IG FTP cannot connect to SFTP with ssh-rsa or ssh-dss as host key or client public key
Article ID: 278025

Products

CA Automic One Automation
CA Automic Workload Automation - Automation Engine
Automic SaaS

Issue/Introduction

The new Integration FTP Agent (IG FTP) cannot connect to an SFTP server whose server host key was generated with RSA as the host key algorithm.

The error in the Job Log is:

Connection attempt failed: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" serverProposal="ssh-rsa,ssh-dss"

Environment

Component: Integration FTP Agent

Version: 21.0.9 and later

Cause

By default, ssh-rsa and ssh-dss are not enabled in the Integration FTP Agent, because they are considered insecure and have been disabled by default since OpenSSH version 8.8.

This is explained here:

Why do ssh-rsa type keys not work with this JSch fork and my server?

  • As of the 0.2.0 release, the RSA/SHA1 signature algorithm is disabled by default.
    • SHA1 is no longer considered secure by the general cryptographic community and this JSch fork strives to maintain secure choices for default algorithms that it will utilize.
    • This also follows the lead of the OpenSSH project in which they disabled RSA/SHA1 signatures by default as of OpenSSH release 8.8.
  • ssh-rsa type keys continue to function by default with the RSA/SHA256 (rsa-sha2-256) & RSA/SHA512 (rsa-sha2-512) signature algorithms defined by RFC 8332.

Resolution

To enable the old, insecure host key and public key algorithms and ciphers in the new Integration FTP (IG_FTP) agent, modify the startup command in the Service Manager configuration file to the following:

java -Djsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.client_pubkey=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.cipher=blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr,arcfour,arcfour128,arcfour256 -jar ucxjftp.jar

See this post in the community, where the different parameters are explained in much more detail (all credit to Eric Lontz). Note that the Service Manager accepts at most 512 characters for the agent start command, so you may have to drop some of the values to make it fit.

Other JSch startup options that can be set the same way include:

-Djsch.kex=
-Djsch.mac=
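The startup command above re-enables every legacy algorithm at once, including ssh-dss and the CBC/arcfour/blowfish ciphers, although the Job Log only shows a server_host_key mismatch. A narrower fix is to read the failing algorithmName from the log line, keep the agent's default list, and append only the single strongest algorithm the server actually offers (here ssh-rsa, not ssh-dss). The script below is an added example written for this article; it is not Automic or JSch code. It parses the exact log line quoted in the Issue section (embedded as a constructed sample), ranks the missing algorithms, builds the corresponding -Djsch.* option, and checks the 512-character Service Manager limit. The mapping from algorithmName to the -Djsch.* property name is an assumption based on the property names listed in this article.

```python
"""Propose the smallest -Djsch.* change for a JSch algorithm negotiation failure.

Added example, not Automic or JSch project code. The log format is the one
quoted in the article; the algorithmName -> jsch.* mapping is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the Job Log line quoted in the article.
SAMPLE_LOG = (
    'Connection attempt failed: Algorithm negotiation fail: '
    'algorithmName="server_host_key" '
    'jschProposal="rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,'
    'ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" '
    'serverProposal="ssh-rsa,ssh-dss"'
)

_PATTERN = re.compile(
    r'Algorithm negotiation fail: algorithmName="(?P<name>[^"]+)" '
    r'jschProposal="(?P<jsch>[^"]*)" serverProposal="(?P<server>[^"]*)"'
)

# Preference order, strongest first; anything not listed ranks last.
# ssh-rsa (RSA with SHA-1) and ssh-dss (DSA) are the legacy choices that
# OpenSSH 8.8 and the JSch fork disable by default.
PREFERENCE = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "rsa-sha2-512", "rsa-sha2-256",
    "ssh-rsa",  # legacy: RSA key signed with SHA-1
    "ssh-dss",  # legacy: DSA, weaker still
]
LEGACY = {"ssh-rsa", "ssh-dss"}

# Character limit the article gives for the Service Manager start command.
SERVICE_MANAGER_LIMIT = 512


@dataclass
class NegotiationFailure:
    algorithm_name: str
    jsch_proposal: List[str]
    server_proposal: List[str]


def _split(csv: str) -> List[str]:
    return [a for a in csv.split(",") if a]


def parse_negotiation_failure(line: str) -> Optional[NegotiationFailure]:
    """Return the parsed failure, or None if the line is not such an error."""
    m = _PATTERN.search(line)
    if not m:
        return None
    return NegotiationFailure(m.group("name"), _split(m.group("jsch")), _split(m.group("server")))


def _rank(alg: str) -> int:
    return PREFERENCE.index(alg) if alg in PREFERENCE else len(PREFERENCE)


def best_addition(f: NegotiationFailure) -> Optional[str]:
    """The single strongest algorithm the server offers that the agent does not.

    Returns None when the two lists already overlap: the failure is then not
    caused by the algorithm lists and enabling more algorithms will not help.
    """
    if set(f.jsch_proposal) & set(f.server_proposal):
        return None
    missing = [a for a in f.server_proposal if a not in f.jsch_proposal]
    return min(missing, key=_rank) if missing else None


def jsch_property_name(algorithm_name: str) -> str:
    """Map the log's algorithmName to a -Djsch.* property (assumption: a
    direction suffix such as '.s2c' collapses onto the single jsch.cipher /
    jsch.mac property the article lists)."""
    return "jsch." + algorithm_name.split(".")[0]


def jvm_property(f: NegotiationFailure, addition: str) -> str:
    """Build the -D option that keeps the defaults and appends one algorithm."""
    return "-%s=%s" % ("D" + jsch_property_name(f.algorithm_name),
                       ",".join(f.jsch_proposal + [addition]))


def fits_service_manager(command: str) -> bool:
    return len(command) <= SERVICE_MANAGER_LIMIT


if __name__ == "__main__":
    failure = parse_negotiation_failure(SAMPLE_LOG)
    add = best_addition(failure)
    option = jvm_property(failure, add)
    command = "java %s -jar ucxjftp.jar" % option
    print(option)
    print("legacy algorithm re-enabled:", add in LEGACY)
    print("length %d, fits Service Manager limit: %s" % (len(command), fits_service_manager(command)))
```

Run on the article's log line it yields -Djsch.server_host_key=rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa, which stays well under the 512-character limit and leaves jsch.client_pubkey, jsch.cipher, jsch.kex and jsch.mac at their secure defaults. Because ssh-rsa is flagged as legacy, the longer-term fix remains regenerating the server host key (ed25519 or ECDSA) or upgrading the server so it offers rsa-sha2-256/512.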

Additional Information

For more on why recent OpenSSH versions treat ssh-rsa as insecure, see:

https://www.endpointdev.com/blog/2023/04/ssh-host-key/