Jamie Snipes Jamie Snipes - 17 days ago 8
Java Question

JSch 0.1.54 dh-group14-sha1 Algorithm negotiation fail

I have added the Java unlimited policy files and read the solutions that other posters have asked here, but still can not solve my problem.


  1. Upgraded to JSch 0.1.54

  2. Installed the UnlimitedJCEPolicy Files.
    C:\Program Files\Java\jdk1.7.0_21\jre\lib\security
    .
    I have verified that NetBeans is using this instance of jdk.



I am able to connect with SSH key-exchange group dh-group1-sha1 set on the firewall, but when I change it to SSH key-exchange group dh-group14-sha1 I receive the following error:

Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
at com.jcraft.jsch.Session.connect(Session.java:320)
at com.jcraft.jsch.Session.connect(Session.java:183)


I create my JSch session as follows:

Properties config = new Properties();
config.put("kex", "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256");
config.put("StrictHostKeyChecking", "no");
session.setConfig(config);
session.connect();


I have followed the solutions that other questions have had, but have thus far been unable to solve this issue. Please help.

Here is the log file from the server.

SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25
SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-JSCH-0.1.54

client version string:SSH-2.0-JSCH-0.1.54

SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-ctr hmac-md5 none
SSH2: kex: server->client aes128-ctr hmac-md5 none
SSH2 0: kex algo not supported: client diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchan
SSH2 1: ssh: kex_choose_conf errorSSH1: Session disconnected by SSH server - error 0x00 "Internal error"


Here is the JSch logs:

INFO: Connection established
INFO: Remote version string: SSH-1.99-Cisco-1.25
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: diffie-hellman-group14-sha1 is not available.
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group14-sha1
INFO: kex: server: ssh-rsa
INFO: kex: server: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
INFO: kex: server: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
INFO: kex: server: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
INFO: kex: server: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
INFO: kex: server: none
INFO: kex: server: none
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:

Answer

Apparently you need to use JDK 8 for the "diffie-hellman-group14-sha1".

See the JSch.java static block:

config.put("diffie-hellman-group14-sha1", 
           "com.jcraft.jsch.DHG14");    // available since JDK8.
Comments