deadlyjack / Acode

Acode - powerful text/code editor for android
https://acode.app
MIT License
2.51k stars 366 forks

Support ed25519 keys #674

Open gnomed opened 1 year ago

gnomed commented 1 year ago

Using an ed25519 key for ssh connection on an SFTP data source produces an error dialog saying ssh-ed25519 is explicitly not supported. It's 2023 and support for ed25519 should be available in most libraries.

I'm not very familiar with JavaScript dependencies but surely something can be updated to support the current ssh standard?

deadlyjack commented 1 year ago

Support for SFTP is written in Java; check src/plugins/sftp. If you know Java, you can help me with that.

Thank you, Ajit Kumar

On Thu, Mar 30, 2023, 12:20 AM Brian Hughes @.***> wrote:

Using an ed25519 key for ssh connection on an SFTP data source produces an error dialog saying ssh-ed25519 is explicitly not supported. It's 2023 and support for ed25519 should be available in most libraries.

I'm not very familiar with JavaScript dependencies but surely something can be updated to support the current ssh standard?


gnomed commented 1 year ago

I do know java, but I do not know android or cordova or yarn.

It looks like it is missing the recommended bouncycastle dependencies for the maverick ssh client which is the client used by the sftp plugin.

Adding the recommended dependency causes the "jettify" process to fail. There is supposed to be a workaround to exclude the jar from the jettify process but I could not figure out how to make it work in this repo which does not use gradle directly. So I needed to add a different version of the bouncycastle jars and exclude the broken version.

After doing this the process gets further but complains "Ed25519 KeyFactory is not available"

There is also another support article from maverick which mentions another jar is needed for ed25519 support, but it's a weird snapshot jar and adding it does not seem to impact the behaviour of the ssh client, I get the same "Ed25519 KeyFactory is not available" message. I am not convinced this is necessary based on what I can read in the other codebases, but the page seemed fairly authoritative.

So at this point I am somewhat stuck unless I can find out where that error message is coming from. Unfortunately I could not figure out how to get the project to run via AndroidStudio so I could not use a debugger to trace the source of the error and I cannot find that error message in the source code for bouncycastle or maverick ☹️.

I will describe my changes below since they are pretty simple, I could push a branch but it doesn't work anyway.

src/plugins/sftp/plugin.xml:

<framework src="commons-io:commons-io:2.11.0" />
<framework src="com.sshtools:maverick-synergy-client:3.0.10" />
<framework src="com.sshtools:maverick-bc:3.0.10" />
<framework src="org.bouncycastle:bcprov-jdk15to18:1.72" />
<framework src="org.bouncycastle:bcpkix-jdk15to18:1.72" />
<framework src="com.sshtools:maverick-ed25519:3.0.0-SNAPSHOT" />

src/plugins/sftp/src/.../Stfp.java (at the end of the initialize method):

JCEProvider.enableBouncyCastle(true);

build-extras.gradle:

repositories {
  maven {
    name "oss-snapshots"
    url "https://oss.sonatype.org/content/repositories/snapshots/"
    mavenContent {
      snapshotsOnly()
      includeModule("com.sshtools", "maverick-ed25519")
    }
  }
}
configurations {
  all {
    exclude module: 'commons-logging'
    exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
    exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
  }
}

gnomed commented 1 year ago

Also, I tried the bc-fips dependencies also recommended by the maverick docs. Those were nice because they didn't break the jettify process, but it just hung forever instead of producing the "KeyFactory not available" error, and again I was stuck without being able to get the AndroidStudio debugger working.

deadlyjack commented 1 year ago

Thanks for the try you gave... I'll try again with what you have explained in the mail.

Wait for the update and thank you for the idea.

Regards, Ajit Kumar

On Mon, Apr 3, 2023, 7:25 AM Brian Hughes @.***> wrote:

I do know java, but I do not know android or cordova or yarn.

It looks like it is missing the recommended bouncycastle dependencies for the maverick ssh client https://jadaptive.com/app/manpage/en/article/1570724 which is the client used by the sftp plugin.

Adding the recommended dependency causes the "jettify" process to fail. There is supposed to be a workaround to exclude the jar from the jettify process https://stackoverflow.com/a/69005474/27739 but I could not figure out how to make it work in this repo which does not use gradle directly. So I needed to add a different version of the bouncycastle jars and exclude the broken version.

After doing this the process gets further but complains "Ed25519 KeyFactory is not available"

There is also another support article from maverick which mentions another jar is needed for ed25519 support https://jadaptive.com/app/manpage/en/article/1569490, but it's a weird snapshot jar and adding it does not seem to impact the behaviour of the ssh client, I get the same "Ed25519 KeyFactory is not available" message. I am not convinced this is necessary based on what I can read in the other codebases, but the page seemed fairly authoritative.

So at this point I am somewhat stuck unless I can find out where that error message is coming from. Unfortunately I could not figure out how to get the project to run via AndroidStudio so I could not use a debugger to trace the source of the error and I cannot find that error message in the source code for bouncycastle or maverick ☹️.

I will describe my changes below since they are pretty simple, I could push a branch but it doesn't work anyway.

src/plugins/sftp/plugin.xml:

src/plugins/sftp/src/.../Stfp.java (at the end of the initialize method):

JCEProvider.enableBouncyCastle(true);

build-extras.gradle:

repositories {
  maven {
    name "oss-snapshots"
    url "https://oss.sonatype.org/content/repositories/snapshots/"
    mavenContent {
      snapshotsOnly()
      includeModule("com.sshtools", "maverick-ed25519")
    }
  }
}
configurations {
  all {
    exclude module: 'commons-logging'
    exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
    exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
  }
}


gnomed commented 1 year ago

Thanks, if I get enough free time maybe I can set up a vanilla java test program to debug the behaviour; but I'm worried the differences between the android JRE and my local test will make the results meaningless.
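One way to narrow down where "Ed25519 KeyFactory is not available" comes from is to ask the JCA which registered providers can actually instantiate the 25519 services. This is an added example, not code from Acode, Maverick or BouncyCastle; the class name `ProviderProbe` and the list of probed algorithm names are assumptions. It uses only `java.security` calls, so the same class runs on a desktop JVM and inside the plugin, and the two outputs can be compared.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical diagnostic (not Acode code): which JCA provider offers which 25519 primitive. */
public final class ProviderProbe {
    // Assumed service/algorithm names for ed25519 keys and curve25519 key exchange;
    // extend the list with whatever name appears in the error message being chased.
    private static final String[][] WANTED = {
        {"KeyFactory", "Ed25519"}, {"KeyFactory", "EdDSA"}, {"KeyPairGenerator", "Ed25519"},
        {"Signature", "Ed25519"}, {"KeyAgreement", "X25519"},
    };

    // True only if the provider registers the service AND its SPI class loads and constructs.
    private static boolean works(Provider p, String type, String alg) {
        try {
            Provider.Service s = p.getService(type, alg); // null if not registered (aliases count)
            return s != null && s.newInstance(null) != null;
        } catch (Exception | LinkageError e) { // unsupported algorithm or missing classes
            return false;
        }
    }

    /** One line per provider in lookup order: position, name/version, class, working probes. */
    public static List<String> report() {
        List<String> lines = new ArrayList<>();
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            List<String> ok = new ArrayList<>();
            for (String[] w : WANTED) {
                if (works(p, w[0], w[1])) ok.add(w[0] + "/" + w[1]);
            }
            // The class name tells a bundled provider apart from a platform one of the same name.
            lines.add((i + 1) + ". " + p + " [" + p.getClass().getName() + "] " + ok);
        }
        return lines;
    }

    public static void main(String[] args) {
        for (String line : report()) System.out.println(line); // on Android, log each line instead
    }
}
```

If the only provider named BC has a class name that does not start with `org.bouncycastle`, the bundled jar was never registered: `Security.addProvider` returns -1 when a provider of the same name is already installed.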

Offerel commented 4 months ago

Is there any update? I don't want to enable RSA keys again on our SFTP hosts.

explor4268 commented 1 week ago

Try running adb logcat -T 1 (with platform-tools installed on $PATH) with the phone/emulator connected before pressing "OK" on the SFTP connect menu; it should output relevant error messages.

Currently I cannot build the app with @gnomed's setup. Can somebody test it? If so, post the logs down below.

I also have similar issues where it cannot connect to servers with only certain key exchange algorithms enabled, notably Curve25519 (#985)

Another alternative is to just switch from Maverick SSH Library to something else that doesn't involve adding BouncyCastle (or any other problematic dependencies)

One example is https://github.com/mwiede/jsch (a JSCH fork; for ed25519 support, Java 15+ is required; if not, add BouncyCastle, which in this case is a little bit broken and requires a workaround)

Another example is Apache Mina SSHD (it supports SFTP) which uses ed25519-java library to support ed25519, but:

https://github.com/apache/mina-sshd/blob/master/docs/standards.md#key-exchange

On Java versions before Java 11, Bouncy Castle is required for curve25519-sha256, curve25519-sha256@libssh.org, or curve448-sha512.

Or just include a native library for the ssh/sftp implementation.

Also this article might be relevant, where the built-in Android BouncyCastle implementation of many algorithms were deprecated:

Related SO Answer: https://stackoverflow.com/a/66323575

Also found this when browsing the SpongyCastle GitHub issues page, where you can customize BouncyCastle to work around built-in BC issues: https://github.com/jbuhacoff/nodejs-mybc-util