Reputation: 13
We have a build script that uses the Ant <scp> task to upload files to a Mac server. This has been working fine for a year or more with the server running OSX 10.8 (Mountain Lion), but we recently upgraded it to OSX 10.11 (El Capitan) and now the <scp> task fails with this exception:
com.jcraft.jsch.JSchException: Algorithm negotiation fail
Switching on verbose mode, the log looks like this:
[scp] Connecting to **SERVER-ADDRESS**:2220
[scp] Connecting to **SERVER-ADDRESS** port 2220
[scp] Connection established
[scp] Remote version string: SSH-2.0-OpenSSH_6.9
[scp] Local version string: SSH-2.0-JSCH-0.1.51
[scp] CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
[scp] CheckKexes: diffie-hellman-group14-sha1
[scp] diffie-hellman-group14-sha1 is not available.
[scp] SSH_MSG_KEXINIT sent
[scp] SSH_MSG_KEXINIT received
[scp] kex: server: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[scp] kex: server: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
[scp] kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
[scp] kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
[scp] kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
[scp] kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
[scp] kex: server: none,[email protected]
[scp] kex: server: none,[email protected]
[scp] kex: server:
[scp] kex: server:
[scp] kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
[scp] kex: client: ssh-rsa,ssh-dss
[scp] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
[scp] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
[scp] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
[scp] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
[scp] kex: client: none
[scp] kex: client: none
[scp] kex: client:
[scp] kex: client:
[scp] Disconnecting from **SERVER-ADDRESS** port 2220
So the problem is that a single algorithm is not supported by both client and server, as discussed in this similar SO post: JSchException: Algorithm negotiation fail and various other places. However, from the logs it looks to me like the client and server do both support at least one algorithm, namely "aes128-ctr":
[scp] kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
and
[scp] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
So I don't understand why they can't negotiate an algorithm, but even so I went ahead and installed the JCE Unlimited Strength Jurisdiction Policy files, as suggested in that other SO question - you can see in the above line that the client supports 256-bit algorithms now. That doesn't make a difference, presumably because the server supports "aes256-ctr" and the client supports "aes256-cbc". But I still don't understand why it can't use "aes128-ctr".
Note: the client machine is running Windows, so based on something I read elsewhere (can't remember exactly where), I have also tried clearing PuTTY's cache of SSH keys - that also made no difference (not that I was expecting it to - I'm just trying stuff now...).
Frustratingly, it looks like this SO post - Algorithm negotiation fail deploying iOS app in OSX "El Capitan" - deals with the same issue, and there was a resolution, but the answerer just says that the problem is fixed in his product without explaining what the fix was, and I don't have enough reputation to post a comment asking for more detail.
Upvotes: 1
Views: 1014
Reputation: 25966
Algorithm negotiation is not only about cipher, but also Key exchange and MACs. You don't have any common key exchange algorithm:
[scp] kex: server: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[scp] kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
The client set is really small. You will probably have to allow additional Kex methods on the client side.
Upvotes: 0
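To make the answer's point concrete, here is an added example (not code from the question, the answer, JSch or Ant) that replays the RFC 4253 negotiation rule over the algorithm lists from the verbose log above: the cipher class does find aes128-ctr, but the kex class has no common entry, so the connection is aborted. Entries the page shows obfuscated as "[email protected]" are left out; the patched kex list at the end is an illustration of the fix the answer suggests, not a claim about which methods this JSch version can enable.

```python
"""Replay the SSH algorithm negotiation from the question's verbose log.

RFC 4253 section 7.1: for each algorithm class, the chosen algorithm is the
first entry on the client's list that the server also lists. If any mandatory
class (kex, host key, cipher, MAC) ends up with no match, the connection is
aborted, which JSch reports as "Algorithm negotiation fail".
"""
from typing import Dict, List, Optional

# Lists transcribed from the log in the question. Names the page shows
# obfuscated as "[email protected]" are omitted; they do not change the outcome.
SERVER: Dict[str, List[str]] = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}
CLIENT: Dict[str, List[str]] = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes128-ctr", "aes128-cbc", "3des-ctr", "3des-cbc", "blowfish-cbc",
               "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-md5", "hmac-sha1", "hmac-sha2-256", "hmac-sha1-96", "hmac-md5-96"],
}


def choose(client: List[str], server: List[str]) -> Optional[str]:
    """First client preference that the server supports, or None (RFC 4253 7.1)."""
    return next((alg for alg in client if alg in server), None)


def negotiate(client: Dict[str, List[str]],
              server: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Pick one algorithm per class; a None value means negotiation fails."""
    return {cls: choose(client[cls], server[cls]) for cls in server}


def failing_classes(client: Dict[str, List[str]],
                    server: Dict[str, List[str]]) -> List[str]:
    """Names of the classes with no algorithm in common (empty list = success)."""
    return [cls for cls, alg in negotiate(client, server).items() if alg is None]


if __name__ == "__main__":
    for cls, alg in negotiate(CLIENT, SERVER).items():
        print(f"{cls:8s} -> {alg or 'NO MATCH'}")     # only kex has NO MATCH
    # Illustration of the answer's fix: enabling one kex method the server
    # offers (here a hypothetical choice) is enough for negotiation to succeed.
    patched = {**CLIENT, "kex": CLIENT["kex"] + ["diffie-hellman-group-exchange-sha256"]}
    print("still failing:", failing_classes(patched, SERVER) or "none")
```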