Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please add modern ssh algos #902

Closed
bol-van opened this issue Sep 5, 2021 · 17 comments
Closed

Please add modern ssh algos #902

bol-van opened this issue Sep 5, 2021 · 17 comments

Comments

@bol-van
Copy link

bol-van commented Sep 5, 2021

Gps logger offers only working ssh-rsa and some nonworking nistp as a host key algo
openssh will soon depricate ssh-rsa and disable it by default
@mendhak
Copy link
Owner

mendhak commented Sep 13, 2021
edited
Loading

Yes good point - looks like the original library jsch, which is what's used for the SFTP connection, isn't maintained anymore.

I did find this repo which is supposed to be a drop-in replacement: https://github.com/mwiede/jsch
Could you have a look at the README and see if it mentions some of the algorithms you're after?

I do see a note about some of the algorithms which I'm not so sure about:

Are ssh-ed25519, ssh-ed448, curve25519-sha256, curve448-sha512 & [email protected] supported?

This library is a Multi-Release-jar, which means that you can only use certain features when a more recent Java version is used.
In order to use ssh-ed25519 & ssh-ed448, you must use at least Java 15.
In order to use curve25519-sha256, curve448-sha512 & [email protected], you must use at least Java 11.
As of the 0.1.66 release, these algorithms can now be used with older Java releases if Bouncy Castle (bcprov-jdk15on) is added to the classpath.

@bol-van
Copy link
Author

bol-van commented Sep 14, 2021

Yes readme mentions modern algorithms. I'm not sure if they work on different android versions because of java version requirements

mendhak added a commit that referenced this issue Sep 14, 2021
@mendhak
Replace unmtaintained jsch library with maintained mwiede jsch version.
01655b8 
Issue #902
@mendhak
Copy link
Owner

mendhak commented Sep 14, 2021
edited
Loading

@bol-van what's a good way to test this?

I've replaced the unmaintained jsch with the version that I linked and done some testing of functionality, it does seem to work as expected, the auto send feature I mean.

What I can't tell is whether it will work with the modern algorithms you're mentioning. Do you have a way to test it? I'm actually going to release this in the next F-Droid update.

I use a test SFTP docker container. The kexalgorithms that it supports are

$ ssh -G -p 2999 192.168.50.108 | grep -i kex
kexalgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

What I can't tell is whether it's using any of the ones you're thinking of or if there's a definitive way to force a specific algorithm. If you know any servers you test against let me know.

@mendhak
Copy link
Owner

mendhak commented Sep 14, 2021

Sorry scratch that - I think a bit more testing is required with this library, so it will not be in release 116.

@mendhak
Copy link
Owner

mendhak commented Sep 14, 2021

I tried testing on older Android versions and I was running into some Algorithm Negotiation Failed, and some No Such Algorithm errors. The 2nd one will need some investigating to see, what do I need to set, for different OSes perhaps. Basically on older Androids I could conditionally allow some of the older insecure algorithms.

For example:

session.setConfig("kex", "ssh-rsa,ssh-dss,aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,"+ session.getConfig("kex"));

Also there are various flags in the README https://github.com/mwiede/jsch

@bol-van
Copy link
Author

bol-van commented Sep 15, 2021

i think you should setup a linux vm with openssh . you can contol available algs in /etc/ssh/sshd_config and monitor errors in syslog

@bol-van
Copy link
Author

bol-van commented Sep 15, 2021

Here is my server (sshd_config) algo setup for openssh

KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512

@mendhak
Copy link
Owner

mendhak commented Sep 16, 2021

I had a go at this and it's like a whole new world of stuff I don't know about. The first problem I hit is that right away, Android 4.4 couldn't connect to the Ubuntu 20.04 SSH server. I didn't even make changes to the server, but with the new library it couldn't connect. It was able to connect with the old library. That's mystifying me because I'd expect if Old Android + Old Library could connect to modern Ubuntu, then Old Android + New Library would also connect to modern Ubuntu.

I've tried troubleshooting a lot over the past few days but have to pause it for now as I'm getting nowhere. I'm going to leave some notes here for when I can pick this up again or in case someone can spot what the problem could be.

