[JSch-users] FIPS mode failure

Fri, 13 Mar 2015 09:47:45 -0700 

Hi ymnk,
Using 0.1.51, I am unable to connect to a CentOS6/RH6 Server setup in "FIPS compliance mode" (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html). 

When connecting, it fails with the following error:

   com.jcraft.jsch.JSchException: Session.connect: java.io.IOException:
   End of IO Stream Read
            at com.jcraft.jsch.Session.connect(Session.java:558)
            at JschApp.main(JschApp.java:56)

In the server log:

   sshd[9303]: debug1: SSH2_MSG_KEXINIT received
   sshd[9303]: debug2: kex_parse_kexinit:
   
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
   sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
   sshd[9303]: debug2: kex_parse_kexinit:
   aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
   sshd[9303]: debug2: kex_parse_kexinit:
   aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
   sshd[9303]: debug2: kex_parse_kexinit:
   hmac-sha1,hmac-sha2-256,hmac-sha2-512
   sshd[9303]: debug2: kex_parse_kexinit:
   hmac-sha1,hmac-sha2-256,hmac-sha2-512
   sshd[9303]: debug2: kex_parse_kexinit: none,z...@openssh.com
   sshd[9303]: debug2: kex_parse_kexinit: none,z...@openssh.com
   sshd[9303]: debug2: kex_parse_kexinit:
   sshd[9303]: debug2: kex_parse_kexinit:
   sshd[9303]: debug2: kex_parse_kexinit: first_kex_follows 0
   sshd[9303]: debug2: kex_parse_kexinit: reserved 0
   sshd[9303]: debug2: kex_parse_kexinit:
   diffie-hellman-group-exchange-sha1
   sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
   sshd[9303]: debug2: kex_parse_kexinit:
   aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
   sshd[9303]: debug2: kex_parse_kexinit:
   aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
   sshd[9303]: debug2: kex_parse_kexinit:
   hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
   sshd[9303]: debug2: kex_parse_kexinit:
   hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
   sshd[9303]: debug2: kex_parse_kexinit: none
   sshd[9303]: debug2: kex_parse_kexinit: none
   sshd[9303]: debug2: kex_parse_kexinit:
   sshd[9303]: debug2: kex_parse_kexinit:
   sshd[9303]: debug2: kex_parse_kexinit: first_kex_follows 0
   sshd[9303]: debug2: kex_parse_kexinit: reserved 0
   sshd[9303]: debug2: mac_setup: found hmac-sha1
   sshd[9303]: debug1: kex: client->server aes128-ctr hmac-sha1 none
   sshd[9303]: debug3: mm_request_send entering: type 78
   sshd[9303]: debug3: mm_request_receive_expect entering: type 79
   sshd[9303]: debug3: mm_request_receive entering
   sshd[9299]: debug3: monitor_read: checking request 78
   sshd[9299]: debug3: mm_request_send entering: type 79
   sshd[9299]: debug3: mm_request_receive entering
   sshd[9303]: debug2: mac_setup: found hmac-sha1
   sshd[9303]: debug1: kex: server->client aes128-ctr hmac-sha1 none
   sshd[9303]: debug3: mm_request_send entering: type 78
   sshd[9303]: debug3: mm_request_receive_expect entering: type 79
   sshd[9303]: debug3: mm_request_receive entering
   sshd[9299]: debug3: monitor_read: checking request 78
   sshd[9299]: debug3: mm_request_send entering: type 79
   sshd[9299]: debug3: mm_request_receive entering
   sshd[9303]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
   sshd[9303]: debug3: mm_request_send entering: type 0
   sshd[9303]: debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
   sshd[9303]: debug3: mm_request_receive_expect entering: type 1
   sshd[9303]: debug3: mm_request_receive entering
   sshd[9299]: debug3: monitor_read: checking request 0
   sshd[9299]: debug3: mm_answer_moduli: got parameters: 2048 2048 1024
   sshd[9299]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
   sshd[9299]: debug1: do_cleanup


Using either diffie-hellman-group-exchange-sha1 or 
diffie-hellman-group-exchange-sha256 fails with FIPS enabled, but 
succeeds with FIPS disabled. Using either with the OpenSSH client works 
fine.



On a side note, IF the client is using Java 8, I am able to connect with 
JSch, as it is able to use diffie-hellman-group14-sha1 successfully.

Does the server output give you any ideas what may be the issue?

Thank you in advance.
 - Scott

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
JSch-users mailing list
JSch-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jsch-users






















					Reply via email to