Enabling KEX with SHA1 in Mina SSHD 2.6.0

Problem description

When using Mina SSHD (for SFTP) in version 2.6.0, the diffie-hellman SHA1 KEX have been removed (as they should be), but in my setup I need to be able to allow them for backwards compatibility.

I can see that when I try to connect to the server, I get an exception: Unable to negotiate key exchange for KEX algorithms (client: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256 / server: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1), which is expected when the server only accepts the old SHA1 algorithms.

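In the Mina code, in BaseBuilder.java, I can see that the old KEX have been removed from the default KEX list, DEFAULT_KEX_PREFERENCE. I tried to add the two missing KEX in my application by overriding the KEX factories like this (using the same function as Mina itself):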

// Default client    
val internalSshClient = SshClient.setUpDefaultClient()

// Set additional KEXs
val unsafeKexList: util.ArrayList[BuiltinDHFactories] = new util.ArrayList[BuiltinDHFactories](BaseBuilder.DEFAULT_KEX_PREFERENCE)
unsafeKexList.add(BuiltinDHFactories.dhg14)
unsafeKexList.add(BuiltinDHFactories.dhg1)
internalSshClient.setKeyExchangeFactories(NamedFactory.setUpTransformedFactories(true,unsafeKexList,ClientBuilder.DH2KEX))

Then, when I iterate over the KEX of the created ssh session, I get this:

sshClientSession.getKeyExchangeFactories.asScala.foreach(kex => {
  println(s"Client session KEX: ${kex.getName}")
})

// Client session KEX: ecdh-sha2-nistp521
// Client session KEX: ecdh-sha2-nistp384
// Client session KEX: ecdh-sha2-nistp256
// Client session KEX: diffie-hellman-group-exchange-sha256
// Client session KEX: diffie-hellman-group18-sha512
// Client session KEX: diffie-hellman-group17-sha512
// Client session KEX: diffie-hellman-group16-sha512
// Client session KEX: diffie-hellman-group15-sha512
// Client session KEX: diffie-hellman-group14-sha256
// Client session KEX: diffie-hellman-group14-sha1
// Client session KEX: diffie-hellman-group1-sha1

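But the connection still fails with the exception that my client does not offer any of the KEX the server supports. I could not find any other documentation on this issue for Mina, and I cannot see what I might be missing.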

Solution

The solution is simply to add the following lines of code after instantiating the sshd/sftp client:

SshClient client = ...
final List<KeyExchangeFactory> unsupportedKeyExchangeList = NamedFactory.setUpTransformedFactories(false,BuiltinDHFactories.VALUES,ClientBuilder.DH2KEX);
client.setKeyExchangeFactories(unsupportedKeyExchangeList);

Explanation: after comparing 2.5.1 and 2.7.0, it looks like the Mina SSHD team forgot to add 3 KeyExchanges ^_^

KeyExchanges supported by default in v2.7.0

0 = {DHGClient$1@3636} "NamedFactory<KeyExchange>[ecdh-sha2-nistp521]"
1 = {DHGClient$1@3637} "NamedFactory<KeyExchange>[ecdh-sha2-nistp384]"
2 = {DHGClient$1@3638} "NamedFactory<KeyExchange>[ecdh-sha2-nistp256]"
3 = {DHGEXClient$1@3639} "NamedFactory<KeyExchange>[diffie-hellman-group-exchange-sha256]"
4 = {DHGClient$1@3640} "NamedFactory<KeyExchange>[diffie-hellman-group18-sha512]"
5 = {DHGClient$1@3641} "NamedFactory<KeyExchange>[diffie-hellman-group17-sha512]"
6 = {DHGClient$1@3642} "NamedFactory<KeyExchange>[diffie-hellman-group16-sha512]"
7 = {DHGClient$1@3643} "NamedFactory<KeyExchange>[diffie-hellman-group15-sha512]"
8 = {DHGClient$1@3644} "NamedFactory<KeyExchange>[diffie-hellman-group14-sha256]"

v2.5.1 supports the items above, plus the following 3.

9 = {DHGEXClient$1@4216} "NamedFactory<KeyExchange>[diffie-hellman-group-exchange-sha1]"
10 = {DHGClient$1@4222} "NamedFactory<KeyExchange>[diffie-hellman-group14-sha1]"
11 = {DHGClient$1@4223} "NamedFactory<KeyExchange>[diffie-hellman-group1-sha1]"
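
As an added example (not code from the question, the answer, or Mina SSHD), this Python sketch parses the negotiation error quoted in the question and applies a simplified form of the RFC 4253 selection rule (the first client algorithm that the server also lists) to show why the position of the SHA-1 entries in the client list matters. The "modern" server list and the reversed client ordering are constructed for illustration.

```python
import re

# Shape of the exception text quoted in the question.
KEX_ERROR = re.compile(r"\(client:\s*([^/]+?)\s*/\s*server:\s*([^)]+?)\s*\)")

# Constructed sample: same algorithm lists as the exception in the question.
DEFAULT_CLIENT = ("ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,"
                  "diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,"
                  "diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,"
                  "diffie-hellman-group15-sha512,diffie-hellman-group14-sha256")
LEGACY_SERVER = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
SAMPLE = ("Unable to negotiate key exchange for KEX algorithms "
          f"(client: {DEFAULT_CLIENT} / server: {LEGACY_SERVER})")


def parse_kex_error(message):
    """Return (client_list, server_list) parsed from the exception text."""
    m = KEX_ERROR.search(message)
    if m is None:
        raise ValueError("not a KEX negotiation failure")
    return tuple([a.strip() for a in g.split(",") if a.strip()] for g in m.groups())


def negotiate(client, server):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    offered = set(server)
    return next((a for a in client if a in offered), None)


def sha1_only(server):
    """True when every KEX the server offers is SHA-1 based."""
    return all(a.endswith("-sha1") for a in server)


if __name__ == "__main__":
    client, server = parse_kex_error(SAMPLE)
    print("default client:", negotiate(client, server))
    print("server is SHA-1 only:", sha1_only(server))
    # Order shown in the question's session listing: defaults first, SHA-1 last.
    patched = client + ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
    print("legacy host:", negotiate(patched, server))
    # Constructed modern server: the appended SHA-1 entries are never reached.
    modern = ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]
    print("modern host:", negotiate(patched, modern))
    # Constructed ordering with SHA-1 first: the same modern host is downgraded.
    print("SHA-1 first:", negotiate(patched[::-1], modern))
```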