First I replaced the old library in build.gradle:

    implementation group: 'com.jcraft', name: 'jsch', version: '0.1.54'
    implementation group: 'com.jcraft', name: 'jzlib', version: '1.1.3'

with this:

    implementation 'com.github.mwiede:jsch:0.1.58'
    implementation 'com.madgag.spongycastle:core:1.58.0.0'
    implementation 'com.madgag.spongycastle:prov:1.58.0.0'
    implementation 'com.madgag.spongycastle:bcpkix-jdk15on:1.58.0.0'
    implementation 'com.madgag.spongycastle:bcpg-jdk15on:1.58.0.0'

The first line is the new jsch library, and the other 4 are SpongyCastle. The problem happened even without SpongyCastle.

Then I added this in the SftpJob.java class, supposedly this SpongyCastle bit should be providing modern algorithms for jsch to use. It made no difference if this line was there or not, it still failed.

    static{
        Security.insertProviderAt(new org.spongycastle.jce.provider.BouncyCastleProvider(), 1);
    }

The connection fails and I captured the log output from jsch.

2021-09-16 17:35:20.058 3543-3644/com.mendhak.gpslogger D/SFTPJob: onRun:87 - Connecting...
2021-09-16 17:35:20.058 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - Connecting to 192.168.50.108 port 2999
2021-09-16 17:35:20.058 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - Connection established
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - Remote version string: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - Local version string: SSH-2.0-JSCH-0.0
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - CheckCiphers: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - [email protected] is not available.
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - [email protected] is not available.
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - CheckMacs: [email protected],[email protected],,hmac-sha2-256,hmac-sha2-512
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 -  is not available.
2021-09-16 17:35:20.066 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - CheckKexes: curve25519-sha256,[email protected],diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - curve25519-sha256 is not available.
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - [email protected] is not available.
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - CheckSignatures: rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - SSH_MSG_KEXINIT sent
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - SSH_MSG_KEXINIT received
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
2021-09-16 17:35:20.930 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: none,[email protected]
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: none,[email protected]
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: 
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server: 
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,rsa-sha2-512,ssh-rsa
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: aes128-ctr,aes192-ctr,aes256-ctr
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: aes128-ctr,aes192-ctr,aes256-ctr
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: none
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: none
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: 
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client: 
2021-09-16 17:35:20.934 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: algorithm: ecdh-sha2-nistp256
2021-09-16 17:35:20.942 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: host key algorithm: ecdsa-sha2-nistp256
2021-09-16 17:35:20.942 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
2021-09-16 17:35:20.942 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
2021-09-16 17:35:20.942 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - SSH_MSG_KEX_ECDH_INIT sent
2021-09-16 17:35:20.942 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - expecting SSH_MSG_KEX_ECDH_REPLY
2021-09-16 17:35:20.946 3543-3644/com.mendhak.gpslogger D/SFTPJob: log:169 - Disconnecting from 192.168.50.108 port 2999
2021-09-16 17:35:20.946 3543-3644/com.mendhak.gpslogger E/SFTPJob: onRun:116 - Session.connect: java.security.NoSuchAlgorithmException: AlgorithmParameters EC implementation not found
    com.jcraft.jsch.JSchException: Session.connect: java.security.NoSuchAlgorithmException: AlgorithmParameters EC implementation not found
    	at com.jcraft.jsch.Session.connect(Session.java:568) ~[na:0.0]
    	at com.jcraft.jsch.Session.connect(Session.java:186) ~[na:0.0]
    	at com.mendhak.gpslogger.senders.sftp.SFTPJob.onRun(SFTPJob.java:88) ~[na:0.0]
    	at com.birbit.android.jobqueue.Job.safeRun(Job.java:229) ~[na:0.0]
    	at com.birbit.android.jobqueue.JobHolder.safeRun(JobHolder.java:132) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.handleRunJob(ConsumerManager.java:407) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.access$000(ConsumerManager.java:326) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer$2.handleMessage(ConsumerManager.java:354) ~[na:0.0]
    	at com.birbit.android.jobqueue.messaging.SafeMessageQueue.consume(SafeMessageQueue.java:36) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.run(ConsumerManager.java:389) ~[na:0.0]
    	at java.lang.Thread.run(Thread.java:841) ~[na:0.0]
2021-09-16 17:35:20.946 3543-3644/com.mendhak.gpslogger E/AppSettings: e:97 - error while executing job com.mendhak.gpslogger.senders.sftp.SFTPJob@53118920
    com.jcraft.jsch.JSchException: Session.connect: java.security.NoSuchAlgorithmException: AlgorithmParameters EC implementation not found
    	at com.jcraft.jsch.Session.connect(Session.java:568) ~[na:0.0]
    	at com.jcraft.jsch.Session.connect(Session.java:186) ~[na:0.0]
    	at com.mendhak.gpslogger.senders.sftp.SFTPJob.onRun(SFTPJob.java:88) ~[na:0.0]
    	at com.birbit.android.jobqueue.Job.safeRun(Job.java:229) ~[na:0.0]
    	at com.birbit.android.jobqueue.JobHolder.safeRun(JobHolder.java:132) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.handleRunJob(ConsumerManager.java:407) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.access$000(ConsumerManager.java:326) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer$2.handleMessage(ConsumerManager.java:354) ~[na:0.0]
    	at com.birbit.android.jobqueue.messaging.SafeMessageQueue.consume(SafeMessageQueue.java:36) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.run(ConsumerManager.java:389) ~[na:0.0]
    	at java.lang.Thread.run(Thread.java:841) ~[na:0.0]
2021-09-16 17:35:20.946 3543-3644/com.mendhak.gpslogger E/SFTPJob: shouldReRunOnThrowable:144 - Could not upload to SFTP server
    com.jcraft.jsch.JSchException: Session.connect: java.security.NoSuchAlgorithmException: AlgorithmParameters EC implementation not found
    	at com.jcraft.jsch.Session.connect(Session.java:568) ~[na:0.0]
    	at com.jcraft.jsch.Session.connect(Session.java:186) ~[na:0.0]
    	at com.mendhak.gpslogger.senders.sftp.SFTPJob.onRun(SFTPJob.java:88) ~[na:0.0]
    	at com.birbit.android.jobqueue.Job.safeRun(Job.java:229) ~[na:0.0]
    	at com.birbit.android.jobqueue.JobHolder.safeRun(JobHolder.java:132) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.handleRunJob(ConsumerManager.java:407) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.access$000(ConsumerManager.java:326) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer$2.handleMessage(ConsumerManager.java:354) ~[na:0.0]
    	at com.birbit.android.jobqueue.messaging.SafeMessageQueue.consume(SafeMessageQueue.java:36) ~[na:0.0]
    	at com.birbit.android.jobqueue.ConsumerManager$Consumer.run(ConsumerManager.java:389) ~[na:0.0]
    	at java.lang.Thread.run(Thread.java:841) ~[na:0.0]

