1
votes

I am just trying to connect to a remote host using the Ant sshexec task. I have the required jar in the Ant lib directory and am able to connect to the remote host using PuTTY. This is the way I am running the ssh:

    <sshexec host="host"
             username="username"
             password="password"
             trust="yes"
             command="ls"/>

There seems to be an encryption algorithm mismatch with the server. How can I specify the algorithm, as I don't see any attribute for this in the task's Ant doc? This is the error log I am getting:

com.jcraft.jsch.JSchException: Algorithm negotiation fail
    at com.jcraft.jsch.Session.receive_kexinit(Session.java:540)
    at com.jcraft.jsch.Session.connect(Session.java:288)
    at com.jcraft.jsch.Session.connect(Session.java:145)
    at org.apache.tools.ant.taskdefs.optional.ssh.SSHBase.openSession(SSHBase.java:212)
    at org.apache.tools.ant.taskdefs.optional.ssh.SSHExec.execute(SSHExec.java:158)
    at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:288)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
    at org.apache.tools.ant.Task.perform(Task.java:348)
    at org.apache.tools.ant.Target.execute(Target.java:357)
    at org.apache.tools.ant.Target.performTasks(Target.java:385)
    at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1337)
    at org.apache.tools.ant.Project.executeTarget(Project.java:1306)
    at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
    at org.apache.tools.ant.Project.executeTargets(Project.java:1189)
    at org.apache.tools.ant.Main.runBuild(Main.java:758)
    at org.apache.tools.ant.Main.startAnt(Main.java:217)
    at org.apache.tools.ant.launch.Launcher.run(Launcher.java:257)
    at org.apache.tools.ant.launch.Launcher.main(Launcher.java:104)
2
@MarkO'Connor That's being handled through a Java program which potentially has an option to set the algorithm. How do I set these through Ant? - Raj
Looks like the fix is applied either on the server (enable the algorithms being used by your version of JSCH) or by altering the policy files used by your JVM. I have never experienced this issue, but it doesn't look like an ANT-specific issue. - Mark O'Connor
@MarkO'Connor Thanks for the reply. I know that it's server specific and I have too little idea about JSch. Can you point me to the location where I can find which algorithm has been used by a version of JSch, how I can enable the algorithms on the server, and so on? - Raj
I stand corrected. Googling suggests that there is a programmatic fix available. See: mail-archive.com/[email protected]/msg01633.html . I would suggest raising an Apache ANT bug, reporting this problem. - Mark O'Connor

2 Answers

2
votes

TL;DR edit your sshd_config and enable support for diffie-hellman-group-exchange-sha1 and diffie-hellman-group1-sha1 in KexAlgorithms:

    KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

I suspect that the problem appeared after the following change in OpenSSH 6.7: "The default set of ciphers and MACs has been altered to remove unsafe algorithms." (see changelog). This version was released on Oct 6, and made it on Oct 21 to Debian testing (see Debian changelog).

OpenSSH enables only the following key exchange algorithms by default:

    [email protected]
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521
    diffie-hellman-group-exchange-sha256
    diffie-hellman-group14-sha1

Whereas JSch claims to support these algorithms (see under "features") for key exchange:

    diffie-hellman-group-exchange-sha1
    diffie-hellman-group1-sha1

So indeed, they cannot agree on a common key exchange algorithm. Updating sshd_config (and restarting the SSH server) does the trick. Apparently JSch is supposed to support the "diffie-hellman-group-exchange-sha256" method since version 0.1.50 (see changelog).

1
votes

I had the same error trying to connect to OS X 10.11.6 and could fix it by replacing ~/.ant/lib/jsch-0.1.51.jar with the latest ~/.ant/lib/jsch-0.1.54.jar.
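
The mismatch described in both answers can be reproduced offline. The following is an added example, not code from either answer or from JSch/OpenSSH: it applies a simplified form of the RFC 4253 section 7.1 rule (the first algorithm on the client's list that the server also lists) to the algorithm lists quoted in the first answer. `JSCH_NEW` is an assumed client list built from that answer's changelog remark, and all function names are hypothetical.

```python
# Added example (not from the original answers): SSH key-exchange selection,
# simplified from RFC 4253 section 7.1 to "first client algorithm the server also lists".

# Server default list as given in the first answer. Its first entry appears
# obfuscated on the page and is left out; the client never offers it anyway.
OPENSSH_DEFAULT = [
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1",
]
# Client list the first answer attributes to JSch.
JSCH_OLD = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"]
# Assumption: a JSch that also offers the SHA-256 group exchange (0.1.50+ per the answer).
JSCH_NEW = ["diffie-hellman-group-exchange-sha256"] + JSCH_OLD
# The answer's sshd_config line, minus the obfuscated entry (constructed sample).
PATCHED_LINE = ("KexAlgorithms " + ",".join(OPENSSH_DEFAULT)
                + ",diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1")


def parse_kexalgorithms(line):
    """Return the algorithm list from an sshd_config KexAlgorithms line."""
    keyword, _, value = line.strip().partition(" ")
    if keyword.lower() != "kexalgorithms":
        raise ValueError("not a KexAlgorithms line: %r" % line)
    return [alg.strip() for alg in value.split(",") if alg.strip()]


def negotiate_kex(client, server):
    """First algorithm in the client's order that the server supports, else None."""
    supported = set(server)
    return next((alg for alg in client if alg in supported), None)


def report(client, server):
    """Describe the outcome and flag a SHA-1 based choice."""
    chosen = negotiate_kex(client, server)
    if chosen is None:
        return "FAIL: no common kex (JSch reports 'Algorithm negotiation fail')"
    note = " [SHA-1 based]" if chosen.endswith("-sha1") else ""
    return "OK: " + chosen + note


if __name__ == "__main__":
    print("old JSch vs default sshd :", report(JSCH_OLD, OPENSSH_DEFAULT))
    print("old JSch vs patched sshd :", report(JSCH_OLD, parse_kexalgorithms(PATCHED_LINE)))
    print("new JSch vs default sshd :", report(JSCH_NEW, OPENSSH_DEFAULT))
```

In the third case negotiation succeeds against the unmodified server list and selects a SHA-256 method, in line with the second answer's fix of upgrading the JSch jar; the sshd_config change in the second case makes the session fall back to a SHA-1 based exchange.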