spring-integration-sftp v6.1.2 throws DH key size must be multiple of 64, and can only range from 512 to 8192. key size 4095 is not supported

Question

I upgraded spring-integration-sftp from 5.2.3 RELEASE to v6.1.2. Then, I got the exception "Caused by: java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 4095 is not supported".

My private key worked in the previous version and its length is 1678, not multiple of 64. Could that be the problem? or What can be the problem area in this case?

Private key: /known_hosts/sfeg-private-key (1678 bytes)

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAosLaHA9mGBZrISlSp4u5xYsHAoa/jnqt1hUCmVBccfywTZiI
yvkE7y+QHhU1oYpCyAOXSojIIpTnOYhUsJHuB9hyLsnmNWWr2pnydyayRuj9gvsO
<......  ommitt 21 lines .............>
3rLna1UdXUVuO/KctuYdom5Ii2BAdIba7FRMRH9OuEkHbb3CNXADKkAbs7eTCNcY
i+4GBBKBJjP8EXdtIwc3Wf0OlPf4O2i0hQojYf8WUsHwWrZJ5LqMiw==
-----END RSA PRIVATE KEY-----

Known Hosts: /known_hosts/sfeg-public-key (245 Bytes)

sfeg.test.ag.test.group.ca,172.64.41.187 ssh-rsa AAAAB3NzaC<....ommitted....>th0Oqdc=

Logging:

    2024-01-27 19:13:26.320 INFO 1 --- [ main] [,] c.b.g.o.j.a.p.sftp.SftpInputProperties : getSshPrivateKey from System.getenv(SSH_PRIVATE_KEY): /known_hosts/sfeg-private-key
    2024-01-27 19:13:26.320 INFO 1 --- [ main] [,] c.b.g.o.j.a.p.sftp.SftpInputProperties : getSshPrivateKey from System.getenv(SFTP_KNOWN_HOST_FILE): /known_hosts/sfeg-public-key
    2024-01-27 18:54:16.490  INFO 1 --- [           main] [,] c.b.g.o.j.a.p.sftp.AutoConfiguration     : SFTP Configuration: privateKey - length 1678
    2024-01-27 18:54:16.491  INFO 1 --- [           main] [,] c.b.g.o.j.a.p.sftp.AutoConfiguration     : SFTP Configuration: privateKey - content 
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAosLaHA9mGBZrISlSp4u5xYsHAoa/jnqt1hUCmVBccfywTZiI
    yvkE7y+QHhU1oYpCyAOXSojIIpTnOYhUsJHuB9hyLsnmNWWr2pnydyayRuj9gvsO
    <......  ommitt 21 lines .............>
        3rLna1UdXUVuO/KctuYdom5Ii2BAdIba7FRMRH9OuEkHbb3CNXADKkAbs7eTCNcY
        i+4GBBKBJjP8EXdtIwc3Wf0OlPf4O2i0hQojYf8WUsHwWrZJ5LqMiw==
        -----END RSA PRIVATE KEY-----
        
    2024-01-27 19:13:26.388 INFO 1 --- [ main] [,] c.b.g.o.j.a.p.sftp.AutoConfiguration : SFTP Known Hosts: length = 245
    2024-01-27 19:13:26.389 INFO 1 --- [ main] [,] c.b.g.o.j.a.p.sftp.AutoConfiguration : SFTP Known Hosts: content = sfeg.test.ag.test.group.ca,172.64.41.187 ssh-rsa AAAAB3NzaC<....ommitted....>th0Oqdc=
    