I switched back to the old library, and the connection worked fine. The logging code for it shows this

2021-09-16 16:48:40.938 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - Connecting to 192.168.50.108 port 2999
2021-09-16 16:48:40.938 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - Connection established
2021-09-16 16:48:40.946 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - Remote version string: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
2021-09-16 16:48:40.946 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - Local version string: SSH-2.0-JSCH-0.1.54
2021-09-16 16:48:40.946 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
2021-09-16 16:48:40.946 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - SSH_MSG_KEXINIT sent
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - SSH_MSG_KEXINIT received
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: none,[email protected]
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: none,[email protected]
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: 
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server: 
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2021-09-16 16:48:40.998 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: none
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: none
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: 
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client: 
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: server->client aes128-ctr hmac-sha1 none
2021-09-16 16:48:41.002 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - kex: client->server aes128-ctr hmac-sha1 none
2021-09-16 16:48:41.006 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - SSH_MSG_KEX_ECDH_INIT sent
2021-09-16 16:48:41.006 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - expecting SSH_MSG_KEX_ECDH_REPLY
2021-09-16 16:48:41.014 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - ssh_rsa_verify: signature true
2021-09-16 16:48:41.014 3031-3086/com.mendhak.gpslogger D/SFTPJob: log:168 - Host '192.168.50.108' is known and matches the RSA host key

@bol-van
Copy link
Author

bol-van commented Sep 17, 2021
edited
Loading

From the log I see that it prefers nistp key exchange algo which is broken in jsch (or requires additional initializations, i dont know)
New jsch has compatible algo that would work but it prefers nistp : AlgorithmParameters EC implementation not found
Can you control algo preference order ?
Nistp is not recommended because its coming from NSA and may have backdoor

@mendhak
Copy link
Owner

mendhak commented Sep 19, 2021

Progress has been made!

