Cannot connect to old OpenSSH server since version 0.1.57

[ChristianCiach]

Hi,

we need to connect to a quite old sftp server running OpenSSH 5.3. This worked nicely with the original Jsch and also with this fork up to version 0.1.56. Unfortunately, it is broken with all versions since 0.1.57 up to the current version 0.1.62.

This is the debug log of a working connection using 0.1.56:

1: Connecting to CENSORED port 22
1: Connection established
1: Remote version string: SSH-2.0-OpenSSH_5.3
1: Local version string: SSH-2.0-JSCH-null
1: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
1: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
1: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
1: SSH_MSG_KEXINIT sent
1: SSH_MSG_KEXINIT received
1: kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
1: kex: server: ssh-rsa,ssh-dss
1: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
1: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
1: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
1: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
1: kex: server: none,zlib@openssh.com
1: kex: server: none,zlib@openssh.com
1: kex: server: 
1: kex: server: 
1: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
1: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
1: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
1: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
1: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
1: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
1: kex: client: none
1: kex: client: none
1: kex: client: 
1: kex: client: 
1: kex: server->client aes128-ctr hmac-md5 none
1: kex: client->server aes128-ctr hmac-md5 none
1: SSH_MSG_KEXDH_INIT sent
1: expecting SSH_MSG_KEXDH_REPLY
1: ssh_rsa_verify: signature true
2: Permanently added 'CENSORED' (RSA) to the list of known hosts.
1: SSH_MSG_NEWKEYS sent
1: SSH_MSG_NEWKEYS received
1: SSH_MSG_SERVICE_REQUEST sent
1: SSH_MSG_SERVICE_ACCEPT received
1: Authentications that can continue: publickey
1: Next authentication method: publickey
1: Authentication succeeded (publickey).

This is a debug log of version 0.1.57 where the connection is broken:

1: Connecting to CENSORED port 22
1: Connection established
1: Remote version string: SSH-2.0-OpenSSH_5.3
1: Local version string: SSH-2.0-JSCH-null
1: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
1: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
1: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
1: SSH_MSG_KEXINIT sent
1: SSH_MSG_KEXINIT received
1: kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
1: kex: server: ssh-rsa,ssh-dss
1: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
1: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
1: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
1: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
1: kex: server: none,zlib@openssh.com
1: kex: server: none,zlib@openssh.com
1: kex: server: 
1: kex: server: 
1: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
1: kex: client: rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
1: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
1: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
1: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
1: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
1: kex: client: none
1: kex: client: none
1: kex: client: 
1: kex: client: 
1: kex: server->client aes128-ctr hmac-md5 none
1: kex: client->server aes128-ctr hmac-md5 none
1: SSH_MSG_KEXDH_INIT sent
1: expecting SSH_MSG_KEXDH_REPLY
1: ssh_rsa_verify: signature true
2: Permanently added 'CENSORED' (RSA) to the list of known hosts.
1: SSH_MSG_NEWKEYS sent
1: SSH_MSG_NEWKEYS received
1: SSH_MSG_SERVICE_REQUEST sent
1: SSH_MSG_SERVICE_ACCEPT received
1: Authentications that can continue: publickey
1: Next authentication method: publickey
1: Disconnecting from CENSORED port 22
Exception in thread "main" com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Too many authentication failures for anb0230 
	at com.jcraft.jsch.Session.read(Session.java:1010)
	at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:125)
	at com.jcraft.jsch.Session.connect(Session.java:473)
	at com.jcraft.jsch.Session.connect(Session.java:186)
	at de.mycompany.test.Application.main(Application.java:37)

As you can see, only one line is different:

1: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

vs

1: kex: client: rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

Surprisingly, setting this in my code does not fix the issue, even though it makes the log look identical (except for the disconnect and the exception at the end):

    session.setConfig("server_host_key", "ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521");	

Instead, I am able to workaround the issue by setting this:

    session.setConfig("PubkeyAcceptedKeyTypes", "ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521");

This change moves ssh-rsa to the front of the value, compared to the default config.

But I really do not want to do that, for multiple reasons:

• I barely understand what I am doing here.
• I believe this library is supposed to be a "drop in " replacement for the original Jsch, so I expect those low-level-thingies to just work like before. The original Jsch library didn't even have the config option PubkeyAcceptedKeyTypes.

