");
[...]

I'm able to connect to the server again. As far as I understand I (re)enable aes256-cbc as an allowed protocol.
Is this the "best" I can do to connect to this server? Can I consider that CBC in general is an insecure encryption mode and thus was disabled by default?
I would like to inform the operator of this SSH Server which seems to host a "GoAnywhere" system which itself seems not to be an outdated product so maybe he/she should be able to enable a more "modern" encryption protocol.

Please find full log of failed connection
Jsch-0.2.17.log
@norrisjeremy
Copy link
Contributor

Hi @mfernau,

If you simply search around on Google I'm sure you can find guidance as to how secure various crypto algorithms are these days.
But to summarize: we strive to keep JSch's default algorithms mostly inline with algorithms that the OpenSSH project does.
So if the algorithm isn't enabled by default in JSch, then there is likely a reason for that.

Thanks,
Jeremy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mfernau @norrisjeremy