Hi @Thejaswini,
This error seems to be occurring due to an incompatible algorithm.
Below are the key-exchanges, Host Keys, and cipher suites supported by IFS SFTP Connectors:
• SSH2 protocol support.
• Key exchange: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
• Cipher: blowfish-cbc,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-ctr,arcfour,arcfour128,arcfour256
• MAC: hmac-md5, hmac-sha1, hmac-md5-96, hmac-sha1-96
• Host key type: ssh-dss,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
• Userauth: password
• Userauth: publickey(DSA,RSA,ECDSA)
• Userauth: keyboard-interactive
• Userauth: gssapi-with-mic
Confirm the above types are compatible with your SFTP server.
Thank you,
Aswin.
Hello Aswin,
Thank you for the response.
Is there a way around this if the above are not compatible with the SFTP server?
The host keys are not the same.
Regards
Thej
Not sure what your issue is here (and pardon me if I am explaining the obvious but...)
The KNOWN_HOSTS file is just a text file with an IP address, an encryption protocol to communicate with and the public key of the server you are trying to connect to. This ensures the initial connection is with the server you think it is. If anyone tries to spoof the connection it will fail.
Once you have made your connection you then need to authenticate with the SFTP server and this is where you normally put a username and password in the connector configuration screen in IFS.
All of this is driven from IFS i.e. you are either reading a file from an SFTP server outside of IFS in order to pull into IFS or else you are sending a file from IFS to an SFTP Server (again, outside of IFS).
I get the impression from your post that you are trying to get a third party to drop files onto IFS via SFTP? If that is the case none of the above will work. You need to set up a separate SFTP server that will receive the files and then configure IFS to read those files from this server.
Thank you for the response.
The issue here is that the IFS and the SFTP server host keys are not compatible, and when creating the known host file itself there is this issue and the JSch library prevents the creation of the known host file.
Yes, without a known host file we cannot use the SFTP connector in IFS, and it isn't feasible.
Connecting using WinSCP and transferring the file from the IFS server to the SFTP server works, so we probably need to automate WinSCP.
Any input to overcome the incompatibility between the host keys and any alternative option for this would be valuable.
Regards,
Thej
I have the same issue in my case too. The third-party vendor will support one of these host key algorithms:
• rsa-sha2-256
• rsa-sha2-512
• ssh-ed25519
When I try to use WinSCP/FileZilla it uses ssh-ed25519. JSch supports it too; check the attached document.
Is there a way to pass the host key algorithm when you create the host file?
Do you have any other IFS to SFTP connections that work?
If not, it sounds like a very specific issue with your version of IFS and SFTP connection - sorry I can’t be of more help.
WinSCP is pretty powerful and, as long as you have the expertise, you can get some quite sophisticated PowerShell scripts working for moving files around. WinSCP provide template scripts that are pretty helpful.
Hello Ramesh,
As you mentioned, yes, JSch and even third-party vendors support:
- rsa-sha2-256
- rsa-sha2-512
- ssh-ed25519
But IFS confirmed that it uses only:
- ssh-dss
- ssh-rsa
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
and if JSch is the SFTP client for IFS then this limitation shouldn't prevent us from creating KnownHost files.
To answer this: "is there a way to pass the hostkey algorithm when you create the host file"
I have not explored this option; I will look into this, and thank you for the suggestion.
Regards
Thej
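
The mismatch discussed in the posts above can be checked offline before a connector is configured. This is an added example, not part of any post in this thread and not IFS or JSch code: it applies the SSH rule that the first algorithm on the client's list that the server also offers is chosen, using the two host key lists quoted in the thread. The host name `sftp.example.test`, the placeholder key blobs and the ordering of the post-fix list are assumptions.

```python
# Host key algorithms the IFS SFTP connector supports, as listed in this thread.
CONNECTOR = ["ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]
# After the fix described in the thread (the list order is an assumption).
CONNECTOR_FIXED = CONNECTOR + ["rsa-sha2-256", "rsa-sha2-512"]
# What the third-party server in the thread offers.
VENDOR_SERVER = ["rsa-sha2-256", "rsa-sha2-512", "ssh-ed25519"]

# An RSA key is stored as "ssh-rsa" in known_hosts, but it can be verified
# with any of these signature algorithms (RFC 8332).
SIGNATURE_ALGS = {"ssh-rsa": {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}}

def negotiate(client, server):
    """RFC 4253: first algorithm on the client's list the server also offers."""
    return next((alg for alg in client if alg in server), None)

def known_hosts_entries(text):
    """Yield (hosts, key_type) for each key line of a known_hosts file."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3:
            yield fields[0], fields[1]

def entry_usable(key_type, client, server):
    """True if client and server share an algorithm that fits this key type."""
    algs = SIGNATURE_ALGS.get(key_type, {key_type})
    return any(a in algs and a in server for a in client)

# Constructed known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed entries
sftp.example.test ssh-ed25519 AAAAPLACEHOLDER
sftp.example.test ssh-rsa AAAAPLACEHOLDER
"""

def report(client):
    """Map each key type in SAMPLE to whether this client could use it."""
    return {key_type: entry_usable(key_type, client, VENDOR_SERVER)
            for _, key_type in known_hosts_entries(SAMPLE)}

if __name__ == "__main__":
    for name, client in (("before fix", CONNECTOR), ("after fix", CONNECTOR_FIXED)):
        print(name, "negotiated:", negotiate(client, VENDOR_SERVER))
        print(name, "known_hosts entries usable:", report(client))
```
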
Hello Andy,
We do have SFTP connections working and yes the issue is only for this particular case.
Thank you for all the help and support :)
Regards
Thej
Hi Thejaswini,
This has been identified as an issue and a solution is being worked on. The fix will support additional SHA2 algorithms that are not currently supported by the IFS SFTP connector.
Thank you.
Dihan
Hi Thejaswini,
The correction with the support for additional SHA2 algorithms will be available in the following versions:
22.2.21 - 22R2 SU21
23.1.14 - 23R1 SU14
23.2.7 - 23R2 SU7
24.1.1 - 24R1 SU1
APP10UPD24
Regards,
Dihan
Hi @Dihan Perera
When you indicate that additional SHA2 algorithms are being supported in these versions, does this extend to the Known Host file creation?
I’m working with an SFTP that supports ssh-ed25519, however, when I generate the Known Host file using the method defined in the tech help, it generates ecdsa-sha2-nistp256.
This leads to an application message failure where the HostKey is rejected.
Thanks.
Hi @astfarazt
The JSch library update only added rsa-sha2-256 and rsa-sha2-512 support. Currently ssh-ed25519 is not supported.
BR
Thanks @Dihan Perera. Is this on the radar to be supported in the future or does an idea need to be submitted?
Hi @astfarazt,
I think it would be best to submit an idea to request support for ssh-ed25519.
Thanks