I can't find any documentation for PubkeyAcceptedKeyTypes. I just found out about this by reading this commit: 045799e

Again, this worked with the original version of Jsch and broke with a minor version update. Also, the remote server uses a completely normal (but rather old) OpenSSH version without exotic settings. These are the reasons why I believe this to be a bug in this library.

[ChristianCiach]

This is the debug log where the connection is broken using the current version 0.1.62:

1: Connecting to CENSORED port 22
1: Connection established
1: Remote version string: SSH-2.0-OpenSSH_5.3
1: Local version string: SSH-2.0-JSCH-null
1: CheckCiphers: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
1: chacha20-poly1305@openssh.com is not available.
0: cipher.c2s proposal before removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
0: cipher.s2c proposal before removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
0: cipher.c2s proposal after removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
0: cipher.s2c proposal after removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
1: CheckMacs: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
1: CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
1: curve25519-sha256 is not available.
1: curve25519-sha256@libssh.org is not available.
1: curve448-sha512 is not available.
0: kex proposal before removing unavailable algos is: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
0: kex proposal after removing unavailable algos is: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
1: CheckSignatures: rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-ed448
1: ssh-ed25519 is not available.
1: ssh-ed448 is not available.
0: server_host_key proposal before removing unavailable algos is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0: server_host_key proposal after removing unavailable algos is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0: server_host_key proposal before known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
0: server_host_key proposal after known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1: SSH_MSG_KEXINIT sent
1: SSH_MSG_KEXINIT received
1: kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
1: kex: server: ssh-rsa,ssh-dss
1: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
1: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
1: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
1: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
1: kex: server: none,zlib@openssh.com
1: kex: server: none,zlib@openssh.com
1: kex: server: 
1: kex: server: 
1: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
1: kex: client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
1: kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
1: kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
1: kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
1: kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
1: kex: client: none
1: kex: client: none
1: kex: client: 
1: kex: client: 
1: kex: algorithm: diffie-hellman-group-exchange-sha256
1: kex: host key algorithm: ssh-rsa
1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
1: SSH_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
1: expecting SSH_MSG_KEX_DH_GEX_GROUP
1: SSH_MSG_KEX_DH_GEX_INIT sent
1: expecting SSH_MSG_KEX_DH_GEX_REPLY
1: ssh_rsa_verify: ssh-rsa signature true
2: Permanently added 'CENSORED' (RSA) to the list of known hosts.
1: SSH_MSG_NEWKEYS sent
1: SSH_MSG_NEWKEYS received
1: SSH_MSG_SERVICE_REQUEST sent
1: SSH_MSG_SERVICE_ACCEPT received
1: Authentications that can continue: publickey
1: Next authentication method: publickey
1: Disconnecting from CENSORED port 22
Exception in thread "main" com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 2 Too many authentication failures for anb0230 
	at com.jcraft.jsch.Session.read(Session.java:1247)
	at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:143)
	at com.jcraft.jsch.Session.connect(Session.java:474)
	at com.jcraft.jsch.Session.connect(Session.java:187)
	at de.mycompany.test.Application.main(Application.java:

The issue can still be workarounded by modifying the PubkeyAcceptedKeyTypes option.

[norrisjeremy]

The server_host_key setting controls what key type is negotiated for the server's public key, while PubkeyAcceptedKeyTypes controls what key types are used for the client's public key. It is modeled after the same option in OpenSSH (which has since been renamed as PubkeyAcceptedAlgorithms in OpenSSH 8.5+).

What type of SSH key are you attempting to use for authentication? Also, do you know what the setting of MaxAuthTries is on the OpenSSH server you are attempting to connect with?

My suspicion as to what is happening is that the OpenSSH 5.3 server you are attempting to connect with has MaxAuthTries configured to a small value (2 or less). Combined with the fact that the default PubkeyAcceptedKeyTypes attempts to use the RSA SHA-2 signature types (rsa-sha2-256 & rsa-sha2-512) before the legacy RSA SHA-1 signature type (ssh-rsa), this causes authentication to fail. This is due to the fact that the client signature type is not actually negotiated in the SSH protocol: the client simply has to brute force attempt each one in succession until it succeeds, or the server rejects the connection for Too many authentication failures. And since RSA SHA-2 signature types weren't introduced until OpenSSH 7.2, JSch is attempting to use first rsa-sha2-512 (which fails), then rsa-sha2-256 (which fails), and before it can try ssh-rsa (which would succeed), the server terminates the session because of it's MaxAuthTries setting.

