JSch Algorithm negotiation fail

Question

I try to connect SFTP server by Java.

I got an error.

com.jcraft.jsch.JSchException: Algorithm negotiation fail

Here is the POM:

<dependency>
            <groupId>com.jcraft</groupId>
            <artifactId>jsch</artifactId>
            <version>0.1.53</version>
</dependency>

Here is the log:

INFO: Connecting to **"FTP ADRESS"** port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-Maverick_SSHD
INFO: Local version string: SSH-2.0-JSCH-0.1.53
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: aes256-ctr is not available.
INFO: aes192-ctr is not available.
INFO: aes256-cbc is not available.
INFO: aes192-cbc is not available.
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: diffie-hellman-group14-sha1 is not available.
INFO: ecdh-sha2-nistp256 is not available.
INFO: ecdh-sha2-nistp384 is not available.
INFO: ecdh-sha2-nistp521 is not available.
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: ecdsa-sha2-nistp256 is not available.
INFO: ecdsa-sha2-nistp384 is not available.
INFO: ecdsa-sha2-nistp521 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
INFO: kex: server: ssh-rsa
INFO: kex: server: aes256-cbc,aes192-cbc
INFO: kex: server: aes256-cbc,aes192-cbc
INFO: kex: server: hmac-sha1,hmac-sha1-96
INFO: kex: server: hmac-sha1,hmac-sha1-96
INFO: kex: server: none
INFO: kex: server: none
INFO: kex: server: 
INFO: kex: server: 
INFO: kex: client: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client: 
INFO: kex: client: 
INFO: Disconnecting from "FTP ADRESS" port 22

I got this error what i tried to fix. I cannot access the SFTP server to download or update any file or etc...

I can connect the server by FileZilla, but I cannot make it by Java.

Connection Code:

JSch jsch = new JSch();
Properties config = new Properties();
config.put("cipher.s2c", 
           "aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc");
config.put("cipher.c2s",
           "aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc");
config.put("kex", "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256");
Session jschSession = jsch.getSession("username","server",22);

jschSession.setConfig("StrictHostKeyChecking", "no");
jschSession.setPassword("password");
jschSession.setConfig(config);
jschSession.connect();

When I added

config.put("cipher.s2c", 
           "aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc");

the logs are like this

INFO: Connecting to ftp.servername port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-Maverick_SSHD
INFO: Local version string: SSH-2.0-JSCH-0.1.53
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: aes256-ctr is not available.
INFO: aes192-ctr is not available.
INFO: aes256-cbc is not available.
INFO: aes192-cbc is not available.
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: diffie-hellman-group14-sha1 is not available.
INFO: ecdh-sha2-nistp256 is not available.
INFO: ecdh-sha2-nistp384 is not available.
INFO: ecdh-sha2-nistp521 is not available.
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: ecdsa-sha2-nistp256 is not available.
INFO: ecdsa-sha2-nistp384 is not available.
INFO: ecdsa-sha2-nistp521 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
INFO: kex: server: ssh-rsa
INFO: kex: server: aes256-cbc,aes192-cbc
INFO: kex: server: aes256-cbc,aes192-cbc
INFO: kex: server: hmac-sha1,hmac-sha1-96
INFO: kex: server: hmac-sha1,hmac-sha1-96
INFO: kex: server: none
INFO: kex: server: none
INFO: kex: server: 
INFO: kex: server: 
INFO: kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256
INFO: kex: client: ssh-rsa,ssh-dss
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client: 
INFO: kex: client: 
INFO: Disconnecting from ftp.servername port 22
com.jcraft.jsch.JSchException: Algorithm negotiation fail

can you also add the connection code? – Garry Jun 15 '15 at 13:32 — Garry, Jun 15 '15 at 13:32

Martin Prikryl · Accepted Answer · 2021-04-02T05:52:09.520

As you can see, the server offers these ciphers:

INFO: kex: server: aes256-cbc,aes192-cbc

But JSch accepts only these:

INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc

There's no common cipher to choose from.

Note that JSch does support both aes256-cbc and aes192-cbc, but requires JCE (Java Cryptography Extension) to allow them.

You probably do not have JCE, so these ciphers are not available. That's why there's

INFO: aes256-cbc is not available.

Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 (or other version if other JDK – 1.7, 1.6, IBM JDK 1.6).

See also an answer to The cipher 'aes256-cbc' is required, but it is not available.

score 4 · Answer 2 · edited May 23 '17 at 11:59

4

I solve it by adding the following line to /etc/ssh/sshd_config and restart the sshd service. Thanks for answer by @wierzbiks at another thread

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

edited May 23 '17 at 11:59

Community

1
1

answered Jul 01 '16 at 08:26

Rockie Yang

4,725
31
34

1

How to do this in window openSSH? I tried this, but I cant even start my openSSH service, it hit Bad configuration option: KexAlgorithms – Panadol Chong Oct 17 '17 at 09:01
@PanadolChong Did you find that Directory path at windows OpenSSH ? – 2Big2BeSmall Mar 27 '18 at 06:51
@2Big2BeSmall , Its actually in the path you install your `openSSH`. For example, mine will be at `C:\ProgramFiles\OpenSSH\etc\` , In this folder you will see the config file. Hope this help you. – Panadol Chong Mar 27 '18 at 07:05

score -3 · Answer 3 · answered Mar 20 '18 at 15:03

-3

I solve it updating the library jsch-0.1.27.jar to jsch-0.1.54.jar.

Finally in your code you should write something like this:

your Method {       
     session.setConfig("StrictHostKeyChecking", "no");
// That solve the problem.
    }

This code works in Java 1.5 or above if you need this java version.

answered Mar 20 '18 at 15:03

Juan Esteban Katz Delgado

11
1
5

1

First, `StrictHostKeyChecking` has nothing to do with this question. Second, never ever suggest anyone to use `StrictHostKeyChecking=no` without explaining its security consequences. – Martin Prikryl Mar 20 '18 at 15:22

JSch Algorithm negotiation fail

3 Answers3

Linked

Related