sshtools / maverick-synergy

Next Generation Java SSH API
https://jadaptive.com
GNU Lesser General Public License v3.0

Unable to connect to an SFTP with Maverick but works fine with Winscp #42

Closed jamoros closed 2 years ago

jamoros commented 2 years ago

I attached both of the logs and it's becoming a head scratcher. Is it a possibility the server is requesting a key that isn't supported in Maverick?

As per usual, your help is greatly appreciated.

MaverickLog.txt WinScpLog.txt

Thank you! -J

derylspielman commented 2 years ago

Also here is a log of successful login via sftp command in Linux (the same server we're using the maverick library on).

LinuxSftpCommand.txt

derylspielman commented 2 years ago

Setting the preferred MAC to hmac-sha2-256 resolved the issue.

sshClientContext.setPreferredMacCS("hmac-sha2-256");
sshClientContext.setPreferredMacSC("hmac-sha2-256");

However I feel like there must be a bug with Maverick considering that other SFTP clients can connect. Looking at sshClientContext.getPreferredMacCS() it defaults to hmac-sha256. This uses the same HmacSha256.class as hmac-sha2-256 however the default preferred method should be hmac-sha2-256. Is there a difference between hmac-sha256 and hmac-sha2-256 and should there be a separate hmac-sha2-256 implementation?

ludup commented 2 years ago

I was unaware that hmac-sha256 and hmac-sha512 were still being included. We removed them from our commercial API some time ago because they are not compliant, and there were too many inconsistencies between vendor implementations. They stem from when there was little support for SHA2 in ssh. I would advise that you disable the specific algorithm rather than set a hard preference, unless you are happy to always use hmac-sha2-256. You can disable it with a system property -Ddisable.hmac-sha256 at runtime. You will also want to disable hmac-sha512, hmac-sha256@ssh.com and hmac-sha512@ssh.com for the same reasons.

I'll be dropping support for these in our next updates.

derylspielman commented 2 years ago

@ludup I'm a bit confused from you telling me to remove it. I've disabled via -Ddisable.hmac-sha256 -Ddisable.hmac-sha256@ssh.com -Ddisable.hmac-sha512@ssh.com and also removed them via supportedMacsCS.remove(..) (and SC) and I still can't connect. Are you saying that the remote server uses hmac-sha2-256 and they should change the order of their algorithm?

jamoros commented 2 years ago

@derylspielman Alternatively, by looking at the logs, one of the remote macs cs/sc is "hmac-md5", so the following works:

sshClientContext.supportedMacsCS().add(SshContext.HMAC_MD5, HmacMD5.class);
sshClientContext.supportedMacsSC().add(SshContext.HMAC_MD5, HmacMD5.class);

sshClientContext.setPreferredMacCS(SshContext.HMAC_MD5);
sshClientContext.setPreferredMacSC(SshContext.HMAC_MD5);

The logs also show "hmac-sha1" supported both on the server and default local, so for this specific server simply putting

sshClientContext.setPreferredMacCS(SshContext.HMAC_SHA1);
sshClientContext.setPreferredMacSC(SshContext.HMAC_SHA1);

will connect.

It's still weird that the error doesn't really tell me why this fails; when I see that keys/macs/ciphers are found (negotiated:) I assume that we're ok in that dept. The error was that the server returned -1, which had us searching all over to find the issue.
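The RFC 4253 section 7.1 name-list negotiation behind this thread, as an added example (Python, not Maverick code or anything posted in the issue): the client and server MAC name-lists are constructed, and the server is assumed to advertise the legacy hmac-sha256 name as well, so both sides agree on a MAC that is not an IANA-registered algorithm; disabling the legacy names or setting a preference changes the outcome the way the comments above describe.

```python
from __future__ import annotations

# Added example (not Maverick or issue code): RFC 4253 section 7.1 MAC
# negotiation run over name-lists constructed to mirror this thread.

IANA_MAC_NAMES = {  # registered names: RFC 4253 and RFC 6668
    "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
    "hmac-sha2-256", "hmac-sha2-512",
}
# Pre-standard names that the thread says Maverick still shipped.
LEGACY_MAC_NAMES = {"hmac-sha256", "hmac-sha512",
                    "hmac-sha256@ssh.com", "hmac-sha512@ssh.com"}

# Constructed lists (assumption). The server is assumed to echo the legacy
# name, the case where both sides "agree" on a MAC yet may not interoperate.
CLIENT_MACS = "hmac-sha256,hmac-sha2-256,hmac-sha512,hmac-sha2-512,hmac-sha1"
SERVER_MACS = "hmac-sha2-256,hmac-sha256,hmac-sha1,hmac-md5"


def parse_name_list(name_list: str) -> list[str]:
    """Split a KEXINIT name-list (comma-separated, no whitespace) into names."""
    return [n for n in name_list.split(",") if n]


def negotiate(client: list[str], server: list[str]) -> str | None:
    """RFC 4253 7.1: the first name in the client's list that the server also lists."""
    offered = set(server)
    return next((n for n in client if n in offered), None)


def disable(names: list[str], disabled: set[str]) -> list[str]:
    """Drop names while keeping order (what -Ddisable.<name> or remove() does)."""
    return [n for n in names if n not in disabled]


def prefer(names: list[str], first: str) -> list[str]:
    """Move one already-supported name to the front (what setPreferredMacCS does)."""
    return [first] + [n for n in names if n != first] if first in names else names


def audit(client: list[str], server: list[str]) -> tuple[str | None, str]:
    """Negotiate and classify: 'ok', 'none' (no common MAC) or 'non-standard'."""
    chosen = negotiate(client, server)
    if chosen is None:
        return None, "none"
    return chosen, ("ok" if chosen in IANA_MAC_NAMES else "non-standard")


if __name__ == "__main__":
    client, server = parse_name_list(CLIENT_MACS), parse_name_list(SERVER_MACS)
    print(audit(client, server))                             # default lists
    print(audit(disable(client, LEGACY_MAC_NAMES), server))  # legacy names disabled
    print(audit(prefer(client, "hmac-sha1"), server))        # hard preference
```

A "non-standard" result is the case to look for when a KEXINIT shows a negotiated MAC but the connection still drops: the name matched, the construction behind it may not have.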

ludup commented 2 years ago

I have pushed a commit for this, removing the problematic non-compliant HMAC implementations.