*Environment details:*

*Server OS* : CentOS release 6.9 (Final)

$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

$ sshd -T
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
usepam yes
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication yes
gssapikeyexchange no
gssapicleanupcredentials yes
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
gssapikexalgorithms gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd yes
printlastlog yes
x11forwarding yes
x11uselocalhost yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
showpatchlevel no
usedns yes
allowtcpforwarding yes
allowagentforwarding yes
useprivilegeseparation yes
kerberosusekuserok yes
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
macs hmac-md5,hmac-sha1,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
kexalgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
banner none
authorizedkeysfile .ssh/authorized_keys
authorizedkeysfile2 .ssh/authorized_keys2
loglevel DEBUG
syslogfacility AUTHPRIV
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
acceptenv LANG
acceptenv LC_CTYPE
acceptenv LC_NUMERIC
acceptenv LC_TIME
acceptenv LC_COLLATE
acceptenv LC_MONETARY
acceptenv LC_MESSAGES
acceptenv LC_PAPER
acceptenv LC_NAME
acceptenv LC_ADDRESS
acceptenv LC_TELEPHONE
acceptenv LC_MEASUREMENT
acceptenv LC_IDENTIFICATION
acceptenv LC_ALL
acceptenv LANGUAGE
acceptenv XMODIFIERS
subsystem sftp /usr/libexec/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
permitopen any

sshd-common : 2.6.0
sshd-core : 2.6.0

I am using Client protocol version 2.0; client software version APACHE-SSHD-2.6.0

I am trying to SSH to my server (RHEL6) with APACHE-SSHD-2.6.0, using the code snippet below.

String send = "HOST:" + host + " " + command;
InputStream inputStream = new ByteArrayInputStream(send.getBytes());
SshClient client = SshClient.setUpDefaultClient();
client.start();
ConnectFuture cf = client.connect(username, host, port);
try (ClientSession session = cf.verify().getSession();) {
    // Offer the private key for public-key authentication
    session.addPublicKeyIdentity(loadKeypair(privateKey.getAbsolutePath()));
    // Blocks until authentication succeeds, fails or times out
    session.auth().verify(defaultTimeoutSeconds, TimeUnit.SECONDS);
    // ...
}

This works fine with RHEL8, Ubuntu14, Ubuntu16 and Ubuntu18, but not with RHEL6 and RHEL7, where I get the exception below.

*unsupported public key algorithm: rsa-sha2-512* in sshd log

Caused by: org.apache.sshd.common.SshException: No more authentication methods available
    at org.apache.sshd.common.future.AbstractSshFuture.verifyResult(AbstractSshFuture.java:126)
    at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:39)
    at org.apache.sshd.client.future.DefaultAuthFuture.verify(DefaultAuthFuture.java:32)
    at org.apache.sshd.common.future.VerifiableFuture.verify(VerifiableFuture.java:56)
    at com.zimbra.cs.rmgmt.RemoteManager.executeRemoteCommand(RemoteManager.java:170)
    at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:147)
    ... 70 more
Caused by: org.apache.sshd.common.SshException: No more authentication methods available
    at org.apache.sshd.client.session.ClientUserAuthService.tryNext(ClientUserAuthService.java:342)
    at org.apache.sshd.client.session.ClientUserAuthService.processUserAuth(ClientUserAuthService.java:277)
    at org.apache.sshd.client.session.ClientUserAuthService.process(ClientUserAuthService.java:224)
    at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:502)
    at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:428)
    at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1463)
    at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:388)
    at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
    at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:358)
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:335)
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:332)
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
    at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
    at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
    at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

broken-relay2:# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from X.X.X.X port 55874
debug1: Client protocol version 2.0; client software version APACHE-SSHD-2.6.0
debug1: no match: APACHE-SSHD-2.6.0
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user zimbra service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "zimbra"
debug1: PAM: setting PAM_RHOST to "mail.example.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user zimbra service ssh-connection method publickey
debug1: attempt 1 failures 0
userauth_pubkey: unsupported public key algorithm: rsa-sha2-512
Connection closed by X.X.X.X
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup

I found 2 solutions.

*Solution 1:* I upgraded ssh on RHEL6; it's working fine now.

Before upgrade ssh version:
$ ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

After upgrade ssh version:
$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

*Solution 2:* I changed the order of *SignatureFactoriesNameList*; it's working fine now.

Changed order of rsa-sha2-512, rsa-sha2-256, ssh-rsa

*Actual order:*
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,*rsa-sha2-512,rsa-sha2-256,ssh-rsa*

*Changed order:*
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,*ssh-rsa,rsa-sha2-512,rsa-sha2-256*

SshClient client = SshClient.setUpDefaultClient();
client.setSignatureFactoriesNameList("ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,ssh-rsa,rsa-sha2-512,rsa-sha2-256");

*Solution 1* is good but not acceptable in my case; we can't ask our customers to upgrade server/system packages to make them compatible with a Java SSH client.

Please let me know whether *solution 2* is a better approach or not. If not, why, and what issues am I going to face with this change?
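
Added example, not part of the original post and not code from Apache MINA SSHD: because ssh-rsa signs with SHA-1, this sketch moves ssh-rsa ahead of rsa-sha2-* only when the server's identification string shows an OpenSSH release older than 7.2 (the first with rsa-sha2-* support), rather than for every server as in Solution 2. The class and method names are hypothetical; it assumes the caller already has the banner (the "Local version string" in the sshd log) and that the client tries RSA signature names in list order, and it returns a string suitable for setSignatureFactoriesNameList.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class RsaSignatureOrder {
    // Plain RSA signature names; SHA-2 first is the order the post calls "actual".
    static final List<String> SHA2_FIRST = Arrays.asList("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa");
    static final List<String> SHA1_FIRST = Arrays.asList("ssh-rsa", "rsa-sha2-512", "rsa-sha2-256");
    // OpenSSH identification string; "1.99" is SSH-2 with SSH-1 compatibility.
    static final Pattern OPENSSH = Pattern.compile("^SSH-(?:2\\.0|1\\.99)-OpenSSH_(\\d+)\\.(\\d+)");

    /** True only for OpenSSH older than 7.2, which cannot verify rsa-sha2-* signatures. */
    static boolean needsLegacyRsa(String banner) {
        Matcher m = OPENSSH.matcher(banner == null ? "" : banner.trim());
        if (!m.find()) return false; // unknown or non-OpenSSH server: keep SHA-2 first
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        return major < 7 || (major == 7 && minor < 2);
    }

    /** Reorders only the plain RSA names in nameList; every other entry keeps its place. */
    static String reorder(String nameList, String banner) {
        List<String> names = Arrays.stream(nameList.split(","))
                .map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toList());
        List<String> rsaOrder = needsLegacyRsa(banner) ? SHA1_FIRST : SHA2_FIRST;
        List<String> out = new ArrayList<>();
        boolean rsaPlaced = false;
        for (String n : names) {
            if (!SHA2_FIRST.contains(n)) {
                out.add(n);
            } else if (!rsaPlaced) {
                // Emit the RSA names once, in the chosen order, at the first RSA slot.
                rsaOrder.stream().filter(names::contains).forEach(out::add);
                rsaPlaced = true;
            }
        }
        return String.join(",", out);
    }

    public static void main(String[] args) {
        // Constructed inputs; only the first banner appears in the post's sshd log.
        String current = "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa";
        for (String b : new String[] {"SSH-2.0-OpenSSH_5.3", "SSH-2.0-OpenSSH_7.4", "SSH-2.0-ExampleServer_1.0"}) {
            System.out.println(b + " -> " + reorder(current, b));
        }
    }
}
```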