This repository has been archived by the owner on Oct 15, 2024. It is now read-only.

Algorithm negotiation fail on pull from remote #568

Closed
agboom opened this issue Nov 11, 2019 · 9 comments

Comments

@agboom

agboom commented Nov 11, 2019

Hi, I'm trying to clone a password store repository using ssh public key authentication (from a hardened ssh server, meaning cryptos that are considered unsafe are not supported). However, upon pulling from the server, the app shows a dialog with a TransportException and the message "Algorithm negotiation fail":

[screenshot: password-store-ssh-exception]

I've tried both the latest version from the F-Droid store (1.3.2) and latest commit (b9e3967) built with Android Studio. Both yield the same error message. I've also upgraded JGit to 5.5.1, hoping that would solve it, but sadly it doesn't.

The stack trace below seems to suggest that the key exchange between client and server didn't succeed (that's what I conclude from receive_kexinit anyway). Could it be that Jsch does not support modern key exchange algorithms such as diffie-hellman-group14-sha256?

11-11 20:55:52.551  8306  9194 W System.err: org.eclipse.jgit.api.errors.TransportException: ssh://****: Algorithm negotiation fail
11-11 20:55:52.551  8306  9194 W System.err: 	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:255)
11-11 20:55:52.551  8306  9194 W System.err: 	at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:296)
11-11 20:55:52.551  8306  9194 W System.err: 	at com.zeapo.pwdstore.git.GitAsyncTask.doInBackground(GitAsyncTask.java:68)
11-11 20:55:52.551  8306  9194 W System.err: 	at com.zeapo.pwdstore.git.GitAsyncTask.doInBackground(GitAsyncTask.java:23)
11-11 20:55:52.551  8306  9194 W System.err: 	at android.os.AsyncTask$2.call(AsyncTask.java:333)
11-11 20:55:52.551  8306  9194 W System.err: 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
11-11 20:55:52.551  8306  9194 W System.err: 	at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
11-11 20:55:52.551  8306  9194 W System.err: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
11-11 20:55:52.551  8306  9194 W System.err: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
11-11 20:55:52.551  8306  9194 W System.err: 	at java.lang.Thread.run(Thread.java:764)
11-11 20:55:52.552  8306  9194 W System.err: Caused by: org.eclipse.jgit.errors.TransportException: ssh://****: Algorithm negotiation fail
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:191)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:140)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:280)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:170)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:138)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:124)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1292)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:244)
11-11 20:55:52.552  8306  9194 W System.err: 	... 9 more
11-11 20:55:52.552  8306  9194 W System.err: Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
11-11 20:55:52.552  8306  9194 W System.err: 	at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
11-11 20:55:52.552  8306  9194 W System.err: 	at com.jcraft.jsch.Session.connect(Session.java:320)
11-11 20:55:52.552  8306  9194 W System.err: 	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:145)
11-11 20:55:52.552  8306  9194 W System.err: 	... 16 more
@agboom agboom changed the title Algorithm negotiation fail Algorithm negotiation fail on pull repository Nov 11, 2019
@agboom agboom changed the title Algorithm negotiation fail on pull repository Algorithm negotiation fail on pull from remote Nov 11, 2019
@msfjarvis
Member

> The stack trace below seems to suggest that the key exchange between client and server didn't succeed (that's what I conclude from receive_kexinit anyway). Could it be that Jsch does not support modern key exchange algorithms such as diffie-hellman-group14-sha256?

It's the most probable cause.

@agboom
Author

agboom commented Nov 12, 2019

According to this comparison matrix for SSH implementations, Jsch does indeed lack the modern key exchange algorithms.
From a quick glance I see that SSHJ is more up-to-date in this respect, supporting up to diffie-hellman-group18-sha512. Other features, such as ciphers, are also on par or better.

Would it be sensible to migrate to SSHJ?

@msfjarvis
Member

Yes I feel that'll probably be for the best. Will take a stab at it soon.

@msfjarvis
Member

SSHJ's support for generating SSH keys seems to be missing which is a blocker for us because Jsch does support it. Are you aware of any alternatives to assist us in that? I'd really prefer using a proven and tested implementation rather than try to roll my own for the app.

@agboom
Author

agboom commented Nov 20, 2019

That's too bad, I overlooked that. Full disclosure: I don't have experience with Jsch or SSHJ, I only found them through some research online.

That said, do you have access to the Bouncycastle API? In that case would this example help? Or maybe this example also using Bouncycastle?

As a plan B, would it be acceptable to use OpenKeychain for SSH key management instead (as implemented in #486)?

@Floderik

I ran into the same problem today. I got it working again by disabling the ED25519 SSH host key and going back to an RSA-based key. Not much of a security issue, but it would be nice to have more recent algorithms.
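The negotiation the two reports above are debugging (no shared key exchange algorithm in the first report, no shared host key algorithm in the second) can be replayed offline. The following is an added example, not code from the issue, from Password Store or from JSch: it parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and applies the client-preference rule that picks the kex and host key algorithm. The server proposals are constructed, and the client lists are an assumption modelled on the defaults of older JSch releases, not a verified copy of any JSch version.

```python
"""Replay SSH algorithm negotiation (RFC 4253, section 7.1) offline.

An empty intersection between the client's and server's name-lists is the
condition a JSch client reports as "Algorithm negotiation fail" from
Session.receive_kexinit, before any key exchange message is sent.
"""
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed data, not captured from a real server. The client lists are an
# assumption modelled on older JSch defaults: no curve25519, no SHA-256
# group14 kex, no ssh-ed25519 host keys.
OLD_CLIENT_KEX = [
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
]
OLD_CLIENT_HOSTKEY = [
    "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
]
# A hardened sshd proposal: modern kex only, ed25519 host key only.
HARDENED_SERVER = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256",
                       "diffie-hellman-group16-sha512"],
    "server_host_key_algorithms": ["ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-512-etm@openssh.com"],
    "mac_algorithms_server_to_client": ["hmac-sha2-512-etm@openssh.com"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
# The same server with an RSA host key re-enabled (the workaround reported in
# the thread) plus one kex algorithm the old client also knows.
RELAXED_SERVER = dict(HARDENED_SERVER)
RELAXED_SERVER["kex_algorithms"] = HARDENED_SERVER["kex_algorithms"] + ["ecdh-sha2-nistp256"]
RELAXED_SERVER["server_host_key_algorithms"] = ["ssh-ed25519", "ssh-rsa"]


def _name_list(buf: bytes, off: int):
    """Decode one RFC 4251 name-list: uint32 length, comma-separated ASCII."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + n


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Split a decrypted SSH_MSG_KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _name_list(payload, off)
    # A boolean (first_kex_packet_follows) and a reserved uint32 close the message.
    if len(payload) - off < 5:
        raise ValueError("payload ends before first_kex_packet_follows/reserved")
    return fields


def build_kexinit(fields: Dict[str, List[str]], cookie: bytes = b"\x00" * 16) -> bytes:
    """Encode a proposal the same way a server would (used here for test data)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        raw = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first algorithm on the client's list that the server also lists."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def diagnose(client_kex: List[str], client_hostkey: List[str], server_payload: bytes) -> Dict[str, Optional[str]]:
    """None in either slot is the 'Algorithm negotiation fail' condition."""
    srv = parse_kexinit(server_payload)
    return {
        "kex": negotiate(client_kex, srv["kex_algorithms"]),
        "host_key": negotiate(client_hostkey, srv["server_host_key_algorithms"]),
    }


if __name__ == "__main__":
    for label, proposal in (("hardened", HARDENED_SERVER), ("relaxed", RELAXED_SERVER)):
        print(label, diagnose(OLD_CLIENT_KEX, OLD_CLIENT_HOSTKEY, build_kexinit(proposal)))
```

Against the hardened proposal both slots come back None, which is what an old JSch sees; re-enabling an RSA host key alone would still leave the kex slot empty, so the server must also offer one kex algorithm the client knows. To obtain a real server's proposal for `parse_kexinit`, an OpenSSH client run with `ssh -vv user@host` prints the peer's KEXINIT name-lists in its debug2 output, and `ssh -Q kex` lists what the local OpenSSH client itself supports.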

@msfjarvis
Member

That's a Jsch limitation that I can unfortunately do nothing about. If the ability to generate SSH keys will not be missed, I'll restart my efforts to migrate to SSHJ.

@msfjarvis
Member

After discussing with @Skrilltrax we both agree that it's in the project's best interests for us to avoid making any large changes to master and instead focus on making right choices from the get go on the v2 branch instead, so I'll not be attempting to migrate v1 to SSHJ. I'm currently looking into how best we can make use of SSHJ to create a feature-compatible replacement of Jsch out of it. I'm also investigating how to get around the need to disable StrictHostKeyChecking which enables MITM attack vectors as pointed out in #494.

@msfjarvis
Member

Closing this in favour of keeping discussion consolidated to #448

@android-password-store android-password-store locked and limited conversation to collaborators May 25, 2020

3 participants