Search code examples
javasshjsch

"No appropriate prime between 1024 and 1024 is available" when connecting to VShell with JSch

I have written a client using JSch (via username password based logging).

The following are the relevant lines of code:-

sshSession = jsch.getSession(userName, host, 22);
sshSession.setConfig("PreferredAuthentications", "password");
sshSession.setPassword(loginInfo);
java.util.Properties config = new java.util.Properties();
config.put("StrictHostKeyChecking", "no");
sshSession.setConfig(config);
sshSession.connect();

Now while connecting with VShell Server I am getting the following error:-

com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 11 No appropriate prime between 1024 and 1024 is available.  en
at com.jcraft.jsch.Session.read(Session.java:987)
at com.jcraft.jsch.Session.connect(Session.java:323)
at com.jcraft.jsch.Session.connect(Session.java:183)
at com.informatica.isp.autoprovision.APSSHClient.<init>(APSSHClient.java:65)
at com.informatica.isp.autoprovision.APClient.createAPComputeNode(APClient.java:84)
at com.informatica.isp.autoprovision.test.AWSMockClientTest.test(AWSMockClientTest.java:34)
at com.informatica.isp.autoprovision.test.AWSMockClientTest.main(AWSMockClientTest.java:42)

When I try to connect with a CLI client like PuTTY or xshell with the VShell Server it works. Is there a setting I am missing somehow in JSch? I could not find anything like this in either VShell or JSch forums hence posted here.

Solution

  • This is possibly a limitation of your version of the JSCH library which may not allow it to successfully perform key exchange with anything other than a 1024-bit prime. Consider contacting JCraft to see if they have a version available that supports using larger primes for diffie-hellman group exchange. If they don't, contact your VShell administrator and ask if they would be willing to modify the VShell 4.1.1+ primes.txt file to include 1024-bit prime numbers.

    As a part of logjam research there is a potential vulnerability in diffie-hellman group exchange when using 1024-bit and smaller primes.

    From the VShell 4.1.1 history file: "In light of a potential vulnerability with SSH key exchange, similar to the TLS Logjam vulnerability, the diffie-hellman group1 key-exchange algorithm is no longer enabled by default and all 1024 bit primes have been removed from VShell's primes.txt file."