Hi ymnk,
Using 0.1.51, I am unable to connect to a CentOS6/RH6 server set up in
"FIPS compliance mode"
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html).
When connecting, it fails with the following error:

com.jcraft.jsch.JSchException: Session.connect: java.io.IOException: End of IO Stream Read
    at com.jcraft.jsch.Session.connect(Session.java:558)
    at JschApp.main(JschApp.java:56)

In the server log:

sshd[9303]: debug1: SSH2_MSG_KEXINIT received
sshd[9303]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
sshd[9303]: debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512
sshd[9303]: debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512
sshd[9303]: debug2: kex_parse_kexinit: none,z...@openssh.com
sshd[9303]: debug2: kex_parse_kexinit: none,z...@openssh.com
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit: first_kex_follows 0
sshd[9303]: debug2: kex_parse_kexinit: reserved 0
sshd[9303]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
sshd[9303]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
sshd[9303]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
sshd[9303]: debug2: kex_parse_kexinit: none
sshd[9303]: debug2: kex_parse_kexinit: none
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit: first_kex_follows 0
sshd[9303]: debug2: kex_parse_kexinit: reserved 0
sshd[9303]: debug2: mac_setup: found hmac-sha1
sshd[9303]: debug1: kex: client->server aes128-ctr hmac-sha1 none
sshd[9303]: debug3: mm_request_send entering: type 78
sshd[9303]: debug3: mm_request_receive_expect entering: type 79
sshd[9303]: debug3: mm_request_receive entering
sshd[9299]: debug3: monitor_read: checking request 78
sshd[9299]: debug3: mm_request_send entering: type 79
sshd[9299]: debug3: mm_request_receive entering
sshd[9303]: debug2: mac_setup: found hmac-sha1
sshd[9303]: debug1: kex: server->client aes128-ctr hmac-sha1 none
sshd[9303]: debug3: mm_request_send entering: type 78
sshd[9303]: debug3: mm_request_receive_expect entering: type 79
sshd[9303]: debug3: mm_request_receive entering
sshd[9299]: debug3: monitor_read: checking request 78
sshd[9299]: debug3: mm_request_send entering: type 79
sshd[9299]: debug3: mm_request_receive entering
sshd[9303]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
sshd[9303]: debug3: mm_request_send entering: type 0
sshd[9303]: debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
sshd[9303]: debug3: mm_request_receive_expect entering: type 1
sshd[9303]: debug3: mm_request_receive entering
sshd[9299]: debug3: monitor_read: checking request 0
sshd[9299]: debug3: mm_answer_moduli: got parameters: 2048 2048 1024
sshd[9299]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
sshd[9299]: debug1: do_cleanup
Using either diffie-hellman-group-exchange-sha1 or
diffie-hellman-group-exchange-sha256 fails with FIPS enabled, but
succeeds with FIPS disabled. Using either with the OpenSSH client works
fine.
On a side note, IF the client is using Java 8, I am able to connect with
JSch, as it is able to use diffie-hellman-group14-sha1 successfully.
Does the server output give you any ideas what may be the issue?
Thank you in advance.
- Scott
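
Added example, not part of the original message and not JSch or OpenSSH code: a small Python triage script for an sshd debug log like the one above. It reports which key exchange the two KEXINIT proposals settle on and whether the sizes logged by mm_answer_moduli are ordered. Assumptions: sshd logs its own proposal before the client's, and the three logged numbers are minimum, preferred and maximum modulus bits.

```python
import re

# Constructed sample: lines taken from the log in the post, two of them
# wrapped the way a mail client wraps long lines, to exercise unwrap().
SAMPLE_LOG = """\
sshd[9303]: debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: reserved 0
sshd[9303]: debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: reserved 0
sshd[9299]: debug3: mm_answer_moduli: got parameters: 2048 2048 1024
sshd[9299]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
"""

def unwrap(text):
    """Rejoin wrapped continuation lines onto the sshd[pid] line they belong to."""
    out = []
    for line in text.splitlines():
        if line.startswith("sshd[") or not out:
            out.append(line.rstrip())
        else:
            out[-1] += " " + line.strip()
    return out

def kex_proposals(lines):
    """KEX name-list of each logged proposal; a 'reserved' field ends a proposal."""
    found, first = [], True
    for line in lines:
        m = re.search(r"kex_parse_kexinit: ?(.*)$", line)
        if m:
            if first:
                found.append(m.group(1).split(","))
            first = m.group(1).startswith("reserved ")
    return found

def diagnose(text=SAMPLE_LOG):
    lines = unwrap(text)
    # Assumption: sshd logs its own proposal first, then the client's.
    server, client = kex_proposals(lines)[:2]
    # RFC 4253 section 7.1, simplified: first client KEX name the server also offers.
    kex = next((a for a in client if a in server), None)
    m = re.search(r"got parameters: (\d+) (\d+) (\d+)", "\n".join(lines))
    # Assumption: the three numbers are min, preferred, max modulus bits.
    p = tuple(map(int, m.groups())) if m else None
    return {"kex": kex, "params": p, "range_ok": p and p[0] <= p[1] <= p[2]}

if __name__ == "__main__":
    print(diagnose())
```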