
I’m hoping to set up an SFTP server in Java using Apache MINA.

It seems to start OK, but when I try to connect to it with an OpenSSH client, I get:

```
$ ssh localhost -p 2222
Unable to negotiate with ::1: no matching host key type found. Their offer: ssh-dss
$ ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
```

The Java app logs:

```
! java.lang.IllegalStateException: Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa / server: ssh-dss)
! at org.apache.sshd.common.session.AbstractSession.negotiate(AbstractSession.java:1279) ~[sshd-core-1.0.0.jar:1.0.0]
```

My Maven dependencies are:

```xml
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-sftp</artifactId>
    <version>0.11.0</version>
</dependency>

<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-core</artifactId>
    <version>1.0.0</version>
</dependency>
```

My app startup code looks like this (copied from https://stackoverflow.com/a/8974515/8261):

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.server.Command;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.auth.UserAuth;
import org.apache.sshd.server.auth.UserAuthNoneFactory;
import org.apache.sshd.server.command.ScpCommandFactory;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.sftp.subsystem.SftpSubsystem;

private void startSftpServer() throws IOException {
    SshServer sshd = SshServer.setUpDefaultServer();
    sshd.setPort(2222);
    // No algorithm is set here, so the provider generates its default key type
    // and persists it to hostkey.ser; the server then offers only ssh-dss (see log above).
    sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(
            new File("hostkey.ser")));

    // Only the "none" authentication method is registered: clients log in without credentials.
    List<NamedFactory<UserAuth>> userAuthFactories = new ArrayList<NamedFactory<UserAuth>>();
    userAuthFactories.add(new UserAuthNoneFactory());
    sshd.setUserAuthFactories(userAuthFactories);

    sshd.setCommandFactory(new ScpCommandFactory());

    // Register the SFTP subsystem.
    List<NamedFactory<Command>> namedFactoryList = new ArrayList<NamedFactory<Command>>();
    namedFactoryList.add(new SftpSubsystem.Factory());
    sshd.setSubsystemFactories(namedFactoryList);

    sshd.start();
}
```

How do I add more modern host key algorithms to the server?

Vadim Kotov
Rich

1 Answer


This works for me:

Change Maven pom.xml to remove "sshd-sftp", which is now part of "sshd-core":

```xml
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-core</artifactId>
    <version>1.0.0</version>
</dependency>
```

Add to "startSftpServer":

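```java
// SERVER_KEY_FILE is a java.io.File pointing at the persisted host key (defined elsewhere).
AbstractGeneratorHostKeyProvider hostKeyProvider =
        new SimpleGeneratorHostKeyProvider(SERVER_KEY_FILE.toPath());

// Generate an RSA host key so the server offers ssh-rsa instead of ssh-dss.
hostKeyProvider.setAlgorithm("RSA");
sshd.setKeyPairProvider(hostKeyProvider);
```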

... there seems to be a lot of guesswork involved in using this library, which seems shady for a "security" lib.

Rich
  • Thanks, `setAlgorithm(KeyUtils.RSA_ALGORITHM);` is exactly what I was missing trying to get SSHD working. If anyone is getting "no matching host key type found. Their offer: ssh-dss", try setting the host-key algorithm to RSA! – JeroenHoek Oct 23 '16 at 19:04
  • Also remember to delete any previously saved `SERVER_KEY_FILE`! – Jesse Glick Feb 08 '17 at 21:45
  • [Proposed change to default](https://github.com/apache/mina-sshd/pull/29) – Jesse Glick Feb 08 '17 at 21:57
  • For me Java_161 was throwing an exception: `java.security.InvalidKeyException: The security strength of SHA-1 digest algorithm is not sufficient` and these lines saved the day: `AbstractGeneratorHostKeyProvider hostKeyProvider = new SimpleGeneratorHostKeyProvider(Paths.get("keystore")); hostKeyProvider.setAlgorithm(KeyUtils.DSS_ALGORITHM); hostKeyProvider.setKeySize(512);` – hipokito Mar 13 '18 at 22:19
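
Why the handshake in the question fails and why an RSA host key fixes it, as an added example that is not part of the original question, answer or comments: this Python sketch parses the negotiation error MINA SSHD logged above and applies a simplified form of the SSH selection rule (the first name on the client's list that the server also offers). The function names are hypothetical, the log line is copied from the question, and the "after the fix" server offer is constructed.

```python
import re

# Log line copied from the question (Apache MINA SSHD, server side).
PAGE_LOG_LINE = (
    "! java.lang.IllegalStateException: Unable to negotiate key exchange for "
    "server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,"
    "ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa / server: ssh-dss)"
)

# "<category> (client: a,b,c / server: x,y)" as it appears in the exception message.
NEGOTIATION_RE = re.compile(
    r"Unable to negotiate key exchange for (?P<what>.+?) "
    r"\(client: (?P<client>[^/]*?) / server: (?P<server>[^)]*)\)"
)


def split_names(csv):
    """Split an SSH name-list (comma separated) into a Python list."""
    return [name.strip() for name in csv.split(",") if name.strip()]


def parse_failure(line):
    """Return (category, client_algs, server_algs), or None if the line does not match."""
    m = NEGOTIATION_RE.search(line)
    if m is None:
        return None
    return m.group("what"), split_names(m.group("client")), split_names(m.group("server"))


def negotiate(client_algs, server_algs):
    """First name on the client's list that the server also offers (simplified RFC 4253, 7.1)."""
    offered = set(server_algs)
    return next((alg for alg in client_algs if alg in offered), None)


if __name__ == "__main__":
    what, client, server = parse_failure(PAGE_LOG_LINE)
    # The client list contains no ssh-dss, so nothing overlaps with the server's offer.
    print(what, "->", negotiate(client, server))
    # Constructed "after the fix" offer: the server now holds an RSA host key.
    print(what, "->", negotiate(client, ["ssh-rsa"]))
```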