hierynomus / sshj

ssh, scp and sftp for java

Problem upgrading past v0.32.0

apete opened this issue

We have a working implementation that's been ok with multiple versions of sshj. Most notably it is (still) ok with v0.32.0. When upgrading to v0.33.0, v0.34.0 or v0.35.0 we start getting "host not allowed to connect" errors.

INFO net.schmizz.sshj.transport.TransportImpl -- Received SSH_MSG_DISCONNECT (reason=HOST_NOT_ALLOWED_TO_CONNECT, msg=ssh disconnect host not allowed to connect)
ERROR net.schmizz.sshj.transport.TransportImpl -- Dying because - ssh disconnect host not allowed to connect
net.schmizz.sshj.transport.TransportException: ssh disconnect host not allowed to connect

Anyone have a clue which change in v0.33.0 could cause this? Or if there's anything we can do to work around it?

SSHJ 0.33.0 included some changes to RSA algorithm negotiation, so that could be part of the problem. It would be helpful to provide a complete set of log messages, with debug enabled, to show the algorithm negotiation process.

Not sure what "with debug enabled" refers to. I set all loggers to DEBUG...

I've attached files with the console output for both v0.32.0 and v0.35.0:

v32.txt

v35.txt

Thanks for providing the log output @apete, that is helpful.

In both cases, the negotiated algorithms are the same, but authentication is failing due to the server rejecting the key. Both sets of logs indicate authentication attempts using an OpenSSH V1 Key:

Attempting authentication using com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile

Are you using the same key file in both cases? There have been some changes to RSA key exchange handling, which may be causing SSHJ to try newer RSA signatures before the older deprecated approach.

The Config class has a method named prioritizeSshRsaKeyAlgorithm() that you could try to see if that resolves the issue with version 0.35.

Yes, that works, thank you!

With

        DefaultConfig config = new DefaultConfig();
        config.prioritizeSshRsaKeyAlgorithm();

versions 0.33, 0.34 and 0.35 all work.

Definitely using the same key with each attempt. The only thing I've changed is the sshj version number in the maven pom.

Thanks for confirming @apete. OpenSSH server deprecated and removed support for the ssh-rsa signature algorithm, so more recent versions of SSHJ prioritized modern alternatives. This works for SSH servers that support modern options, but for older servers, this can be an issue. Glad to hear the prioritization change solved the problem with the server in question.
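
An added example, not part of the original thread or the sshj project's own code: one way to apply the workaround discussed above only to servers known to need it, so every other host keeps SSHJ's default ordering. The class name, the host name in `LEGACY_RSA_HOSTS` and the method names are assumptions made for illustration.

```java
import net.schmizz.sshj.DefaultConfig;
import net.schmizz.sshj.SSHClient;

import java.io.IOException;
import java.util.Set;

public class LegacyAwareSshClientFactory {

    // Constructed sample value: servers known to reject the newer RSA
    // signature algorithms. Keep this list short and review it regularly,
    // since ssh-rsa signatures rely on SHA-1.
    private static final Set<String> LEGACY_RSA_HOSTS =
            Set.of("legacy-sftp.example.internal");

    // Build a per-host config: only listed hosts get ssh-rsa moved to the
    // front of the key algorithm list; all others use the library defaults.
    static DefaultConfig configFor(String host) {
        DefaultConfig config = new DefaultConfig();
        if (LEGACY_RSA_HOSTS.contains(host)) {
            config.prioritizeSshRsaKeyAlgorithm();
        }
        return config;
    }

    // Connect and authenticate with a private key file. Host key checking
    // stays on: loadKnownHosts() reads the user's known_hosts file.
    static SSHClient connect(String host, String user, String keyPath)
            throws IOException {
        // The config must be passed to the client, otherwise it has no effect.
        SSHClient client = new SSHClient(configFor(host));
        try {
            client.loadKnownHosts();
            client.connect(host);
            client.authPublickey(user, keyPath);
            return client;
        } catch (IOException e) {
            // Release the socket before reporting the failure to the caller.
            client.close();
            throw e;
        }
    }
}
```

The caller owns the returned `SSHClient` and should close it when done, for example with try-with-resources.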