After the R2022-07 release, the tFTPConnection component behavior changed slightly. Jobs and components created before R2022-07 can still connect to SFTP servers; however, new connections and components can fail.
This release updated the underlying library to support more secure algorithms. However, along with expanding the security algorithms, it disabled some of the older ones that were considered insecure.
Upgrade the server to support more secure algorithms.
Use Log4j debug logs to analyze the communications between the client and the server. Your Log4j debug log may contain the following lines:
kex: server: ssh-dss,ssh-rsa
kex: client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
If the client list contains none of the algorithms the server offers, you must enable one of the server's algorithms on the client.
The newer version of the library displays the following exception message:
com.jcraft.jsch.JSchAlgoNegoFailException: Algorithm negotiation fail: algorithmName="server_host_key" jschProposal="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256" serverProposal="ssh-dss,ssh-rsa"
To override the existing library with the new version, follow the Overriding a database driver by customizing the Maven URI instructions available in the Talend Help Center. With the upgraded library, the error message names the server_host_key parameter and the algorithms the server proposes (ssh-dss or ssh-rsa), which makes the failure easier to read and interpret.
During the upgrade, the following configuration is applied for maximum backward compatibility:
kex ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
server_host_key ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
cipher.s2c aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
cipher.c2s aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
mac.s2c hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
mac.c2s hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
To enable the missing insecure algorithms in the tFTPConnection component, open the Advanced Settings tab, select the Config client check box, and add the lines above to the table. Verify that the configuration looks similar to the screenshot:
If you are using a public key, you may also need to add the following additional parameter:
Client Parameter: "PubkeyAcceptedKeyTypes"
Value: "ssh-rsa"
or
Value: "ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
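The negotiation failure above can be diagnosed mechanically from either the Log4j kex lines or the JSchAlgoNegoFailException message. The following helper is an added example for this article, not Talend or JSch code: it parses both formats, reports which algorithms the client would have to re-enable, flags whether all of them are legacy ones (so that upgrading the server, as recommended above, is the better fix), and builds the corresponding Config client line in the "key value" form shown in this article. The LEGACY set is the example's own assumption, not a list taken from the release notes.

```python
import re
from typing import Dict, List, Tuple

# Algorithms the upgraded JSch no longer offers by default (ssh-dss/ssh-rsa host
# keys, SHA-1 kex, CBC/3DES/Blowfish ciphers, MD5/truncated MACs). Treating this
# set as "legacy" is an assumption of the example, not a list from the article.
LEGACY = {
    "ssh-dss", "ssh-rsa", "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
    "3des-cbc", "3des-ctr", "blowfish-cbc", "aes128-cbc", "aes192-cbc",
    "aes256-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
}

# Shape of the JSchAlgoNegoFailException message quoted in this article.
EXC_RE = re.compile(r'algorithmName="(?P<name>[^"]+)"\s+jschProposal="(?P<client>[^"]*)"'
                    r'\s+serverProposal="(?P<server>[^"]*)"')
# Shape of the "kex: server:" / "kex: client:" Log4j debug lines.
KEX_LOG_RE = re.compile(r"kex: (?P<side>server|client): (?P<algs>\S+)")


def parse_negotiation(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (algorithm class, client proposal, server proposal)."""
    m = EXC_RE.search(text)
    if m:
        return m["name"], m["client"].split(","), m["server"].split(",")
    sides = {k["side"]: k["algs"].split(",") for k in KEX_LOG_RE.finditer(text)}
    if {"client", "server"} <= sides.keys():
        # The debug lines do not name the class; the article's sample is host-key data.
        return "server_host_key", sides["client"], sides["server"]
    raise ValueError("no negotiation data found")


def diagnose(text: str) -> Dict[str, object]:
    """Explain why negotiation failed and what re-enabling it would cost."""
    name, client, server = parse_negotiation(text)
    common = [a for a in client if a in server]
    needed = [a for a in server if a not in client]
    return {
        "algorithm": name,
        "common": common,        # non-empty means this class is not the problem
        "client_needs": needed,  # what the client must add to connect as-is
        "legacy_only": bool(needed) and all(a in LEGACY for a in needed),
    }


def config_line(text: str) -> str:
    """Build the 'key value' line for the Config client table, keeping the
    secure algorithms first so they win when the server also supports them."""
    name, client, server = parse_negotiation(text)
    return f"{name} {','.join(client + [a for a in server if a not in client])}"
```

Feed `diagnose()` the exception text from the job log; a result with an empty `common` list and `legacy_only` set to True is exactly the ssh-dss/ssh-rsa case described in this article.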