I know this has been asked a few times but I have tried many of the accepted solutions already given.
I am creating a simple SSH tunnel using JSch, and I keep getting this error along with this in the logs:
INFO: diffie-hellman-group14-sha1 is not available.
I have already added the Java unlimited policy files to the correct folder and I have added this algorithm to the KexAlgorithms section in the sshd_config file. Below is the full log breakdown.
INFO: Connecting to xx.xx.xxx.xxx port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-OpenSSH_6.8
INFO: Local version string: SSH-2.0-JSCH-0.1.50
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1
INFO: diffie-hellman-group14-sha1 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
INFO: kex: server: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]
INFO: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: server: none,[email protected]
INFO: kex: server: none,[email protected]
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
INFO: kex: client: ssh-rsa,ssh-dss
INFO: kex: client: aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
INFO: kex: client: hmac-sha2-256
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: Disconnecting from xx.xx.xxx.xxx port 22
com.jcraft.jsch.JSchException: Algorithm negotiation fail
Your client and server do not share a common KEX algorithm:
INFO: kex: server: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
INFO: kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
As you can see, none of the algorithms supported by either are found in the other's list. You can add support for additional KEX algorithms to your client in one of two ways:
If you're stuck with 0.1.51, you can programmatically enable sha256:
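import com.jcraft.jsch.JSch;
import java.util.Properties;

JSch shell = new JSch();
Properties config = new Properties();
config.put("kex", "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256");
// "no" turns off host key verification: the session accepts any server key.
config.put("StrictHostKeyChecking", "no");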
Then create your session and set the configuration with:
Session session = ...
session.setConfig(config);
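The comparison this answer makes between the two kex lists, as an added example that is not part of the original answer or of JSch: for each logged name-list it picks the first client entry the server also offers (the selection rule of RFC 4253 section 7.1, simplified for the kex slot). The class name, slot labels and sample log are constructed for illustration.

```java
import java.util.*;

// Added example, not JSch code: replays algorithm selection over "kex:" log lines.
public class KexNegotiationCheck {
    // Order in which the KEXINIT name-lists appear in the log for each side.
    static final String[] SLOTS = {"kex", "host key", "cipher c2s", "cipher s2c", "mac c2s",
        "mac s2c", "compression c2s", "compression s2c", "lang c2s", "lang s2c"};

    // Collect the name-lists logged for one side ("server" or "client"), in order.
    static List<List<String>> parse(String log, String side) {
        String prefix = "INFO: kex: " + side + ":";
        List<List<String>> lists = new ArrayList<>();
        for (String line : log.split("\n")) {
            String t = line.trim();
            if (!t.startsWith(prefix)) continue;
            String body = t.substring(prefix.length()).trim();
            lists.add(body.isEmpty() ? new ArrayList<String>() : Arrays.asList(body.split("\\s*,\\s*")));
        }
        return lists;
    }

    // First name on the client's list that the server also lists, or null if none.
    static String choose(List<String> client, List<String> server) {
        for (String name : client) if (server.contains(name)) return name;
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: first four lists per side from the log above,
        // with the entries the page shows as "[email protected]" left out.
        String log = String.join("\n",
            "INFO: kex: server: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1",
            "INFO: kex: server: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519",
            "INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr",
            "INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr",
            "INFO: kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1",
            "INFO: kex: client: ssh-rsa,ssh-dss",
            "INFO: kex: client: aes256-cbc",
            "INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc");
        List<List<String>> server = parse(log, "server");
        List<List<String>> client = parse(log, "client");
        int n = Math.min(SLOTS.length, Math.min(server.size(), client.size()));
        for (int i = 0; i < n; i++) {
            String pick = choose(client.get(i), server.get(i));
            System.out.println(SLOTS[i] + ": " + (pick == null ? "NO COMMON ALGORITHM" : pick));
        }
    }
}
```

On this sample the kex slot has no common entry, which is what JSch reports as "Algorithm negotiation fail"; the client-to-server cipher slot (aes256-cbc against a ctr-only list) has none either.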
To make this key exchange algorithm available you have to add a security provider which supports it. The unrestricted policy files you mentioned are also required.
Provider installation for Bouncycastle:
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
...
Security.addProvider(new BouncyCastleProvider());
Make sure that the necessary jar files are included on your Java CLASSPATH.