jsch icon indicating copy to clipboard operation
jsch copied to clipboard

Published 20 hours ago verified publisher icon mwiede

Advice to securely connect to a 'special' remote host

Open mfernau opened this issue 4 months ago • 1 comments

At first please note that I'm not a crypto expert. I'm having trouble to understand the internals of ssh and its algorithms is use. However - I would like to understand it a bit deeper which is the reason why I'm asking the following question.

Until Version 0.1.57 of Jsch I was able to successfully connect to the remote host in question. With newer version I'm getting:

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="cipher.c2s" jschProposal="aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]" serverProposal="aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc"
	at com.jcraft.jsch.KeyExchange.guess(KeyExchange.java:157)
	at com.jcraft.jsch.Session.receive_kexinit(Session.java:614)
	at com.jcraft.jsch.Session.connect(Session.java:336)
	at tests.JSchTest.main(JSchTest.java:71)

If I modify my code to the following:

JSch jsch = new JSch();
Session session = jsch.getSession("USER", "HOST");
session.setPassword("PASS");
session.setConfig("cipher.c2s", "aes256-cbc");
session.setConfig("cipher.s2c", "aes256-cbc");
[...]

I'm able to connect to the server again. As far as I understand I (re)enable aes256-cbc as an allowed protocol. Is this the "best" I can do to connect to this server? Can I consider that CBC in general is an insecure encryption mode and thus was disabled by default? I would like to inform the operator of this SSH Server which seems to host a "GoAnywhere" system which itself seems not to be an outdated product so maybe he/she should be able to enable a more "modern" encryption protocol.

Please find full log of failed connection Jsch-0.2.17.log

mfernau avatar Mar 22 '24 12:03 mfernau

Hi @mfernau,

If you simply search around on Google I'm sure you can find guidance as to how secure various crypto algorithms are these days. But to summarize: we strive to keep JSch's default algorithms mostly inline with algorithms that the OpenSSH project does. So if the algorithm isn't enabled by default in JSch, then there is likely a reason for that.

Thanks, Jeremy

norrisjeremy avatar Mar 26 '24 18:03 norrisjeremy