On a side note, all of the default crypto settings in this JSch fork were changed to align similarly to what is used in modern versions of OpenSSH, so that this JSch fork would only utilize secure crypto algorithms by default (skipping crypto algorithms generally accepted as no longer being secure). This has the unfortunate side effect in that attempting to connect to old servers will likely require some amount of custom tweaking of the various crypto algorithms (similar to what you have discovered with the PubkeyAcceptedKeyTypes option), since they frequently only support the older "unsecure" algorithms.

[ChristianCiach]

Thank you for your quick reply!

Unfortunately, the remote server is not under our control and I don't know its specific configuration. All I can say is that this server is part of a critical infrastructure and accessed by many corporations for critical "stuff", so I don't expect that someone will touch the configuration of the server in the foreseeable future.

What you say makes a lot of sense. But still, the sftp CLI tool of OpenSSH (version OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017) can connect to this server just fine.

I just found out that Jsch parses the content of the ~/.ssh/config, so I can probably work around this issue with this file without touching our client application. That being said, I still would prefer to not have to do that...

What type of SSH key are you attempting to use for authentication?

I don't know what exactly you are asking for, but the private key header looks like this:

-----BEGIN RSA PRIVATE KEY-----

And the public key begins with ssh-rsa.

[norrisjeremy]

FYI, the reason the sftp utility from OpenSSH_7.4p1 still works is because OpenSSH 7.4 still attempts to use RSA SHA-1 signature types (ssh-rsa) before attempting the RSA SHA-2 signature types (rsa-sha2-256 & rsa-sha2-512).

It wasn't until OpenSSH 7.8 in which the RSA SHA-2 signature types (rsa-sha2-256 & rsa-sha2-512) started being preferred before RSA SHA-1 signature type (ssh-rsa). See the note about the change of semantics of the PubkeyAcceptedKeyTypes option in the OpenSSH 7.8 release notes.

I'm reasonably certain that if you attempted to use the sftp utility from OpenSSH 7.8+ against your server, you would discover that that it too fails by default, unless the PubkeyAcceptedKeyTypes setting in .ssh/config was tweaked.

[ChristianCiach]

Just to correct myself: The file ~/.ssh/config is not automatically parsed by JSch. JSch doesn't automatically uses any files under ~/.ssh. These files are loaded by our client application. If I want to parse the OpenSSH config files, I need to use the class com.jcraft.jsch.OpenSSHConfig.

[ChristianCiach]

I'm reasonably certain that if you attempted to use the sftp utility from OpenSSH 7.8+ against your server, you would discover that that it too fails by default, unless the PubkeyAcceptedKeyTypes setting in .ssh/config was tweaked.

You're probably right about that und you make a really strong point for why this is actually not a bug in this JSch fork. I am not really happy with the workarounds, but these workarounds seem to become necessary in the near future anyway.

So, shall we close this issue? :)

[norrisjeremy]

Yes, I am mulling over ways in which we can improve the behavior of this JSch fork to better help users in situations similar to yours (you aren't the first user to report similar types of problems). I'm just not sure what we can do to help make scenarios like yours work out-of-the-box, whilst still enforcing some amount of integrity in having the crypto algorithm defaults avoid using the "unsecure" algorithms.

[ChristianCiach]

This is due to the fact that the client signature type is not actually negotiated in the SSH protocol

If this is true, I don't have any ideas for more elegant solutions, either.

[norrisjeremy]

This is due to the fact that the client signature type is not actually negotiated in the SSH protocol

If this is true, I don't have any ideas for more elegant solutions, either.

FYI, there is an extension, named server-sig-algs from RFC-8308, that is supposed to help a bit in situations like this, in that it allows the server to announce to the client what signature algorithms it supports for the client key. However, it is wrapped up as part of the overall ext-info-s / ext-info-c of RFC-8308, which JSch doesn't yet support. Also, even if JSch supported it, it wouldn't actually help in your case, because it wasn't introduced into OpenSSH until 7.2, so your 5.3 server wouldn't support it :(.

[ChristianCiach]

I will close this issue now. There is no need to clutter the issue list with an issue with no possible solution :)

Thanks again!