BrandlFabian-3133 asked AnkitKhandelwal-4787 commented

Connection to Azure SFTP doesn't work using JSCH

Hello everyone,

We are currently working with a cloud product that uses JSCH internally to connect to external SFTP sources. I'm investigating a connection reset exception that we are getting when trying to connect to Azure SFTP.

Using Wireshark I determined that the problem occurs after JSCH initializes the client key exchange. Establishing the same connection with FileZilla we don't have this issue.
Comparing the packets from JSCH and FileZilla I didn't see any obvious issues; JSCH has Azure-supported algorithms in the key exchange request, at least it looks like it to me, but I'm not an expert on the SSH protocol. I'm going to post both requests below; if somebody could give me any pointers it would be greatly appreciated.

jsch request that leads to azure closing the connection: (attached screenshot jsch.jpg)

filezilla request that works: (attached screenshot filezilla.jpg)

jsch log output:

 INFO: Connecting to ***** port 22
 INFO: Connection established
 INFO: Remote version string: SSH-2.0-AzureSSH_1.0.0
 INFO: Local version string: SSH-2.0-JSCH-0.1.54
 INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
 INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
 INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
 INFO: SSH_MSG_KEXINIT sent
 INFO: Disconnecting from **** port 22
 com.jcraft.jsch.JSchException: Session.connect: java.net.SocketException: Connection reset



SumanthMarigowda-MSFT answered AnkitKhandelwal-4787 commented

@BrandlFabian-3133 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

I see you have posted a similar thread in the SO forum. Please refer to the suggestions mentioned over there and let me know if the issue still persists. I would like to work closer on this issue.

Looking forward to your reply!


Hi,

I tried James's suggestion of modifying the JSCH config but got the same result (I modified my Stack Overflow post in the past to reflect that). It would help to get logs from the SFTP server side, but I didn't see a possibility to get the logs from Azure.

Regards
Fabian


@BrandlFabian-3133 Apologies for the delayed response! This is a known issue and the product team has informed that it will be fixed before GA. Azure SFTP - Approaching GA, please fill out the form here
BrandlFabian-3133 replied to SumanthMarigowda-MSFT

@Sumarigo-MSFT Hi, thanks for the update! Out of curiosity, could you share some technical insight into what's causing the issue at the moment?


Hi @SumanthMarigowda-MSFT,
Has this issue been fixed? If fixed, can we have its release notes?

JGiltner62-0227 answered JGiltner62-0227 edited

We are having the same problem. What I am assuming is when JSCH sends the Key Exchange Init it is NOT adding the optional guess as to what encryption, MAC and compression to use. When the AzureSSH does not see the guess, it has some type of problem or does not like that there is no guess and a TCP-RST is sent to terminate the connection.

I'm not sure why JSCH is not sending a guess, as we have done packet captures and it does for other SSH servers. I can only assume that most SSH clients may have some lookup table for various SSH servers and send a guess based on the SSH server they're talking to. JSCH has no knowledge of AzureSSH and instead of choosing some base guess, it chooses not to send a guess.

Not sending a guess is valid and when a guess is not sent, normal negotiation should take place.

We have been working with our vendor that uses JSCH and they don't know how to force JSCH to make a guess.

drewblob answered Matthias-0969 commented

The issue is with validation of the client software version string.

INFO: Local version string: SSH-2.0-JSCH-0.1.54

From SSH RFC:

   When the connection has been established, both sides MUST send an
   identification string.  This identification string MUST be

      SSH-protoversion-softwareversion SP comments CR LF

   Both the 'protoversion' and 'softwareversion' strings MUST consist of
   printable US-ASCII characters, with the exception of whitespace
   characters and the minus sign (-).  The 'softwareversion' string is
   primarily used to trigger compatibility extensions and to indicate
   the capabilities of an implementation.  The 'comments' string SHOULD
   contain additional information that might be useful in solving user
   problems.  As such, an example of a valid identification string is

      SSH-2.0-billsSSH_3.6.3q3<CR><LF>


We are relaxing the validation to allow the extra "-" after the "SSH-2.0-", and the change will be available soon.



The server shows the same behavior with a compliant software version. (attached screenshot ksnip-20220211-103937.png)
JGiltner62-0227 answered DarrylG-6344 commented

Hopefully MS sees this.

Looking at the capture I also noticed that JSCH 0.1.54 has another issue: it uses just LF (0x0A) to terminate the identifier string, not CRLF (0x0D 0x0A) as the RFC documents you MUST use.

We have been in contact with our vendor and I think they said that JSCH 0.1.72 can connect to Azure.

This is one of the things I find amazing, yet frustrating at the same time. Basically everything on the Internet is based on RFCs. You have all these developers, some of whom English is not their first language, from all over the world, who read these documents and then write programs based on the MUSTs, SHOULDs, and MAYs. What is amazing is that most of the time all these programs actually work talking to each other. The frustrating part is you have something like JSCH which has been working with other programs for years, but doing things incorrectly. It does not come to light until you have a new program (AzureSSH) that comes along and is written to the RFC.


Thank you for the analysis!

According to https://docs.microsoft.com/en-us/answers/questions/713024/connection-to-azure-sftp-doesnt-work-using-jsch.html, JSCH can connect to Azure with the change to insert the 0x0d char.

While we are relaxing the validation to allow the extra "-" after the "SSH-2.0-", we will not be changing the validation of the CRLF. The missing CR may be indicative of earlier SSH versions, which we will not support.

Thanks again,
Drew

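As an added illustration (not code from this thread, JSCH or Azure), here is a small Python validator for the SSH identification line described in drewblob's answer and in the CRLF discussion above: a strict mode following RFC 4253 section 4.2 literally, and a relaxed mode that, as Azure describes, tolerates the extra "-" in softwareversion but still requires CR LF. The sample lines are constructed from the strings quoted in this thread; the exact set of checks Azure applies is an assumption.

```python
import re

# Token alphabet from RFC 4253 section 4.2: printable US-ASCII (0x21-0x7E)
# minus the minus sign (0x2D); whitespace is already outside that range.
_STRICT_TOKEN = rb"[\x21-\x2c\x2e-\x7e]+"
# Relaxed softwareversion, mirroring the change Azure describes: the same
# alphabet plus '-', so "JSCH-0.1.54" passes. protoversion stays strict.
_RELAXED_TOKEN = rb"[\x21-\x7e]+"

# Constructed sample lines modelled on the strings quoted in this thread.
SAMPLES = {
    "jsch_0.1.54": b"SSH-2.0-JSCH-0.1.54\n",     # extra '-' and bare LF
    "jsch_with_cr": b"SSH-2.0-JSCH-0.1.54\r\n",  # the 0x0d fix applied
    "azure_server": b"SSH-2.0-AzureSSH_1.0.0\r\n",
    "rfc_example": b"SSH-2.0-billsSSH_3.6.3q3\r\n",
}


def identification_violations(line: bytes, allow_dash_in_software: bool = False) -> list:
    """Return every RFC 4253 rule the line breaks; an empty list means accepted."""
    problems = []  # checks are cumulative, so a bad line can report several rules
    if len(line) > 255:
        problems.append("longer than 255 bytes including CR LF")
    if line.endswith(b"\r\n"):
        body = line[:-2]
    else:
        # JSch 0.1.54 ends the line with LF (0x0A) only; the RFC requires CR LF.
        problems.append("not terminated by CR LF")
        body = line.rstrip(b"\r\n")
    software = _RELAXED_TOKEN if allow_dash_in_software else _STRICT_TOKEN
    pattern = rb"^SSH-(" + _STRICT_TOKEN + rb")-(" + software + rb")( [\x20-\x7e]*)?$"
    match = re.match(pattern, body)
    if match is None:
        problems.append("not SSH-protoversion-softwareversion [SP comments]")
    elif match.group(1) != b"2.0":
        problems.append("protoversion is not 2.0")
    return problems


def parse_identification(line: bytes, allow_dash_in_software: bool = False) -> dict:
    """Split an accepted line into its parts; raise ValueError listing the violations."""
    problems = identification_violations(line, allow_dash_in_software)
    if problems:
        raise ValueError("; ".join(problems))
    head, _, comments = line[:-2].decode("ascii").partition(" ")
    _, proto, software = head.split("-", 2)
    return {"protoversion": proto, "softwareversion": software, "comments": comments or None}
```

Running `identification_violations` over `SAMPLES` in both modes shows why inserting the CR alone makes the relaxed server accept JSCH 0.1.54, while the strict form rejects the same line on two counts.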

We have been in contact with our vendor and I think they said that JSCH 0.1.72 can connect to Azure.

The version 0.1.72 is not the official version of the Jcraft JSCH, which is stuck at version 0.1.55 since 2018 (see here: http://www.jcraft.com/jsch/ChangeLog).
It would appear to be a fork (see https://www.matez.de/index.php/2020/06/22/the-future-of-jsch-without-ssh-rsa/) by Matthias Wiedemann (the same Matthias as above?).
I have to mention this because certain products such as SAP Process Orchestration utilise the Jcraft JSCH library, and are therefore unable to get the 0.1.72 version with the necessary corrections to make a connection to the Azure Storage Account SFTP. :-(

Hopefully the above info will help set an expectation for SAP technical people, who may find this.


Best

Darryl

SadheeshPari-0596 answered AnkitKhandelwal-4787 commented

Any solution found for this issue? I can see from this thread that there is a product fix, but has it been published or is it yet to be released?
Please let me know if there are any workarounds available for this issue.


Hi @SadheeshPari-0596,
Is this issue fixed?
Because on my side it is working fine now.

JunchengZhou-3307 answered BrandlFabian-3133 commented

Actually, SAP is using JSCH as its SFTP provider, and my customers cannot use it to connect to Azure SFTP. Any progress or update here?


Hi, I'm assuming you are using SAP CPI? I already proposed this fix to SAP and they modified their JSCH version; sadly I couldn't get a concrete timeframe for when we can expect the fix to be published.

(attached screenshot image.png)