Posted to dev@mina.apache.org by "UmaShankar Avagadda (Jira)" <ji...@apache.org> on 2021/04/08 09:38:00 UTC

[jira] [Updated] (SSHD-1154) userauth_pubkey: unsupported public key algorithm: rsa-sha2-512

     [ https://issues.apache.org/jira/browse/SSHD-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

UmaShankar Avagadda updated SSHD-1154:
--------------------------------------
    Description: 
*Environment details:*

*Server OS* : CentOS release 6.9 (Final)

$ ssh -V
{code:java}
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013{code}

$ sshd -T
{code:java}
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
usepam yes
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication yes
gssapikeyexchange no
gssapicleanupcredentials yes
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd yes
printlastlog yes
x11forwarding yes
x11uselocalhost yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
showpatchlevel no
usedns yes
allowtcpforwarding yes
allowagentforwarding yes
useprivilegeseparation yes
kerberosusekuserok yes
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
banner none
authorizedkeysfile .ssh/authorized_keys
authorizedkeysfile2 .ssh/authorized_keys2
loglevel DEBUG
syslogfacility AUTHPRIV
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
acceptenv LANG
acceptenv LC_CTYPE
acceptenv LC_NUMERIC
acceptenv LC_TIME
acceptenv LC_COLLATE
acceptenv LC_MONETARY
acceptenv LC_MESSAGES
acceptenv LC_PAPER
acceptenv LC_NAME
acceptenv LC_ADDRESS
acceptenv LC_TELEPHONE
acceptenv LC_MEASUREMENT
acceptenv LC_IDENTIFICATION
acceptenv LC_ALL
acceptenv LANGUAGE
acceptenv XMODIFIERS
subsystem sftp /usr/libexec/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
permitopen any{code}
sshd-common : 2.6.0

sshd-core : 2.6.0

I am using Client protocol version 2.0; client software version APACHE-SSHD-2.6.0

I am trying to ssh to my server (RHEL6) using APACHE-SSHD-2.6.0 with the code snippet below.
{code:java}
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.concurrent.TimeUnit;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.future.ConnectFuture;
import org.apache.sshd.client.session.ClientSession;

String send = "HOST:" + host + " " + command;
InputStream inputStream = new ByteArrayInputStream(send.getBytes());
SshClient client = SshClient.setUpDefaultClient();
client.start();
ConnectFuture cf = client.connect(username, host, port);
try (ClientSession session = cf.verify().getSession()) {
    // loadKeypair is the reporter's own helper that reads the private key file
    session.addPublicKeyIdentity(loadKeypair(privateKey.getAbsolutePath()));
    session.auth().verify(defaultTimeoutSeconds, TimeUnit.SECONDS);
    // command execution over the session (using inputStream) follows here in the original code
}
{code}
This is working fine with RHEL8, Ubuntu14, Ubuntu16, Ubuntu18 but not with RHEL6 and RHEL7; I get the exception below.

*unsupported public key algorithm: rsa-sha2-512* in the sshd log

{code:java}
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
        at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:126)
        at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
        at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
        at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:56)
        at com.zimbra.cs.rmgmt.RemoteManager.executeRemoteCommand(RemoteManager.java:170)
        at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:147)
        ... 70 more
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
        at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:342)
        at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:277)
        at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:224)
        at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:502)
        at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
        at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
        at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
        at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
        at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
        at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
        at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
        at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
        at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
        at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
        at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
        at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
{code}
{code:java}
broken-relay2:# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from X.X.X.X port 55874
debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
debug1: no match: APACHE-SSHD-2.6.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user zimbra service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "zimbra"
debug1: PAM: setting PAM_RHOST to "mail.example.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user zimbra service ssh-connection method publickey
debug1: attempt 1 failures 0
userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
Connection closed by X.X.X.X
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup{code}
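The sshd debug output above carries everything needed to triage this class of failure: the server build, the client banner, the peer, and the algorithm the server refused. The following is an added example, not code from the report or from the MINA SSHD project: it extracts those facts from a constructed log sample (the relevant lines copied from the output above) and applies one rule, that OpenSSH gained rsa-sha2-256/rsa-sha2-512 (RFC 8332) in release 7.2, so an older sshd can only verify RSA user keys with the SHA-1 based ssh-rsa. The regexes and the 7.2 threshold are the example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines that matter, copied from the sshd -d output in
# the report (server version, client banner, rejected algorithm). Nothing else
# about the hosts is known or assumed.
SAMPLE_SSHD_LOG = """\
debug1: sshd version OpenSSH_5.3p1
Connection from X.X.X.X port 55874
debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
debug1: userauth-request for user zimbra service ssh-connection method publickey
debug1: attempt 1 failures 0
userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
Connection closed by X.X.X.X
"""

# rsa-sha2-256/rsa-sha2-512 (RFC 8332) were added to OpenSSH in release 7.2;
# anything older can only verify RSA user keys with the SHA-1 based ssh-rsa.
RSA_SHA2_MIN_OPENSSH = (7, 2)

SERVER_RE = re.compile(r"sshd version OpenSSH_(\d+)\.(\d+)")
CLIENT_RE = re.compile(r"client software version (\S+)")
PEER_RE = re.compile(r"^Connection from (\S+) port (\d+)")
REJECT_RE = re.compile(r"userauth_pubkey: unsupported public key algorithm: (\S+)")


def triage_sshd_log(log: str) -> Dict[str, object]:
    """Pull the facts a responder needs out of a verbose sshd log: which server
    build, which client, which peer, and which algorithms the server refused."""
    server: Optional[Tuple[int, int]] = None
    client: Optional[str] = None
    peer: Optional[str] = None
    rejected: List[str] = []
    for line in log.splitlines():
        m = SERVER_RE.search(line)
        if m:
            server = (int(m.group(1)), int(m.group(2)))
        m = CLIENT_RE.search(line)
        if m:
            client = m.group(1)
        m = PEER_RE.search(line)
        if m:
            peer = f"{m.group(1)}:{m.group(2)}"
        m = REJECT_RE.search(line)
        if m:
            rejected.append(m.group(1))

    sha2_capable = server is not None and server >= RSA_SHA2_MIN_OPENSSH
    if not rejected:
        verdict = "no rejected public key algorithms"
    elif (server is not None and not sha2_capable
          and any(a.startswith("rsa-sha2-") for a in rejected)):
        verdict = (f"server OpenSSH {server[0]}.{server[1]} predates rsa-sha2 support "
                   f"(OpenSSH 7.2); client {client} must offer ssh-rsa or the server "
                   f"must be upgraded")
    else:
        verdict = f"server rejected {', '.join(rejected)}; check its accepted key algorithms"
    return {
        "server_version": server,
        "server_supports_rsa_sha2": sha2_capable,
        "client_software": client,
        "peer": peer,
        "rejected_algorithms": rejected,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_sshd_log(SAMPLE_SSHD_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the verdict names the mismatch directly: an OpenSSH 5.3 server cannot verify an rsa-sha2-512 signature, so either the client has to present ssh-rsa to that host or the host has to move to 7.2 or later, which is exactly the split between the two solutions below.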
I found 2 solutions.

*Solution 1:*

I upgraded ssh on RHEL6, and it's working fine now.

ssh version before the upgrade:

$ ssh -V
{code:java}
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013{code}
ssh version after the upgrade:

$ ssh -V
{code:java}
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017{code}
*Solution 2:*

I changed the order of *SignatureFactoriesNameList*, and it's working fine now.

I changed the order of rsa-sha2-512, rsa-sha2-256 and ssh-rsa.

*Actual order:* 

ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,*rsa-sha2-512,rsa-sha2-256,ssh-rsa*

*Changed order:*

ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,*ssh-rsa,rsa-sha2-512,rsa-sha2-256*

 
{code:java}
SshClient client = SshClient.setUpDefaultClient();
// Same list as the default, but ssh-rsa is moved ahead of rsa-sha2-512 and rsa-sha2-256
client.setSignatureFactoriesNameList("ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-rsa,rsa-sha2-512,rsa-sha2-256");
{code}
*Solution 1* is good but not acceptable in my case: we can't ask our customers to upgrade server/system packages to make them compatible with the Java SSH client.

Please let me know whether *solution 2* is the better approach or not; if not, why, and what issues am I going to face with this change?
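What the reordering in solution 2 changes is easiest to see by simulating the client's choice of signature algorithm against both kinds of server. The block below is an added example, not code from the report or from MINA SSHD: it uses the two signature lists quoted above verbatim, two constructed server profiles (an OpenSSH 5.3 sshd that verifies only ssh-rsa, and an OpenSSH 7.4 sshd that also verifies rsa-sha2-256/512), and one assumption inferred from the single failed attempt in the log, namely that the client sends only the first factory in its list that fits the key and does not retry the same key with another algorithm. It also shows the RFC 8308 `server-sig-algs` approach, in which a server that implements extension negotiation tells the client which algorithms it will verify, so no global reordering is needed.

```python
from typing import Dict, Optional, Sequence, Set

# Both client lists are taken verbatim from the report (the MINA SSHD 2.6.0 default
# order and the reporter's reordered list); only the last three entries differ.
_COMMON = (
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,"
    "rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
    "ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,"
)
ORIGINAL_ORDER = (_COMMON + "rsa-sha2-512,rsa-sha2-256,ssh-rsa").split(",")
CHANGED_ORDER = (_COMMON + "ssh-rsa,rsa-sha2-512,rsa-sha2-256").split(",")

# Signature algorithms a plain (non-certificate) RSA user key can produce.
RSA_KEY_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

# Constructed server profiles: which of those algorithms each sshd will verify.
# OpenSSH 5.3 (the RHEL6 box in the report) knows only the SHA-1 based ssh-rsa;
# OpenSSH 7.2 and later (the 7.4 build after the upgrade) also accept the SHA-2 forms.
SERVERS: Dict[str, Set[str]] = {
    "openssh-5.3": {"ssh-rsa"},
    "openssh-7.4": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
}


def first_choice(client_order: Sequence[str], key_algs: Set[str]) -> Optional[str]:
    """The algorithm a client sends when it uses only its first factory that fits
    the key. Assumption: this is what produced the single failed attempt in the report."""
    for alg in client_order:
        if alg in key_algs:
            return alg
    return None


def single_attempt(client_order: Sequence[str], server_accepts: Set[str],
                   key_algs: Set[str] = RSA_KEY_ALGS) -> Dict[str, object]:
    """Outcome of one publickey request under a given preference order."""
    alg = first_choice(client_order, key_algs)
    return {"sent": alg, "accepted": alg in server_accepts, "sha1_signature": alg == "ssh-rsa"}


def with_server_sig_algs(client_order: Sequence[str], server_sig_algs: Optional[Set[str]],
                         key_algs: Set[str] = RSA_KEY_ALGS) -> Optional[str]:
    """RFC 8308 style: if the server advertised 'server-sig-algs', pick the first
    client preference it lists; if it sent none (a server without extension
    negotiation), fall back to ssh-rsa for an RSA key so the request is understood."""
    if server_sig_algs is None:
        return "ssh-rsa" if "ssh-rsa" in client_order and "ssh-rsa" in key_algs else None
    for alg in client_order:
        if alg in key_algs and alg in server_sig_algs:
            return alg
    return None


def compare_orders() -> Dict[str, Dict[str, Dict[str, object]]]:
    """Matrix of (client order) x (server): what gets sent and whether it works."""
    return {
        name: {srv: single_attempt(order, accepts) for srv, accepts in SERVERS.items()}
        for name, order in (("original", ORIGINAL_ORDER), ("changed", CHANGED_ORDER))
    }


if __name__ == "__main__":
    for name, row in compare_orders().items():
        for srv, res in row.items():
            print(f"{name:8s} -> {srv}: sends {res['sent']}, "
                  f"accepted={res['accepted']}, sha1={res['sha1_signature']}")
```

The matrix reproduces the report: the original order sends rsa-sha2-512 to the 5.3 server and is refused, the changed order sends ssh-rsa and succeeds. The row to look at is the changed order against the 7.4 server: it also sends ssh-rsa there, so every RSA authentication from this client now carries a SHA-1 signature, including to hosts that would have verified rsa-sha2-512. That is the cost of the global reordering; a list scoped to the legacy hosts only, or a selection driven by the server's advertised `server-sig-algs` as in `with_server_sig_algs`, keeps the SHA-2 signatures where the server supports them.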

 

> userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
> ---------------------------------------------------------------
>
>                 Key: SSHD-1154
>                 URL: https://issues.apache.org/jira/browse/SSHD-1154
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 2.6.0
>            Reporter: UmaShankar Avagadda
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
