Posted to users@mina.apache.org by "Mumtaz Husain (mumhusai)" <mu...@cisco.com.INVALID> on 2022/09/29 07:29:43 UTC

Apache SSHD support for rsa-sha2-256 and rsa-sha2-512

Hi everyone. I am new to apache sshd world and this is my first post so please pardon my naïve questions or if this issue has been addressed before. I tried doing a quick search in the mail archive and couldn't find the answers that I am looking for.


  *   We are using apache sshd 2.1.0 for our Java ssh client. The ssh client is trying to connect to an ssh server that used to support several signatures but now supports only rsa-sha2-256 and rsa-sha2-512. So the attempt by the Java ssh client to connect to the ssh server fails with the error that the client does not support rsa-sha2-256 and rsa-sha2-512. Looking at the apache sshd documentation, it seems that support for these signatures was first introduced in sshd 2.3.0:

[SSHD-895<https://issues.apache.org/jira/browse/SSHD-895>] - Add support for RSA + SHA-256/512 signatures

  *   I upgraded the sshd library to 2.3.0 (in pom.xml), made no other changes, and saw the same error as before:

2-Sep-2022 21:45:10,875 UTC ERROR [] [NetConfClient] (<thread-name>) || Failed to connect to device : <ip address> Port: 830 user : admin error : Connection failed


22-Sep-2022 21:45:10,952 UTC WARN  [] [AbstractLoggingBean] (sshd-SshClient[66e0f123]-nio2-thread-5) || exceptionCaught(ClientSessionImpl[admin@/<ip address>:830])[state=Opened] IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss / server: rsa-sha2-256,rsa-sha2-512)

  *   I went through https://github.com/apache/mina-sshd/blob/master/docs/changes/2.3.0.md and one of the recommendations was to call client.setSignatureFactories, so I added the following code after SshClient client = SshClient.setUpDefaultClient();

    import java.util.Arrays;

    import org.apache.sshd.client.SshClient;
    import org.apache.sshd.common.signature.BuiltinSignatures;

    SshClient client = SshClient.setUpDefaultClient();

    // Replace the default signature factories with an explicit list; the
    // client advertises these in this order, so the RSA/SHA-2 variants added
    // in 2.3.0 (SSHD-895) are now part of the proposal sent to the server.
    client.setSignatureFactories(Arrays.asList(
            BuiltinSignatures.nistp256,
            BuiltinSignatures.nistp384,
            BuiltinSignatures.nistp521,
            BuiltinSignatures.ed25519,
            BuiltinSignatures.rsaSHA512,
            BuiltinSignatures.rsaSHA256,
            BuiltinSignatures.rsa,
            BuiltinSignatures.dsa));

            I no longer got the original error, but now got this error:

            22-Sep-2022 22:07:22,348 UTC ERROR [] [NetConfClient] ((<thread-name>)) || Failed to connect to device : <ip address> Port: 830 user : admin error : Connection failed
22-Sep-2022 22:07:22,465 UTC WARN  [] [AbstractLoggingBean] (sshd-SshClient[3b7c3ed3]-nio2-thread-2) || exceptionCaught(ClientSessionImpl[vmanage-admin@/<ip address>:830])[state=Opened] SshException: KeyExchange signature verification failed for key type=ssh-rsa


  *   I tried removing BuiltinSignatures.rsa from this list but that didn’t help.
  *   I am trying to figure out if there is any other API that I need to call to get this to work. Any suggestions to get this working will be highly appreciated.
  *   Also, is there any document on the apache sshd website which describes the exact interaction that happens between an ssh client and server when the client is trying to connect to the server (what are all the steps that are performed)?

Mumtaz
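Added example (this is not code from the original post or from the Apache SSHD project): a complete client set-up for the configuration the post describes, with the RSA/SHA-2 signature algorithms advertised ahead of the legacy SHA-1 ssh-rsa, ssh-dss left out, and the server host key checked against a known_hosts file rather than accepted blindly. The class name, host name, port, user name, password and known_hosts path are placeholders assumed for illustration; the API calls are those of Apache SSHD 2.3.x.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier;
import org.apache.sshd.client.keyverifier.RejectAllServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.common.kex.KexProposalOption;
import org.apache.sshd.common.signature.BuiltinSignatures;

public class RsaSha2ClientExample {

    // Assumed placeholder connection parameters; not taken from the original post.
    private static final String HOST = "device.example.internal";
    private static final int PORT = 830;
    private static final String USER = "admin";
    private static final String PASSWORD = "changeme";
    private static final Path KNOWN_HOSTS =
            Paths.get(System.getProperty("user.home"), ".ssh", "known_hosts");

    /** Builds a client that prefers SHA-2 signatures and pins host keys via known_hosts. */
    public static SshClient buildClient() {
        SshClient client = SshClient.setUpDefaultClient();

        // Preference order as advertised to the server: modern algorithms first,
        // rsa-sha2-512/256 before the SHA-1 "ssh-rsa" name, which is kept last only
        // for servers that cannot sign with SHA-2. ssh-dss (DSA with SHA-1) is omitted.
        client.setSignatureFactories(Arrays.asList(
                BuiltinSignatures.ed25519,
                BuiltinSignatures.nistp256,
                BuiltinSignatures.nistp384,
                BuiltinSignatures.nistp521,
                BuiltinSignatures.rsaSHA512,
                BuiltinSignatures.rsaSHA256,
                BuiltinSignatures.rsa));

        // Verify the presented host key against known_hosts; an unknown host is
        // rejected instead of silently trusted, so a substituted server fails here.
        client.setServerKeyVerifier(
                new KnownHostsServerKeyVerifier(RejectAllServerKeyVerifier.INSTANCE, KNOWN_HOSTS));
        return client;
    }

    public static void main(String[] args) throws Exception {
        SshClient client = buildClient();
        client.start();
        try (ClientSession session = client.connect(USER, HOST, PORT)
                .verify(10, TimeUnit.SECONDS)
                .getSession()) {
            session.addPasswordIdentity(PASSWORD);
            session.auth().verify(10, TimeUnit.SECONDS);

            // Shows which host-key signature algorithm was actually agreed on,
            // e.g. "rsa-sha2-512" when the server only offers the SHA-2 variants.
            System.out.println("Negotiated host key algorithm: "
                    + session.getNegotiatedKexParameter(KexProposalOption.SERVERKEYS));
        } finally {
            client.stop();
        }
    }
}
```

Two points worth checking when reading the log lines in the post against this set-up. First, RFC 8332 defines rsa-sha2-256 and rsa-sha2-512 as signature algorithms used with keys whose format name stays "ssh-rsa", so a message that names key type=ssh-rsa is consistent with an rsa-sha2-* algorithm having been negotiated; the printed SERVERKEYS value is the direct way to confirm which algorithm the session agreed on. Second, dropping BuiltinSignatures.rsa from the list changes only what the client advertises, not how it verifies the signature on the server's RSA key, so it is not expected to change a verification failure by itself.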