[JSch-users] FIPS mode failure
From: Scott S. <sc...@sm...> - 2015-03-13 16:44:06
Hi ymnk,

Using 0.1.51, I am unable to connect to a CentOS6/RH6 Server setup in "FIPS compliance mode" (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html). When connecting, it fails with the following error:

com.jcraft.jsch.JSchException: Session.connect: java.io.IOException: End of IO Stream Read
        at com.jcraft.jsch.Session.connect(Session.java:558)
        at JschApp.main(JschApp.java:56)

In the server log:

sshd[9303]: debug1: SSH2_MSG_KEXINIT received
sshd[9303]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
sshd[9303]: debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512
sshd[9303]: debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512
sshd[9303]: debug2: kex_parse_kexinit: none,zl...@op...
sshd[9303]: debug2: kex_parse_kexinit: none,zl...@op...
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit: first_kex_follows 0
sshd[9303]: debug2: kex_parse_kexinit: reserved 0
sshd[9303]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
sshd[9303]: debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
sshd[9303]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
sshd[9303]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
sshd[9303]: debug2: kex_parse_kexinit: none
sshd[9303]: debug2: kex_parse_kexinit: none
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit:
sshd[9303]: debug2: kex_parse_kexinit: first_kex_follows 0
sshd[9303]: debug2: kex_parse_kexinit: reserved 0
sshd[9303]: debug2: mac_setup: found hmac-sha1
sshd[9303]: debug1: kex: client->server aes128-ctr hmac-sha1 none
sshd[9303]: debug3: mm_request_send entering: type 78
sshd[9303]: debug3: mm_request_receive_expect entering: type 79
sshd[9303]: debug3: mm_request_receive entering
sshd[9299]: debug3: monitor_read: checking request 78
sshd[9299]: debug3: mm_request_send entering: type 79
sshd[9299]: debug3: mm_request_receive entering
sshd[9303]: debug2: mac_setup: found hmac-sha1
sshd[9303]: debug1: kex: server->client aes128-ctr hmac-sha1 none
sshd[9303]: debug3: mm_request_send entering: type 78
sshd[9303]: debug3: mm_request_receive_expect entering: type 79
sshd[9303]: debug3: mm_request_receive entering
sshd[9299]: debug3: monitor_read: checking request 78
sshd[9299]: debug3: mm_request_send entering: type 79
sshd[9299]: debug3: mm_request_receive entering
sshd[9303]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
sshd[9303]: debug3: mm_request_send entering: type 0
sshd[9303]: debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
sshd[9303]: debug3: mm_request_receive_expect entering: type 1
sshd[9303]: debug3: mm_request_receive entering
sshd[9299]: debug3: monitor_read: checking request 0
sshd[9299]: debug3: mm_answer_moduli: got parameters: 2048 2048 1024
sshd[9299]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
sshd[9299]: debug1: do_cleanup

Using either diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 fails with FIPS enabled, but succeeds with FIPS disabled. Using either with the OpenSSH client works fine.

On a side note, IF the client is using Java 8, I am able to connect with JSch, as it is able to use diffie-hellman-group14-sha1 successfully.

Does the server output give you any ideas what may be the issue?

Thank you in advance.

- Scott
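Added example (not part of Scott's post or of JSch): a Python script that pulls the kex offers and the DH GEX (min, want, max) triple out of sshd debug lines like those above and applies the same min <= want <= max sanity check that sshd's privileged monitor (mm_answer_moduli in OpenSSH monitor.c) applies, so the "bad parameters" line can be read off the log. It assumes, as OpenSSH's kex_parse_kexinit debug output does, that the first kex list printed is the server's own proposal and the second the client's; the sample log is a constructed condensation of the one quoted.

```python
import re

# Constructed sample, condensed from the sshd debug output quoted in the post.
SAMPLE_LOG = """\
sshd[9303]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1
sshd[9303]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
sshd[9303]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
sshd[9299]: debug3: mm_answer_moduli: got parameters: 2048 2048 1024
sshd[9299]: fatal: mm_answer_moduli: bad parameters: 2048 2048 1024
"""

# Only kex-algorithm lists (not host key, cipher or MAC lists) match this.
KEX_RE = re.compile(r"kex_parse_kexinit: ((?:diffie-hellman|ecdh|curve25519)\S*)$")
MODULI_RE = re.compile(r"mm_answer_moduli: got parameters: (\d+) (\d+) (\d+)")


def moduli_params_ok(min_bits, want_bits, max_bits):
    """The check sshd's monitor applies to a DH GEX request before it looks up
    a group: the request is rejected unless min <= want <= max."""
    return not (max_bits < min_bits or want_bits < min_bits or max_bits < want_bits)


def diagnose(log_text):
    """Return the kex algorithms both sides offered, the DH GEX triple the
    monitor saw, and whether that triple passes the monitor's check."""
    offers = []          # kex lists in log order: server's proposal, then client's
    params = None
    for line in log_text.splitlines():
        m = KEX_RE.search(line)
        if m:
            offers.append(m.group(1).split(","))
            continue
        m = MODULI_RE.search(line)
        if m:
            params = tuple(int(x) for x in m.groups())
    result = {"params": params, "params_ok": None, "common_kex": []}
    if len(offers) >= 2:
        server, client = offers[0], offers[1]
        # SSH picks the first algorithm in the client's list the server also offers
        result["common_kex"] = [k for k in client if k in server]
    if params is not None:
        mn, want, mx = params
        result["params_ok"] = moduli_params_ok(mn, want, mx)
        if mx < mn:
            result["reason"] = "max (%d) is below min (%d)" % (mx, mn)
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```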