IG FTP cannot connect to SFTP with ssh-rsa or ssh-dss as host key or client public key

Article ID: 278025


Products

CA Automic One Automation

Issue/Introduction

The new Integration FTP Agent (IG FTP) cannot connect to an SFTP server whose server host key was generated with RSA as the host key algorithm and which, as the error below shows, offers only the ssh-rsa and ssh-dss signature algorithms.

The error in the Job Log is:

Connection attempt failed: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" serverProposal="ssh-rsa,ssh-dss"

Environment

Component: Integration FTP Agent

Version: 21.0.9 and later

Cause

By default, ssh-rsa and ssh-dss are not enabled in the Integration FTP Agent, because they have been considered insecure since OpenSSH version 8.8.

This is explained here:

Why do ssh-rsa type keys not work with this JSch fork and my server?

  • As of the 0.2.0 release, the RSA/SHA1 signature algorithm is disabled by default.
    • SHA1 is no longer considered secure by the general cryptographic community and this JSch fork strives to maintain secure choices for default algorithms that it will utilize.
    • This also follows the lead of the OpenSSH project in which they disabled RSA/SHA1 signatures by default as of OpenSSH release 8.8.
  • ssh-rsa type keys continue to function by default with the RSA/SHA256 (rsa-sha2-256) & RSA/SHA512 (rsa-sha2-512) signature algorithms defined by RFC 8332.

Resolution

To enable the old, insecure host key and public key algorithms and ciphers in the new Integration FTP (IG_FTP) agent, modify the startup command in the service manager configuration file to the following:

java -Djsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.client_pubkey=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.ciphers=blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr,arcfour,arcfour128,arcfour256 -jar ucxjftp.jar
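As an added example (not Automic's or JSch's own code), the script below parses the negotiation failure quoted in the Job Log above, shows that the two proposals have no algorithm in common, and derives the narrowest -Djsch.* override: the agent's current list plus only the legacy algorithm the operator explicitly accepts (ssh-rsa by default, never ssh-dss), rather than the full list of weak algorithms and ciphers in the command above. The message regex and the mapping from algorithmName to JSch property are assumptions based on the message format shown here.

```python
"""Diagnose a JSch "Algorithm negotiation fail" message and build the narrowest
-Djsch.* override that would make the negotiation succeed. Added example, not
Automic or JSch code; regex and property mapping are assumptions."""
import re

# Constructed sample: the Job Log line quoted in this article.
SAMPLE_ERROR = (
    'Connection attempt failed: Algorithm negotiation fail: '
    'algorithmName="server_host_key" '
    'jschProposal="rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,'
    'ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" serverProposal="ssh-rsa,ssh-dss"'
)

# Assumed mapping from algorithmName to the JSch system property used in the
# startup command of the Resolution section.
PROPERTY_FOR = {"server_host_key": "jsch.server_host_key",
                "client_pubkey": "jsch.client_pubkey"}

FAILURE_RE = re.compile(r'algorithmName="(?P<name>[^"]+)"\s+'
                        r'jschProposal="(?P<jsch>[^"]*)"\s+'
                        r'serverProposal="(?P<server>[^"]*)"')


def parse_negotiation_failure(message):
    """Return the algorithm class and both proposal lists, or raise."""
    m = FAILURE_RE.search(message)
    if m is None:
        raise ValueError("not a JSch algorithm negotiation failure message")
    return {"name": m["name"], "jsch": m["jsch"].split(","),
            "server": m["server"].split(",")}


def common_algorithms(jsch, server):
    """Algorithms both sides offer, in the agent's preference order."""
    return [a for a in jsch if a in server]


def minimal_override(failure, allow=("ssh-rsa",)):
    """Append only the legacy algorithms the operator explicitly accepts
    (default: ssh-rsa but not ssh-dss) and that the server really offers,
    after the agent's existing list. None if the server offers none of them."""
    extra = [a for a in failure["server"]
             if a in allow and a not in failure["jsch"]]
    if not extra:
        return None
    prop = PROPERTY_FOR.get(failure["name"], "jsch." + failure["name"])
    return "-D%s=%s" % (prop, ",".join(failure["jsch"] + extra))
```

Run it against each "Algorithm negotiation fail" line the Job Log reports (server_host_key and client_pubkey are separate negotiations) and add only the resulting -D options to the startup command.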

Additional Information

More information on why recent OpenSSH versions treat ssh-rsa as insecure:

https://www.endpointdev.com/blog/2023/04/ssh-host-key/