Qlik Talend Studio: Expanding your SFTP security algorithms

TalendSolutionExpert — Thu, 29 Aug 2024 07:50:29 GMT

After the R2022-07 release, the tFTPConnection component behavior changed slightly. Jobs and components created before R2022-07 can still connect to SFTP servers; however, new connections and components can fail.

This release updated the underlying library to support more secure algorithms. However, along with expanding the security algorithms, it disabled some of the older ones that were considered insecure.

Resolution

Upgrade the server to support more secure algorithms.

Use Log4j debug logs to analyze the communications between the client and the server. Your Log4j debug log may contain the following lines:

kex: server: ssh-dss,ssh-rsa
kex: client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

You must enable the server's algorithm if you don't have it.

The newer version of the library displays the following exception message:

com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-dss,ssh-rsa"

To override the existing library with the new version, follow the Overriding a database driver by customizing the Maven URI instructions available in the Talend Help Center. Upgrading the library adds either ssh-dss or ssh-rsa to the server_host_key parameter, making the error message more readable and interpretable.

During the upgrade, the following code is configured to meet maximum backward compatibility:

kex    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
server_host_key    ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
cipher.s2c    aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
cipher.c2s    aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
mac.s2c    hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
mac.c2s    hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512

To enable the missing insecure algorithms in the tFTPConnection component, configure the Advanced Settings tab by adding the code under the Config client check box. Verify that the code looks similar to the screenshot:

If you are using a public key, you may also need to add the following additional parameter:

Client Parameter: "PubkeyAcceptedKeyTypes"
Value: "ssh-rsa"
or
Value: "ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"

article Qlik Talend Studio: Expanding your SFTP security algorithms in Official Support Articles

Qlik Talend Studio: Expanding your SFTP security algorithms

Resolution

Environment