Automic Workload Automation

 RA-FTP Algorithm Problem

Martin Winkler posted Nov 19, 2022 01:12 PM
Hello,

We have a problem regarding an RA-FTP job:

2022-11-19 19:00:14             Connection established
2022-11-19 19:00:14             Remote version string: SSH-2.0-SHAFT
2022-11-19 19:00:14             Local version string: SSH-2.0-JSCH-0.1.54
2022-11-19 19:00:14             CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
2022-11-19 19:00:14             CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
2022-11-19 19:00:14             CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2022-11-19 19:00:14             SSH_MSG_KEXINIT sent
2022-11-19 19:00:14             SSH_MSG_KEXINIT received
2022-11-19 19:00:14             kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,ext-info-s
2022-11-19 19:00:14             kex: server: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
2022-11-19 19:00:14             kex: server: aes128-ctr,aes192-ctr,aes256-ctr
2022-11-19 19:00:14             kex: server: aes128-ctr,aes192-ctr,aes256-ctr
2022-11-19 19:00:14             kex: server: hmac-sha2-256,hmac-sha2-512
2022-11-19 19:00:14             kex: server: hmac-sha2-256,hmac-sha2-512
2022-11-19 19:00:14             kex: server: none,zlib,zlib@openssh.com
2022-11-19 19:00:14             kex: server: none,zlib,zlib@openssh.com
2022-11-19 19:00:14             kex: server: 
2022-11-19 19:00:14             kex: server: 
2022-11-19 19:00:14             kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2022-11-19 19:00:14             kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2022-11-19 19:00:14             kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2022-11-19 19:00:14             kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2022-11-19 19:00:14             kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-11-19 19:00:14             kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-11-19 19:00:14             kex: client: zlib@openssh.com,zlib,none
2022-11-19 19:00:14             kex: client: zlib@openssh.com,zlib,none
2022-11-19 19:00:14             kex: client: 
2022-11-19 19:00:14             kex: client: 
2022-11-19 19:00:14             Disconnecting from <HOST>
Algorithm negotiation fail
com.uc4.ftpjob.DataTransferException: Connection exception.
	at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:175)
	at com.uc4.ftpjob.connections.ConnectionManager$1.run(ConnectionManager.java:87)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail
	at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
	at com.jcraft.jsch.Session.connect(Session.java:320)
	at com.jcraft.jsch.Session.connect(Session.java:183)
	at com.uc4.transfer.CITSFTPImpl.<init>(CITSFTPImpl.java:141)
	... 2 more
Any ideas on how to solve this problem?

We are running the RA-FTP Agent 12.3.9+hf.2.build.1665673213934.

Regards
M. :)
Krum Ganev

Hey there,

You did provide the RA Agent version, but can you also provide the FTP Solution version?

A quick search turned this up; it could solve your problem (as the info is quite scarce).

https://knowledge.broadcom.com/external/article/84578/agent-connection-aborts-with-algorithm-n.html

Martin Winkler
Hey there,


+ I already updated the jsch to 0.1.55.

Regards
Martin
Siegfried Gyuricsko

We support a customer who will soon face the same issue, because the external server will stop offering ssh-rsa and ecdsa-sha2-nistp521, leaving only ssh-ed25519, rsa-sha2-512 and rsa-sha2-256, which won't match any host key algorithms in the RA FTP agent. The latest version 4.1.1 of the RA FTP agent still uses the latest version 0.1.55 of JCraft's JSch (http://www.jcraft.com/jsch/).

Has Broadcom provided a solution to this issue for you, or have you implemented a workaround based on Curl or another tool?
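Added example (not code from any poster, Broadcom or JSch): a small parser for the "kex: server:" / "kex: client:" debug lines in the log from the first post, reporting which KEXINIT name-list has no algorithm in common. The function names and slot labels are illustrative, and it assumes the lines are logged in RFC 4253 KEXINIT order.

```python
import re

# First eight KEXINIT name-lists in RFC 4253 order; assumption: the log prints
# one "kex: <side>:" line per list in that order (language lists are ignored).
SLOTS = ["kex", "server_host_key", "cipher_c2s", "cipher_s2c",
         "mac_c2s", "mac_s2c", "compression_c2s", "compression_s2c"]
LINE = re.compile(r"kex: (server|client): ?(.*)$")

def parse_proposals(log_text):
    seen = {"server": [], "client": []}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            seen[m.group(1)].append([a for a in m.group(2).strip().split(",") if a])
    return {side: dict(zip(SLOTS, lists)) for side, lists in seen.items()}

def negotiate(proposals):
    # Simplified RFC 4253 rule: first client entry that the server also lists.
    chosen = {}
    for slot in SLOTS:
        server = set(proposals["server"].get(slot, []))
        chosen[slot] = next((a for a in proposals["client"].get(slot, []) if a in server), None)
    return chosen

def failed_slots(log_text):
    return [s for s, alg in negotiate(parse_proposals(log_text)).items() if alg is None]

# Proposal lines from the log in the first post (padding condensed, empty language lines left out).
SAMPLE = """\
2022-11-19 19:00:14 kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,ext-info-s
2022-11-19 19:00:14 kex: server: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
2022-11-19 19:00:14 kex: server: aes128-ctr,aes192-ctr,aes256-ctr
2022-11-19 19:00:14 kex: server: aes128-ctr,aes192-ctr,aes256-ctr
2022-11-19 19:00:14 kex: server: hmac-sha2-256,hmac-sha2-512
2022-11-19 19:00:14 kex: server: hmac-sha2-256,hmac-sha2-512
2022-11-19 19:00:14 kex: server: none,zlib,zlib@openssh.com
2022-11-19 19:00:14 kex: server: none,zlib,zlib@openssh.com
2022-11-19 19:00:14 kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2022-11-19 19:00:14 kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2022-11-19 19:00:14 kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2022-11-19 19:00:14 kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2022-11-19 19:00:14 kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-11-19 19:00:14 kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2022-11-19 19:00:14 kex: client: zlib@openssh.com,zlib,none
2022-11-19 19:00:14 kex: client: zlib@openssh.com,zlib,none
"""

print(failed_slots(SAMPLE))
```

For that log only the server host key list comes back without a match; key exchange, cipher, MAC and compression each have a common algorithm.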

Andreas Buesching

Hi,

Looks like there is a maintained version of jsch at https://github.com/mwiede/jsch. Maybe it is an option for Broadcom to switch to that version.

Kind regards

Andreas

Siegfried Gyuricsko

RA-FTP V4.1.2, which has been released today, still uses the outdated V0.1.55 of Jsch. No solution from Broadcom in sight.

Broadcom Employee Michael Dolinek

Dear customers

Update

I am glad to announce that by the end of May 2023 a new version of the FTP agent will be available that will contain updated security libraries.

Upon request we can provide a beta version of the FTP agent. Please send an email to Automic Automation Product Management.

See also ideations https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=FE3C64D1-AF4D-488C-82ED-B555E46CEA78 and https://community.broadcom.com/participate/ideation-home/viewidea?IdeationKey=B6BD3085-30EE-4957-BF0E-21EE4419C3B4

Olgun Onur Ozmen

Hi,

Idea link: JSCH does not support algorithms ed-25519, rsa-sha2-512 and rsa-sha2-256

I opened the case {Case#33465204}; case result: "engineering has confirmed the new jsch fork version that would support these new key encryptions will be added in 21.0.8". Then 21.0.8 was released with no fix in it.

I mentioned this situation at Automic office hours: they said that it would arrive in 21.0.9 due to last-minute problems.

After that I opened the case {Case#33539666}; case result: "Hence, I am sorry but for now I cannot communicate an ETA of this new agent as this development has yet to be done. I can confirm that this is not yet available in the agent 21.0.9 for the reasons explained before."

It is constantly postponed, and this lack of communication makes us tired. The fact that the FTP RA agent does not support the rsa-sha2-512 and rsa-sha2-256 algorithms is considered a security vulnerability within the organization. And it is surprising that this problem has not been solved for years. We make plans within the company according to the words we receive from you. Can you please provide correct information?

Regards.