Starting with version 6.3.0 of CloverDX, we replaced the library com.jcraft:jsch with com.github.mwiede:jsch, which disables the ssh-rsa host key algorithm by default. This can break connections to SFTP servers that offer only ssh-rsa.
It is possible to re-enable the algorithm, but note that ssh-rsa was deprecated because its signatures use the SHA-1 hash, which is no longer considered collision resistant. The algorithm names matter here: rsa-sha2-256 and rsa-sha2-512 (RFC 8332) use the same RSA host key with SHA-2 signatures and remain enabled, so a server that supports them needs no change on the CloverDX side. Re-enabling ssh-rsa is only required for servers that offer nothing but SHA-1 based algorithms, and upgrading or reconfiguring such a server is preferable to weakening the client.
Example of the error message:
Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-rsa"
The jschProposal and serverProposal values will differ in your environment. When enabling ssh-rsa via the JVM argument described below, add the serverProposal value(s) to the jschProposal values and use the full list: the property replaces JSch's default list rather than extending it, so any algorithm you leave out is disabled. The list is also the client's preference order, and the server picks the first algorithm on it that it supports (RFC 4253, section 7.1). The examples in this article put ssh-rsa first; if you want a server that supports both ssh-rsa and rsa-sha2-* to negotiate the SHA-2 variant, list ssh-rsa last instead.
This article uses these example values throughout.
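The merging rule above (add the server's values to jschProposal and keep all of them) as an added helper, not CloverDX or JSch code: it parses the quoted log message, builds the -Djsch.server_host_key value and reports which SHA-1 based algorithms that value re-enables. It assumes only the message format shown above (key="value" pairs for algorithmName, jschProposal and serverProposal). Unlike the property values in this article, it appends the server-only algorithms instead of prepending them, so stronger algorithms stay preferred against servers that support them.

```python
"""Derive a jsch.server_host_key value from a JSch 'Algorithm negotiation fail' message.

Added example for this article, not CloverDX or JSch code. It assumes the message
format quoted in the article: key="value" pairs for algorithmName, jschProposal and
serverProposal. The merged list keeps JSch's order and appends algorithms only the
server offered, because the list is the client's preference order and the server
picks the first entry it also supports (RFC 4253 section 7.1).
"""
import re

# Host key algorithms whose signatures use SHA-1 (the reason ssh-rsa is disabled).
SHA1_HOST_KEY_ALGORITHMS = frozenset({"ssh-rsa", "ssh-dss"})

# Constructed sample input: the error message quoted in the article.
SAMPLE_ERROR = (
    'Algorithm negotiation fail: algorithmName="server_host_key" '
    'jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,'
    'rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-rsa"'
)

_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def _split(name_list):
    """Split an SSH name-list ("a,b,c") into a list, dropping empty entries."""
    return [name for name in name_list.split(",") if name]


def parse_negotiation_failure(message):
    """Return (jsch_proposal, server_proposal) as lists parsed from the log message.

    Raises ValueError when the message is not a server_host_key failure: the same
    line format is used for other algorithm classes (kex, cipher, mac), and those
    need a different jsch.* property, not jsch.server_host_key.
    """
    fields = dict(_FIELD_RE.findall(message))
    if fields.get("algorithmName") != "server_host_key":
        raise ValueError("not a server_host_key negotiation failure: %r" % message)
    return _split(fields["jschProposal"]), _split(fields["serverProposal"])


def merged_proposal(jsch_proposal, server_proposal):
    """Union of both proposals: JSch's entries first, then server-only entries.

    Duplicates are dropped. Appending rather than prepending the server's legacy
    algorithms keeps rsa-sha2-* and ecdsa preferred wherever a server offers them.
    """
    merged = list(dict.fromkeys(jsch_proposal))
    for name in server_proposal:
        if name not in merged:
            merged.append(name)
    return merged


def jvm_argument(message):
    """Build the -Djsch.server_host_key=... argument for a negotiation failure message."""
    jsch_proposal, server_proposal = parse_negotiation_failure(message)
    return "-Djsch.server_host_key=" + ",".join(merged_proposal(jsch_proposal, server_proposal))


def sha1_algorithms_enabled(message):
    """List the SHA-1 based algorithms the generated argument would re-enable."""
    _, server_proposal = parse_negotiation_failure(message)
    return [name for name in server_proposal if name in SHA1_HOST_KEY_ALGORITHMS]


if __name__ == "__main__":
    print(jvm_argument(SAMPLE_ERROR))
    weak = sha1_algorithms_enabled(SAMPLE_ERROR)
    if weak:
        print("WARNING: re-enabling SHA-1 based host key algorithms:", ", ".join(weak))
```

Paste the actual log line from your environment in place of the constructed sample; the script refuses messages for other algorithm classes so the property is not applied to the wrong failure.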
How to enable SSH-rsa via OpenSSH config file
If CloverDX is configured to use an OpenSSH client configuration file (the same ssh_config format as ~/.ssh/config, which OpenSSH 8.8+ clients likewise need for servers that offer only ssh-rsa), add the following lines to that file. Note that this is the client configuration, not the server's sshd_config:
Host *
HostKeyAlgorithms +ssh-rsa
To enable ssh-rsa only for specific hosts, replace the asterisk with the hostname or IP address of the server.
If you're not using an OpenSSH client at all, you can still use this approach:
- Create a new text file, for example ssh_config (the name is arbitrary; the file uses the OpenSSH client configuration syntax, not the server-side sshd_config).
- Write the following into that file:
Host *
HostKeyAlgorithms +ssh-rsa
- Open CloverDX Designer.
- Go to Window > Preferences > CloverDX.
- Tick the checkbox "Use OpenSSH config file" and set the path to the file you created.
How to enable SSH-rsa via JVM argument
In all of the cases below the property to set is the same JVM system property (it replaces JSch's default list, so the default algorithms must be listed explicitly):
-Djsch.server_host_key=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
CloverDX Designer
To re-enable the ssh-rsa algorithm in CloverDX Designer, set the following property:
-Djsch.server_host_key=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
To make remote files on servers that offer only ssh-rsa accessible from the URL dialog window, set this property in the Eclipse launcher settings, which are stored in the CloverDXDesigner.ini file.
On Windows the default location is:
C:\Program Files\CloverDX Designer
Add the property on its own line at the end of the file, after the -vmargs line (everything following -vmargs is passed to the JVM).
Note that changes to CloverDXDesigner.ini require a restart of the Designer to take effect.
The next step is to enable ssh-rsa for the Runtime. The CloverDX Designer Runtime is a simplified server instance used for graph executions in local environments.
Add the same property to the VM arguments in Preferences > CloverDX > CloverDX Runtime.
After saving the changes, the Runtime must be restarted.
How to enable SSH-rsa in Server Core and Worker
To enable ssh-rsa for the Worker, open the CloverDX Server console, go to Configuration > Setup > Worker and add the following property to the JVM Arguments text box:
-Djsch.server_host_key=ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
The Worker must be restarted afterwards.
To enable ssh-rsa for the Server Core, add the property to JAVA_OPTS in the setenv.bat file (setenv.sh on Linux) and then restart Tomcat / CloverDX Server.
Default location is:
{TomcatHome}\bin\setenv.bat
After the change, JAVA_OPTS in that file carries the -Djsch.server_host_key=... property alongside any options already set there.
CloverDX Server/Tomcat as a Service
If you are running CloverDX Server as a Windows service, the service does not read setenv.bat; set the property in the Java Options of the Tomcat9 service configuration instead.
Find and run Tomcat9w.exe. By default, the location is:
\Apache Software Foundation\Tomcat 9.0\bin\Tomcat9w.exe
Go to the Java tab, add the property to the Java Options text block and restart the service.