0

Key sent by customer working fine using SFTP command via Putty. It is working fine through Winscp.

But when i try using Java Code then i get following:

Caused by: com.maverick.ssh.SshException: 
Failed to negotiate a transport component 
  [hmac-sha1,hmac-md5]     [hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256] 
  [Unknown cause]

Code :

else if (authMethod == AUTH_KEY) {
PublicKeyAuthentication pk = new PublicKeyAuthentication();
SshPrivateKeyFile pkfile = SshPrivateKeyFileFactory.parse(new FileInputStream(pass));

com.maverick.ssh.components.SshKeyPair pair;
if (pkfile.isPassphraseProtected())
   pair = pkfile.toKeyPair(keypass);
else
   pair = pkfile.toKeyPair(null);

pk.setPrivateKey(pair.getPrivateKey());
pk.setPublicKey(pair.getPublicKey());
this.session.authenticate(pk);

The above common code is working fine for existing Keys and not for this new server. Not a concrete solution at code level is found.

Any thing more to be added here in code or any type of conversions?

fatherazrael
  • 5,511
  • 16
  • 71
  • 155
  • The problem has nothing to do with the auth key -- your connection is failing before auth. 'maverick' apparently supports only old MAC algorithms, at least as you've used it, while the server supports only new ones. putty-suite (psftp or pscp) does support some new ones, and thus so does winscp because it uses the putty code. You'll have to either find a way to enable or add this to 'maverick' or use something else like Jsch or have the server config changed (which they may view as weakening, although HMAC isn't affected by the MD5 and SHA1 collision breaks). – dave_thompson_085 May 04 '21 at 12:39

1 Answers1

1

The problem is that your side is offering only HMAC-MD5 and HMAC-SHA-1 as MAC algorithms, and the server side only supports HMAC-SHA-256 and HMAC-SHA-512. The server is doing the right thing here, since MD5 and SHA-1 are considered insecure, and even though their HMAC versions aren't insecure when used in SSH, responsible parties have moved away from any use of MD5 and SHA-1.

Because you and the server can't agree on an algorithm to use, the connection can't continue.

It looks like the latest version of the Maverick SSH client supports the hmac-sha2-256 (HMAC-SHA-256), so you could try upgrading, or you could use a more modern SSH library.

bk2204
  • 64,793
  • 6
  • 84
  • 100