Closed austinarbor-wk closed 4 months ago
Hi @austinarbor-wk,
Yes, I suspect this server doesn't correctly support RSA/SHA-2 and it is failing when JSch attempts RSA/SHA-2 based authentication. So you either will want to remove the RSA/SHA-2 algorithms (`rsa-sha2-512` & `rsa-sha2-256`) from the `PubkeyAcceptedAlgorithms` config setting, or make sure RSA/SHA-1 (`ssh-rsa`) has a higher priority by appearing earlier in the comma delimited list for the `PubkeyAcceptedAlgorithms` config setting.
Thanks, Jeremy
@norrisjeremy thanks for your quick response! We use a generalized "works-for-everyone" config and the same code is also used for servers which do support `rsa-sha2-512` and `rsa-sha2-256`, and we don't know ahead of time what the server will support. Do you think moving `ssh-rsa` ahead in the priority list will make those no longer work, or should it essentially be a no-op?
Hi @austinarbor-wk,
If the other types of servers you connect to support both RSA/SHA-2 and RSA/SHA-1, by prioritizing RSA/SHA-1 in the list you will be coercing JSch into performing insecure authentication with these servers (since RSA/SHA-1 is generally considered cryptographically insecure). Ultimately this will be a judgement call that only you can make, since only you know the nature of your application, the types of servers you are connecting to, etc., and not us.
Thanks, Jeremy
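One way to act on that judgement call without weakening the default for every server: keep JSch's SHA-2-first order for all hosts and move `ssh-rsa` to the front only for a short allow-list of hosts known to reject RSA/SHA-2. This is an added example, not code from the issue or from JSch itself; the legacy host name is a constructed placeholder, and it assumes the `JSch.getConfig`, `Session.setConfig` and `JSch.addIdentity` methods of the mwiede/jsch API.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public final class PubkeyAlgPolicy {
    // Hosts known to fail RSA/SHA-2 authentication. Constructed placeholder,
    // not a host from the issue; populate from your own inventory.
    static final Set<String> LEGACY_HOSTS = Set.of("legacy-sftp.example.invalid");

    /**
     * Builds the PubkeyAcceptedAlgorithms value for one host.
     * Default order (rsa-sha2-512, rsa-sha2-256 ahead of ssh-rsa) is kept for
     * every host; only allow-listed legacy hosts get ssh-rsa moved to the front.
     * The SHA-2 variants stay in the list so nothing else changes for them.
     */
    static String pubkeyAlgorithmsFor(String host, String defaults) {
        List<String> algs = Arrays.stream(defaults.split(","))
                .map(String::trim)
                .collect(Collectors.toCollection(ArrayList::new));
        if (LEGACY_HOSTS.contains(host) && algs.remove("ssh-rsa")) {
            algs.add(0, "ssh-rsa"); // RSA/SHA-1 tried first only for this host
        }
        return String.join(",", algs);
    }

    static Session connect(String user, String host, int port,
                           String keyPath, String passphrase) throws JSchException {
        JSch jsch = new JSch();
        jsch.addIdentity(keyPath, passphrase);
        Session session = jsch.getSession(user, host, port);
        // Read the library-wide default list and override it per session only,
        // so the global configuration stays SHA-2-first.
        String defaults = JSch.getConfig("PubkeyAcceptedAlgorithms");
        if (defaults != null) {
            session.setConfig("PubkeyAcceptedAlgorithms",
                              pubkeyAlgorithmsFor(host, defaults));
        }
        session.connect();
        return session;
    }
}
```

Hosts that later gain RSA/SHA-2 support can simply be dropped from `LEGACY_HOSTS`, returning them to the secure default order.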
@norrisjeremy thanks for the info, appreciate the quick responses!
Confirming that moving `ssh-rsa` in front of the other RSA algorithms resolved the exception.
One of our users is getting the below logs when trying to connect to their sftp server. They are using a username, private key, and private key password. I've been racking my brain trying to reproduce and/or figure out what's causing this, but unfortunately have not had any luck yet. Do you have any ideas what could be causing this?
I've asked for the server-side logs but haven't been able to get them yet.
I saw in some other issues that putting `ssh-rsa` before `rsa-sha2-512` and `rsa-sha2-256` might be needed sometimes? Do you think that could be the case here?