2

I'm working on a custom SFTP client. The client receives a known-host record as a required server key. My code works fine with ssh-rsa, but in the case of ssh-dss, Mina throws an exception with the message "Unable to negotiate key exchange for server host key algorithms (client: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa / server: ssh-dss)". The official documentation (https://github.com/apache/mina-sshd) says that Mina does support ssh-dss.

Could you recommend a way to make SshClient use ssh-dss (something like PubkeyAcceptedKeyTypes=+ssh-dss in ssh config)?

Thank you.

Sergey Panov

1 Answer

0

In NetconfSSHClient.java, add the following after the call to SshClient.setUpDefaultClient():

        // add DSS 
        List<NamedFactory<Signature>> signatureFactories = client.getSignatureFactories();
        List<BuiltinSignatures> signatures = new ArrayList<>();
        signatures.add(BuiltinSignatures.dsa);
        signatureFactories.addAll(NamedFactory.setUpBuiltinFactories(false, signatures));
        
        client.setSignatureFactories(signatureFactories);

You'll also need to add the matching includes to the top of your file:

        import java.util.List;
        import java.util.ArrayList;
        import org.apache.sshd.common.NamedFactory;
        import org.apache.sshd.common.signature.Signature;
        import org.apache.sshd.common.signature.BuiltinSignatures;

There may be an easier way, but this was the way the Mina-SSHD mailing list told me to do it.

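If you also need deprecated KEX or ciphers, the process is similar for ciphers but slightly different for KEX:

        // Requires imports: org.apache.sshd.client.ClientBuilder,
        // org.apache.sshd.common.kex.BuiltinDHFactories,
        // org.apache.sshd.common.kex.KeyExchangeFactory
        // Get the current default list of key exchange factories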
        List<KeyExchangeFactory> keyExchangeFactories = client.getKeyExchangeFactories();

        // Add the Diffie-Hellman-group1-sha1 key exchange factory
        keyExchangeFactories.addAll(NamedFactory.setUpTransformedFactories(
                false,
                List.of(BuiltinDHFactories.dhg1),
                ClientBuilder.DH2KEX
        ));

        // Update the key exchange factories
        client.setKeyExchangeFactories(keyExchangeFactories);
Luciano
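
A host-scoped variant of the answer above, as an added example that is not part of the original post or of the Mina SSHD project: it offers ssh-dss only when the pinned known-host record is itself an ssh-dss key, so every other connection keeps the library defaults. The class name `LegacyHostKeyClients`, the method `forPinnedKeyType` and its parameter are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;

// Hypothetical helper class (not from the original post).
public final class LegacyHostKeyClients {

    private static final String SSH_DSS = "ssh-dss";

    private LegacyHostKeyClients() {
    }

    /**
     * Builds a client that offers ssh-dss only for servers whose pinned
     * known-host record has that key type.
     *
     * @param pinnedKeyType key type field of the known-host record,
     *                      for example "ssh-rsa" or "ssh-dss" (assumed input)
     */
    public static SshClient forPinnedKeyType(String pinnedKeyType) {
        SshClient client = SshClient.setUpDefaultClient();
        if (!SSH_DSS.equals(pinnedKeyType)) {
            return client; // library defaults; DSA is not offered
        }
        if (!BuiltinSignatures.dsa.isSupported()) {
            throw new IllegalStateException("DSA signatures are not available in this runtime");
        }
        // Work on a copy instead of relying on the returned list being mutable.
        List<NamedFactory<Signature>> factories =
                new ArrayList<>(client.getSignatureFactories());
        boolean alreadyOffered = factories.stream()
                .anyMatch(f -> SSH_DSS.equals(f.getName()));
        if (!alreadyOffered) {
            // Appended last, so it is the least preferred algorithm in the proposal.
            factories.add(BuiltinSignatures.dsa);
        }
        client.setSignatureFactories(factories);
        return client;
    }
}
```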