我们有一个构建脚本,它使用Ant <scp>任务将文件上传到Mac服务器。运行OSX 10.8(Mountain Lion)的服务器已经运行了一年或更长时间,但我们最近将其升级到OSX 10.11(El Capitan),现在<scp>任务因此异常而失败:
com.jcraft.jsch.JSchException: Algorithm negotiation fail
打开详细模式,日志如下所示:
[scp] Connecting to **SERVER-ADDRESS**:2220
[scp] Connecting to **SERVER-ADDRESS** port 2220
[scp] Connection established
[scp] Remote version string: SSH-2.0-OpenSSH_6.9
[scp] Local version string: SSH-2.0-JSCH-0.1.51
[scp] CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
[scp] CheckKexes: diffie-hellman-group14-sha1
[scp] diffie-hellman-group14-sha1 is not available.
[scp] SSH_MSG_KEXINIT sent
[scp] SSH_MSG_KEXINIT received
[scp] kex: server: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
[scp] kex: server: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
[scp] kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[scp] kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[scp] kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[scp] kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[scp] kex: server: none,zlib@openssh.com
[scp] kex: server: none,zlib@openssh.com
[scp] kex: server:
[scp] kex: server:
[scp] kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
[scp] kex: client: ssh-rsa,ssh-dss
[scp] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
[scp] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
[scp] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
[scp] kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
[scp] kex: client: none
[scp] kex: client: none
[scp] kex: client:
[scp] kex: client:
[scp] Disconnecting from **SERVER-ADDRESS** port 2220
所以问题是客户端和服务器都不支持单个算法,正如在这个类似的SO帖子中所讨论的那样:JSchException: Algorithm negotiation fail和其他各种地方。但是,从日志中我看起来像客户端和服务器做都支持至少一种算法,即&#34; aes128-ctr&#34;:
[scp] kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
和
[scp] kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
所以我不明白为什么他们无法协商算法,但即便如此,我还是按照其他SO问题的建议安装了JCE Unlimited Strength Jurisdiction Policy文件 - 你可以看到以上客户端现在支持256位算法的行。这并没有什么不同,大概是因为服务器支持&#34; aes256-ctr&#34;并且客户支持&#34; aes256-cbc&#34;。但我仍然不明白为什么它不能使用&#34; aes128-ctr&#34;
请注意,客户端计算机正在运行Windows,所以基于我在其他地方读到的内容(无法准确记住位置),我还尝试清除Putty的SSH密钥缓存 - 这也没有区别(不是我期待它 - 我现在只是尝试一下......)
令人沮丧的是,看起来这个SO帖子 - Algorithm negotiation fail deploying iOS app in OSX "El Capitan" - 处理同样的问题,并且有一个解决方案,但回答者只是说他的产品中的问题已得到修复,但没有解释修复的内容,而且我没有足够的声誉来发表评论,要求提供更多细节
答案 0 :(得分:0)
算法协商不仅涉及密码,还涉及密钥交换和MAC。您没有任何通用密钥交换算法:
required客户端设置非常小。您可能必须在客户端允许额外的Kex方法。