SSH Key Negotiation Error

I'm trying to connect to a 3rd-party tool's SFTP site using the SSH Connector. Getting one of the pesky Unable to Negotiate Key errors. It's a 3rd-party site so I can't change their supported methods. Is there any way to add a method to Knime's supported methods?

My specific error for client side and server side is this:

Unable to negotiate key exchange for kex algorithms (client: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256 / server: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1) (SshException)

Hi, normally you want to move to anything higher than sha1 encryption for security reasons, so new versions of ssh clients, including Knime's ssh connector, would not be using it.

That being said, I can’t see where in the node’s configuration you can set that up. You can try using the Legacy connector to see if it was supporting it, but I doubt it since the Legacy nodes are not that old.

If it’s not possible for the server to change their cryptography, you may need to download the files manually as a separate task, and then have Knime process the downloaded files.

You can always connect to the server via the command line like this:
ssh -o KexAlgorithms=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 your_user@the_ssh_host


Hi, one thing you may try is to configure your system's ssh and add the algorithm as an option there.

In Linux for example, you can find this in the .ssh/config file in your home directory. You would add something like this:

Host the_ssh_host
	KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

This would add (hence the "+" sign) support for these Kex algorithms, and it would add it only for that host - for security reasons, you want to limit this to this host only.

I’m not sure how to do this in Windows. I think OpenSSH is the native ssh client, so you would have to install this, and probably the config file would be in %USER%/.ssh/config if we want the equivalent of the Linux config file.

This, in theory, would allow any clients, including Knime, to connect via SSH to that host using these algorithms.
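Added example, not part of the original thread: a Python sketch that parses the error text from the first post, applies the SSH rule that the first client algorithm the server also offers is chosen, and emits a host-scoped OpenSSH stanza like the one in the reply above, enabling one legacy method rather than all three. The function names and the fallback order in `LEGACY_PREFERENCE` are assumptions of this example.

```python
import re

# The error text quoted in the first post of this thread.
ERROR = (
    "Unable to negotiate key exchange for kex algorithms (client: "
    "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group18-sha512,"
    "diffie-hellman-group17-sha512,diffie-hellman-group16-sha512,"
    "diffie-hellman-group15-sha512,diffie-hellman-group14-sha256 / server: "
    "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,"
    "diffie-hellman-group-exchange-sha1) (SshException)"
)

# Assumption of this example: fallback order among SHA-1 methods.
# group14 is a fixed 2048-bit group, group-exchange depends on the group
# size agreed at run time, group1 is a fixed 1024-bit group and comes last.
LEGACY_PREFERENCE = [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
]


def parse_kex_error(message):
    """Return (client_algorithms, server_algorithms) from the error text."""
    m = re.search(r"\(client:\s*(.*?)\s*/\s*server:\s*(.*?)\)", message)
    if m is None:
        raise ValueError("not a kex negotiation error")
    client, server = (
        [a.strip() for a in group.split(",") if a.strip()] for group in m.groups()
    )
    return client, server


def negotiate(client, server):
    """First client algorithm the server also offers (RFC 4253 7.1, simplified)."""
    offered = set(server)
    return next((a for a in client if a in offered), None)


def host_stanza(host, message):
    """ssh_config lines enabling one legacy method for one host, or None."""
    client, server = parse_kex_error(message)
    if negotiate(client, server) is not None:
        return None  # the lists already overlap, no override needed
    pick = next((a for a in LEGACY_PREFERENCE if a in server), None)
    if pick is None:
        raise ValueError("server offers no method this example knows")
    return f"Host {host}\n\tKexAlgorithms +{pick}\n"


if __name__ == "__main__":
    print(host_stanza("the_ssh_host", ERROR))
```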

I can add the methods to the user/.ssh/config file and it works fine from the command line. And I can see the correct values have been read by KNIME at startup. However the SSH Connection node seems to be ignoring those because it throws the same error. The values from the screen below are now shown in the list of client side option still.

Hi, can you uncheck the sha256 one? This should only be done temporarily though, just to test this connection.
