46

I am trying to connect to a remote SFTP server over SSH with JSch (0.1.44-1), but during `session.connect();` I am getting this exception:

```
com.jcraft.jsch.JSchException: Algorithm negotiation fail
    at com.jcraft.jsch.Session.receive_kexinit(Session.java:529)
    at com.jcraft.jsch.Session.connect(Session.java:291)
    at com.jcraft.jsch.Session.connect(Session.java:154)
    ...
```

Logs from JSch:

```
INFO: Connecting to xx.xx.xx.xx port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-WeOnlyDo 2.0.6
INFO: Local version string: SSH-2.0-JSCH-0.1.44
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: aes256-ctr is not available.
INFO: aes192-ctr is not available.
INFO: aes256-cbc is not available.
INFO: aes192-cbc is not available.
INFO: arcfour256 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: Disconnecting from xx.xx.xx.xx port 22
```

I am able to log in to the remote server with the Linux sftp command. I was trying to find any kind of clue on the internet, but I failed.

Debug output from linux sftp command:

```
OpenSSH_5.5p1-DAM_1.2, OpenSSL 0.9.8r 8 Feb 201
debug1: Reading configuration data /etc/DAM/ssh/ssh_config
debug1: Applying options for *
debug1: Applying options for *.*
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /**/spv_id_rsa.key type -1
debug1: identity file /**/spv_id_rsa.key-cert type -1
debug1: Remote protocol version 2.0, remote software version WeOnlyDo 2.0.6
debug1: no match: WeOnlyDo 2.0.6
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1-DAM_1.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes256-cbc hmac-md5 none
debug1: kex: client->server aes256-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'xx.xx.xx.xx' is known and matches the RSA host key.
debug1: Found key in ~/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /**/spv_id_rsa.key
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
Connected to xx.xx.xx.xx.
sftp>
```

DarkAjax
Marek Dominiak

12 Answers

32

There are a couple of places that SSH clients and servers try and agree on a common implementation. Two I know of are encryption and compression. The server and client produce a list of available options and then the best available option in both lists is chosen.

If there is no acceptable option in the lists then it fails with the error you got. I'm guessing from the debug output here but it looks like the only server options for encryption are "aes256-cbc hmac-md5 none".

JSch doesn't do hmac-md5 and aes256-cbc is disabled because of your Java policy files. Two things you could try are...

  1. To increase the available encryption libraries on the server, install unrestricted policy files on your client, enabling aes256-cbc (make sure the message saying it is disabled goes away, those policy files are notoriously easy to install on the wrong JVM) from the site:

    For JDK 1.6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

    For JDK 1.7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

    For JDK 1.8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  2. or try and disable encryption.

The first is ideal if you have access to the server (trust me aes128-cbc is plenty of encryption), but the second is easy enough to quickly test out the theory.

Vitaly Olegovitch
Pace
  • Thank you! I have solved my problem by using your second suggestion (I don't have access to the remote server). The server had only these encryption options: [aes256-cbc, rijndael256-cbc, rijndael-cbc@lysator.liu.se]. I did find the solution by myself 40 minutes ago (and then found your post! Thank you again!) – Marek Dominiak Jun 07 '11 at 13:56
  • 2
    I found better error logging when I used vngx-jsch (https://github.com/vngx/vngx-jsch) and it led me to this readme file: (http://www.jcraft.com/jsch/README - section about AES cipher), and then JSch was able to use aes256-cbc on my client machine - which solved my problem. Thank you again for sharing your knowledge. – Marek Dominiak Jun 07 '11 at 14:03
  • 9
    You could also check the Key Exchange Algorithms if the problem appears again. Recent versions of Debian and Synology DSM ship OpenSSH with `diffie-hellman-group1-sha1` disabled, and JSch doesn't seem to support the others. If you can, add `KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1` to your `sshd_config` on the server. At least this worked for me (TeamCity 8.1.5 vs. git repository on Synology DSM 5.1). – Malte Clasen Dec 08 '14 at 17:13
  • The worst thing about this answer is that I have but one upvote to give it. – belgariontheking Apr 01 '15 at 00:37
  • 3
    I upgraded to jsch-0.1.54.jar and also upgraded my execution of Ant from using JDK7 to using JDK8. That solved the problem for me. – johnstosh Jun 09 '17 at 14:29
  • 4
    Can you please specify how we can disable encryption? – Kashyap Kotak Mar 26 '18 at 05:21
  • @KashyapKotak I don't honestly know anymore. This may work `session.setConfig("cipher.s2c", "none");` and `session.setConfig("cipher.c2s", "none");`. Let me know if it does and I will add it to the answer. – Pace Mar 26 '18 at 17:35
  • I have fixed the same problem with v.0.1.51 and jdk6 by installing this extension http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html – Lazy Jun 02 '18 at 11:44
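
The negotiation described in the answer above, as an added example (not code from the answer or from JSch): for each category the first client algorithm that the server also lists is chosen, and an empty intersection produces "Algorithm negotiation fail". It assumes the `CheckCiphers` list from the question's log stands in for the client's cipher proposal and takes the server list from the asker's comment; the class and method names are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.*;
import javax.crypto.Cipher;

class KexinitCheck {
    // RFC 4253 section 7.1: the first name on the client's list that also
    // appears on the server's list wins; null means negotiation fails.
    static String negotiate(List<String> client, List<String> server) {
        for (String name : client) {
            if (server.contains(name)) return name;
        }
        return null;
    }

    // Drop AES ciphers whose key size exceeds the JVM's JCE policy limit.
    // Simplification: only AES entries are filtered here (the log in the
    // question shows arcfour256 being dropped for the same reason).
    static List<String> usable(List<String> ciphers, int maxAesBits) {
        List<String> out = new ArrayList<>();
        for (String c : ciphers) {
            if (c.startsWith("aes") && Integer.parseInt(c.substring(3, 6)) > maxAesBits) {
                continue;
            }
            out.add(c);
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Assumed client proposal: the CheckCiphers line from the question.
        List<String> client = Arrays.asList("aes256-ctr", "aes192-ctr", "aes128-ctr",
                "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-ctr",
                "arcfour", "arcfour128", "arcfour256");
        // Server ciphers as reported in the asker's comment.
        List<String> server = Arrays.asList("aes256-cbc", "rijndael256-cbc",
                "rijndael-cbc@lysator.liu.se");

        // The restricted policy files cap AES at 128 bits; the unlimited
        // policy reports Integer.MAX_VALUE.
        int jvmMax = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("JCE policy on this JVM: "
                + (jvmMax >= 256 ? "unlimited" : "restricted (" + jvmMax + "-bit AES)"));

        // Compare the restricted case from the question with this JVM's limit.
        for (int max : new int[] {128, jvmMax}) {
            String chosen = negotiate(usable(client, max), server);
            System.out.println("max AES " + max + " bits -> "
                    + (chosen == null ? "Algorithm negotiation fail" : chosen));
        }
    }
}
```

Running it on the JVM that hosts JSch shows whether the policy files were installed on the right JVM, which is the pitfall the answer mentions.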
24

Finally a solution that works without having to make any changes to the server:

  1. Download the latest jsch.jar as Yvan suggests: http://sourceforge.net/projects/jsch/files/jsch.jar/ jsch-0.1.52.jar works fine

  2. Place the downloaded file in your "...\JetBrains\PhpStorm 8.0.1\lib", and remove the existing jsch-file (for PHPStorm 8 it's jsch-0.1.50.jar)

  3. Restart PHPStorm and it should work

Use the same solution for Webstorm

brunettdan
  • I upgraded to jsch-0.1.54.jar and also upgraded my execution of Ant from using JDK7 to using JDK8. That solved the problem for me. – johnstosh Jun 09 '17 at 14:28
  • @johnstosh, there should be no need to update to JDK8, just upgrading to jsch-0.1.52.jar was enough for me. I use this from Maven though (one needs to specify wagon-ssh plugin [2.12](https://mvnrepository.com/artifact/org.apache.maven.wagon/wagon-ssh/2.12)+ or 3.0.0+), so maybe there is some slight difference from Ant... – Petr Bodnár Feb 13 '18 at 11:18
  • 2
    I don't think this is a universal fix - I'm running 0.1.54 and still get the error. – Ryan Thames Aug 23 '18 at 17:36
12

The complete steps to add the algorithms to the RECEIVING server (the one you are connecting to). I'm assuming this is a Linux server.

```
# Open the SSH daemon configuration in an editor as root
sudoedit /etc/ssh/sshd_config
```

Add this to the file (it can be at the end):

```
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
```

Then restart the SSH server:

```
sudo service sshd restart
```

mrmuggles
  • Hey, thanks for the answer, this worked. But can you explain what this is actually doing? – MoonLight Dec 22 '22 at 06:38
  • It's been a while, but this changes the algorithms the SSH connection will accept / work with. I don't remember which one jsch needed as this was ~7 years ago. Make sure 'things' connecting via SSH are still supported with these algorithms and make sure the algo are secure when changing them. – mrmuggles Jul 13 '23 at 18:20
10

FWIW, I had this same error message under JSch 0.1.50. Upgrading to 0.1.52 solved the problem.

cobbzilla
8

As the jsch library no longer seems to be maintained (the last release was published in 2018), none of the above answers helped me to solve the issue.

I recently faced the same issue because the OpenSSH version on the server was 8.8, which had said goodbye to the ssh-rsa algorithm. And if you search for "jsch ssh-rsa" you will probably also get this as the first result: https://www.matez.de/index.php/2020/06/22/the-future-of-jsch-without-ssh-rsa/.

As suggested on the blog post I applied the drop-in replacement and that worked without making any change in the source code. The only change that was required is to replace the com.jcraft:jsch dependency by com.github.mwiede:jsch.

Replace:

```xml
<dependency>
  <groupId>com.jcraft</groupId>
  <artifactId>jsch</artifactId>
  <version>0.1.55</version>
</dependency>
```

with:

```xml
<dependency>
  <groupId>com.github.mwiede</groupId>
  <artifactId>jsch</artifactId>
  <version>0.2.0</version>
</dependency>
```

Hope this will help future visitors.

Mohammad Faisal
4

Make sure that you're using the latest version of JSch. I had this exact same problem when using JSch 0.1.31 and trying to connect to a RedHat 5 server. Updating to the latest version solved the problem.

TJ von Mechow
3

The issue is with the version of the JSch jar you are using.

Update it to the latest jar.

I was also getting the same error and this solution worked.

You can download latest jar from

http://www.jcraft.com/jsch/

Aditya
  • Hi @user203004 - do you know what the fault is with the version of JSCH? For example, do you have a reference in the release notes about them making a code change to stop it throwing this exception? – Vince Bowdren Aug 12 '16 at 14:52
2

I had the same issue, running Netbeans 8.0 on Windows, and JRE 1.7.

I just installed JRE 1.8 from https://www.java.com/fr/download/ (note that it's called Version 8 but it's version 1.8 when you install it), and it fixed it.

Yvan
1

Add `KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1` to your sshd_config on the server.

This worked, but make sure you restart sshd: sudo service sshd restart

Adamsaurus
1

The solution for me was to install the Oracle unlimited JCE and install it in JRE_HOME/lib/security. Then I restarted GlassFish and I was able to connect to my sftp server using jsch.

nettie
0

I updated the jsch lib to the latest one (0.1.55). It is working fine for me. No need to restart the server and no need to update Java (currently using Java 8).

  • I am using the latest jsch lib (0.1.55) but still getting the same error. The only difference is that I am connecting on a new VM this time. – Mohammad Faisal Mar 28 '22 at 12:57
0

Upgrading Java 8 to u162 or above should help. From this version, the unlimited strength policy is enabled by default.