SSH Security information

sFTP Crypto Algorithms

Using SSH you can run into certain crypto issues. Since ConnectPlaza 4.4.0, certain ciphers such as (3)DES and hashing algorithms such as SHA1 are no longer supported, due to their insecure nature. If certain connections to (older) SFTP servers require the use of these deprecated algorithms, you may need to override these settings.

For more information about SSH Security and its options, follow this link

You can modify the used SSH Ciphers, Server Host Key and Key Exchange settings by overriding the default settings using properties in the <connectplaza-install-directory>/conf/ file. This file can be edited manually. Please refer to your server’s supported list of ciphers and algorithms.

Please note: these adjustments are Agent wide and will affect all (!) SFTP based connections.

SSH Server Host Key: connectplaza.process.jvm.arg.jsch.server_host_key = -Djsch.server_host_key=[your algoritms]

SSH Server Key Exchange: connectplaza.process.jvm.arg.jsch.kex = -Djsch.kex=[your algoritms]

SSH Server Ciphers: connectplaza.process.jvm.arg.jsch.cipher = -Djsch.cipher=[your ciphers]

Please see this page for all options and their settings.

Finding the ciphers

To find the correct settings, you have to check your log files. The JSCH Client throws an exception with some important information, like:

  • jsch-proposal --> The algorithms or ciphers supported by JSCH
  • server-proposal --> The algorithms or ciphers offered by the server

This will give you the answers to the missing algorithm or cipher.

For instance you are connecting to an outgoing sFTP service. In your logfile you see an error like this:

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-rsa,ssh-dss"

You see that in the serverProposal the ciphers which the sFTP server supports. In the jschProposal, your site of the connection, you do not support these ciphers. So you cannot connect.

To fix this, you have to add, in this case, the ssh-rsa and ssh-dss cipers (or at least one of them) to your connectplaza.process.jvm.arg.jsch.server_host_key. Like this:

connectplaza.process.jvm.arg.jsch.server_host_key = -Djsch.server_host_key=ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss