Applications Manager RA FTP 4.1.4 + cannot connect to SFTP servers with ssh-rsa or ssh-dss as host key or client public key



Article ID: 374220



Products

CA Automic Applications Manager (AM)

Issue/Introduction

When attempting a file transfer over SFTP with RA FTP 4.1.4 or later, the following error message can be seen.

server proposal: host key algorithms: ssh-rsa
client proposal: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
Disconnecting from ftp.server.com port 22
Connection attempt failed: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" serverProposal="ssh-rsa"

Environment

RA FTP 4.1.4 with Applications Manager 9.4+

Cause

With RA FTP 4.1.3 and below, the agent uses jsch.jar 1.55, which is considered legacy.

Starting with RA FTP 4.1.4 the agent now utilizes jsch.jar 2.17 which contains updated encryption algorithms. By default, ssh-rsa and ssh-dss are not enabled with jsch.jar 2.17. The reasoning for this is detailed below...

Why do ssh-rsa type keys not work with this JSch fork and my server?

  • As of the 0.2.0 release, the RSA/SHA1 signature algorithm is disabled by default.
    • SHA1 is no longer considered secure by the general cryptographic community and this JSch fork strives to maintain secure choices for default algorithms that it will utilize.
    • This also follows the lead of the OpenSSH project in which they disabled RSA/SHA1 signatures by default as of OpenSSH release 8.8.
  • ssh-rsa type keys continue to function by default with the RSA/SHA256 (rsa-sha2-256) & RSA/SHA512 (rsa-sha2-512) signature algorithms defined by RFC 8332.


Resolution

The advised solution is to upgrade FTP server-side encryption to utilize default algorithms supported by jsch.jar version 2.17. This ensures the updated encryption algorithms are utilized.

However, if required, the legacy algorithms can be re-enabled by adding the following to the $AW_HOME/site/sosite file of the RA FTP agent (the standard agent where the RA FTP agent runs).

Linux

export START_OPTION_AGENT="-Djsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.client_pubkey=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.ciphers=blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr,arcfour,arcfour128,arcfour256 -Djsch.kex=diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]"

Windows

set START_OPTION_AGENT=-Djsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.client_pubkey=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss -Djsch.ciphers=blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr,arcfour,arcfour128,arcfour256 -Djsch.kex=diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected]

Once this is in place, re-invoke (source) the $AW_HOME/site/sosite file so the variable is set. Then stop (stopso all) and start (startso all) the standard agent where the RA FTP agent runs.
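The following script is an added example, not part of this article or of the Applications Manager / JSch code. It shows the mechanics behind the error above and the override: SSH picks the first entry in the client's proposal that the server also offers (RFC 4253), so an empty intersection between jschProposal and serverProposal is exactly the "Algorithm negotiation fail" shown in the Issue section. The script parses that log line, parses the -Djsch.* properties from a START_OPTION_AGENT value, confirms the override now covers the server's host key algorithm, and lists which of the re-enabled entries are legacy (SHA-1 signatures or key exchange, CBC-mode or RC4 ciphers), so an administrator can see what the workaround turns back on. The sample log line and the shortened START_OPTION_AGENT value are constructed for the example; the legacy classification is a general rule of thumb assumed here, not a list taken from JSch.

```python
import re
from typing import Dict, List

# Constructed sample: same shape as the negotiation failure line in the RA FTP log.
SAMPLE_LOG_LINE = (
    'Connection attempt failed: Algorithm negotiation fail: '
    'algorithmName="server_host_key" '
    'jschProposal="rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp256,'
    'ecdsa-sha2-nistp384,ecdsa-sha2-nistp521" serverProposal="ssh-rsa"'
)

# Constructed sample: a START_OPTION_AGENT value as exported from sosite
# (lists shortened for the example).
SAMPLE_START_OPTION_AGENT = (
    "-Djsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,"
    "rsa-sha2-256,ssh-rsa,ssh-dss "
    "-Djsch.client_pubkey=ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss "
    "-Djsch.ciphers=3des-cbc,aes128-ctr,aes256-ctr,arcfour "
    "-Djsch.kex=diffie-hellman-group14-sha1,curve25519-sha256,diffie-hellman-group16-sha512"
)

_FAIL_RE = re.compile(
    r'algorithmName="([^"]*)"\s+jschProposal="([^"]*)"\s+serverProposal="([^"]*)"'
)


def parse_negotiation_failure(line: str) -> Dict[str, object]:
    """Extract both proposals from the JSch failure line and compute their
    intersection in client preference order (the SSH negotiation rule)."""
    m = _FAIL_RE.search(line)
    if not m:
        raise ValueError("not a JSch algorithm negotiation failure line")
    client = m.group(2).split(",")
    server = m.group(3).split(",")
    common = [alg for alg in client if alg in server]
    return {"algorithm": m.group(1), "client": client, "server": server, "common": common}


def parse_jsch_properties(option_string: str) -> Dict[str, List[str]]:
    """Turn '-Djsch.x=a,b -Djsch.y=c' into {'jsch.x': ['a','b'], 'jsch.y': ['c']}."""
    props: Dict[str, List[str]] = {}
    for token in option_string.split():
        if token.startswith("-Djsch."):
            name, _, value = token[len("-D"):].partition("=")
            props[name] = value.split(",") if value else []
    return props


def is_legacy(algorithm: str) -> bool:
    """Assumed rule of thumb: SHA-1 based signatures/kex, DSA, CBC mode and RC4.
    Note that ssh-rsa *keys* stay usable via rsa-sha2-256/512; only the
    'ssh-rsa' signature name itself means RSA/SHA-1."""
    a = algorithm.lower()
    return (
        a in {"ssh-rsa", "ssh-dss"}
        or a.endswith("-sha1")
        or a.endswith("-cbc")
        or a.startswith("arcfour")
        or a.startswith("blowfish")
    )


def audit_override(props: Dict[str, List[str]], failure: Dict[str, object]) -> Dict[str, object]:
    """Check whether the -Djsch.* override would satisfy the failed negotiation,
    and report every legacy algorithm the override enables, per property."""
    prop_name = "jsch." + str(failure["algorithm"])  # e.g. jsch.server_host_key
    enabled = props.get(prop_name, [])
    now_common = [alg for alg in enabled if alg in failure["server"]]  # type: ignore[operator]
    legacy = {name: [alg for alg in algs if is_legacy(alg)] for name, algs in props.items()}
    return {
        "property": prop_name,
        "resolves": bool(now_common),
        "negotiated": now_common[0] if now_common else None,
        "legacy_enabled": legacy,
    }


if __name__ == "__main__":
    failure = parse_negotiation_failure(SAMPLE_LOG_LINE)
    print("common before override:", failure["common"])  # empty -> negotiation fails
    report = audit_override(parse_jsch_properties(SAMPLE_START_OPTION_AGENT), failure)
    print("override resolves:", report["resolves"], "->", report["negotiated"])
    for name, algs in report["legacy_enabled"].items():
        print(f"{name}: legacy entries re-enabled = {algs}")
```

Run it against the real line from the agent log and the real START_OPTION_AGENT string to confirm the override actually contains the server's host key algorithm before restarting the agent, and to get a per-property inventory of the legacy entries that the workaround turns on. That inventory is what the "advised solution" in the Resolution section is meant to avoid: once the SFTP server is upgraded, the same check shows the failure line no longer has an empty intersection and the override can be removed.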