To make use of the latest version of the jsch library I had to update the Android Gradle Plugin to 7.0.2

classpath 'com.android.tools.build:gradle:7.0.2'

And the Gradle tool to 7.0.2

distributionUrl=https\://services.gradle.org/distributions/gradle-7.0.2-bin.zip

And ensure that the project's JDK was set to at least version 11.

With this, the older Android 4.4 was able to connect to the default Ubuntu 20.04 SSH server.

@mendhak
Copy link
Owner

mendhak commented Sep 19, 2021
edited
Loading

I've also added the BouncyCastle library, so the app should be able to connect to more modern setups.

On my test SSH server, in /etc/ssh/sshd_config I applied the lines you gave

KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512

And I was able to connect and test uploads, even on older Android 4.4! 😄

Anyway I think some testing is required now. I've got a test APK here: gpslogger-116-issue902-ssh.zip

It would be useful if you could try it out as well, but important note: it isn't compatible with the FDroid version. That means if you install this APK you will lose all your previous GPSLogger files and data.

@mendhak
Copy link
Owner

mendhak commented Sep 19, 2021
edited
Loading

Strangely I was also able to also generate the new format Openssh private key (ssh-keygen -t ed25519), with passphrase, and use that to connect to the server. I said strange because this issue says the new key format is not supported. So I wonder why it's working.

Edit: I found the commit where they added support for it: mwiede/jsch@4dfbd0c

@bol-van
Copy link
Author

bol-van commented Sep 19, 2021

Android 7.0
it worked with my config mentioned above and also worked with ed25519/chacha-poly only

@DanielRieken
Copy link

Hello,
I've tested version 116-issue902-ssh.

Default openssh-server settings:
test01

I've also tested on Android 11 (OxygenOS 11) / Debian 11.0.0 with these combination of openssh-server settings:
test02

@mendhak
Copy link
Owner

mendhak commented Sep 20, 2021

Thanks very much for such thorough testing! That's a lot of effort you've put in so I appreciate it.

Looking at the list of failed negotiations, does that look like an acceptable list of enabled/disabled algorithms? I'm thinking of leaving the defaults in place, it seems to have a good balance of old allowed algorithms and some newer ones, thanks to the additional BouncyCastle library.

I've got a pull request going with these changes, and I'm also looking at adding a file picker so that users can find their SFTP private key easily. #907

@DanielRieken
Copy link

DanielRieken commented Sep 21, 2021
edited
Loading

I've never used GPSlogger with SSH, but since I like GPSlogger a lot, I am happy to help. Because I am not a developer, I can not help with programming, but here I was able to do some testing :-)

Yes, for me it looks like a good result, because the failed algorithms are known as insecure / weak / broken.
From security view the results are good (see https://infosec.mozilla.org/guidelines/openssh).
Also all algorithms named by @bol-van are working.

But I bet sooner or later someone will ask for 3des-cbc, hmac-md5-96 or something like that 😂

@mendhak mendhak mentioned this issue Sep 21, 2021
Merged
@mendhak
Copy link
Owner

mendhak commented Sep 29, 2021

Hi all, finally v117 is on F-Droid. This will include the modern SSH algorithms, with Bouncy Castle library to help out.

The app will now ask for a manage storage permission (on Android 11+) when you choose the 'save to folder' setting. In my emulator testing, only on Android 11+, I was also able to save to SD card. But not on any other OS version.

There's also a graphical folder picker for files and folders so you don't have to type it in anymore. The folder picker is for saving the log location, the file picker is for SFTP private key path. The SFTP private key setting will also ask for this permission. It's a bit broad but I think I can look to reduce this need in a future update, as Storage Access Framework is a beast of a topic.

I'm now going around and closing a bunch of issues related to folder permissions. And in this case SFTP.

@mendhak mendhak closed this as completed Sep 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mendhak @bol-van @DanielRieken