    
        <....... ommit lines.....>
2024-01-30 17:15:57.997  INFO 1 --- [           main] [,] c.b.g.jrcc.receiver.ReceiverApplication  : Started ReceiverApplication in 11.388 seconds (process running for 13.733)
2024-01-30 17:15:58.001 DEBUG 1 --- [           main] [,] o.s.b.a.ApplicationAvailabilityBean      : Application availability state LivenessState changed to CORRECT
2024-01-30 17:15:58.003 DEBUG 1 --- [           main] [,] o.s.b.a.ApplicationAvailabilityBean      : Application availability state ReadinessState changed to ACCEPTING_TRAFFIC
2024-01-30 17:16:00.098  INFO 1 --- [   scheduling-1] [,] o.a.s.c.i.DefaultIoServiceFactoryFactory : No detected/configured IoServiceFactoryFactory; using Nio2ServiceFactoryFactory
2024-01-30 17:16:00.177 DEBUG 1 --- [   scheduling-1] [,] o.a.sshd.common.io.nio2.Nio2Connector    : Connecting to sfeg.test.ag.ca/142.34.91.187:22
2024-01-30 17:16:00.181 DEBUG 1 --- [   scheduling-1] [,] o.a.sshd.common.io.nio2.Nio2Connector    : setOption(SO_REUSEADDR)[true] from property=Property[socket-reuseaddr](Boolean]
2024-01-30 17:16:00.197 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : Creating IoSession on /10.97.38.175:60044 from sfeg.test.ag.ca/142.34.91.187:22 via null
2024-01-30 17:16:00.211 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : Client session created: Nio2Session[local=/10.97.38.175:60044, remote=sfeg.test.ag.ca/142.34.91.187:22]
2024-01-30 17:16:00.213 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.c.session.ClientUserAuthService    : ClientUserAuthService(ClientSessionImpl[[email protected]/142.34.91.187:22]) client methods: [publickey, keyboard-interactive, password]
2024-01-30 17:16:00.219 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.c.s.h.SessionTimeoutListener       : sessionCreated(ClientSessionImpl[[email protected]/142.34.91.187:22]) tracking
2024-01-30 17:16:00.220 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : initializeProxyConnector(ClientSessionImpl[[email protected]/142.34.91.187:22]) no proxy to initialize
2024-01-30 17:16:00.270 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : sendIdentification(ClientSessionImpl[[email protected]/142.34.91.187:22]): SSH-2.0-APACHE-SSHD-2.9.2
2024-01-30 17:16:00.271 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : writeBuffer(Nio2Session[local=/10.97.38.175:60044, remote=sfeg.test.ag.ca/142.34.91.187:22]) writing 27 bytes
2024-01-30 17:16:00.276 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : sendKexInit(ClientSessionImpl[[email protected]/142.34.91.187:22]) Send SSH_MSG_KEXINIT
2024-01-30 17:16:00.283 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : encode(ClientSessionImpl[[email protected]/142.34.91.187:22]) packet #0 sending command=20[SSH_MSG_KEXINIT] len=1306
2024-01-30 17:16:00.283 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : writeBuffer(Nio2Session[local=/10.97.38.175:60044, remote=sfeg.test.ag.ca/142.34.91.187:22]) writing 1320 bytes
2024-01-30 17:16:00.287 DEBUG 1 --- []-nio2-thread-1] [,] org.apache.sshd.client.SshClient         : setupDefaultSessionIdentities(ClientSessionImpl[[email protected]/142.34.91.187:22]) key identity provider override in session listener
2024-01-30 17:16:00.288 DEBUG 1 --- [   scheduling-1] [,] o.a.s.c.future.DefaultConnectFuture      : Connected to sfeg.test.ag.ca/142.34.91.187:22 after 106235070 nanos
2024-01-30 17:16:00.289 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : doReadIdentification(ClientSessionImpl[[email protected]/142.34.91.187:22]) line='SSH-2.0-Sun_SSH_1.1.9'
2024-01-30 17:16:00.289 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : readIdentification(ClientSessionImpl[[email protected]/142.34.91.187:22]) Server version string: SSH-2.0-Sun_SSH_1.1.9
2024-01-30 17:16:00.304 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : doHandleMessage(ClientSessionImpl[[email protected]/142.34.91.187:22]) process #0 SSH_MSG_KEXINIT
2024-01-30 17:16:00.304 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : handleKexInit(ClientSessionImpl[[email protected]/142.34.91.187:22]) SSH_MSG_KEXINIT
2024-01-30 17:16:00.313 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: kex algorithms = diffie-hellman-group-exchange-sha256
2024-01-30 17:16:00.313 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: server host key algorithms = ssh-rsa
2024-01-30 17:16:00.313 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: encryption algorithms (client to server) = aes128-ctr
2024-01-30 17:16:00.314 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: encryption algorithms (server to client) = aes128-ctr
2024-01-30 17:16:00.314 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: mac algorithms (client to server) = hmac-sha2-256
2024-01-30 17:16:00.314 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: mac algorithms (server to client) = hmac-sha2-256
2024-01-30 17:16:00.314 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: compression algorithms (client to server) = none
2024-01-30 17:16:00.314 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: compression algorithms (server to client) = none
2024-01-30 17:16:00.315 DEBUG 1 --- []-nio2-thread-2] [,] org.apache.sshd.client.kex.DHGEXClient   : init(DHGEXClient[diffie-hellman-group-exchange-sha256])[ClientSessionImpl[[email protected]/142.34.91.187:22]] Send SSH_MSG_KEX_DH_GEX_REQUEST - min=2048, prf=4096, max=8192
2024-01-30 17:16:00.315 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : encode(ClientSessionImpl[[email protected]/142.34.91.187:22]) packet #1 sending command=34[SSH_MSG_KEX_DH_GEX_REQUEST] len=13
2024-01-30 17:16:00.316 DEBUG 1 --- []-nio2-thread-2] [,] o.a.sshd.common.io.nio2.Nio2Session      : writeBuffer(Nio2Session[local=/10.97.38.175:60044, remote=sfeg.test.ag.ca/142.34.91.187:22]) writing 32 bytes
2024-01-30 17:16:00.325 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : doHandleMessage(ClientSessionImpl[[email protected]/142.34.91.187:22]) process #1 31
2024-01-30 17:16:00.368 DEBUG 1 --- []-nio2-thread-1] [,] org.apache.sshd.client.kex.DHGEXClient   : next(DHGEXClient[diffie-hellman-group-exchange-sha256])[ClientSessionImpl[[email protected]/142.34.91.187:22]] process command=SSH_MSG_KEX_DH_GEX_GROUP (expected=SSH_MSG_KEX_DH_GEX_GROUP)
2024-01-30 17:16:00.370 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : handleReadCycleFailure(Nio2Session[local=/10.97.38.175:60044, remote=sfeg.test.ag.ca/142.34.91.187:22]) InvalidAlgorithmParameterException after 53648407 nanos at read cycle=3: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 4095 is not supported
2024-01-30 17:16:00.371 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : exceptionCaught(Nio2Session[local=/10.97.38.175:60044, remote=sfeg.test.ag.ca/142.34.91.187:22]) caught InvalidAlgorithmParameterException[DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 4095 is not supported] - calling handler
2024-01-30 17:16:00.371 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : signalAuthFailure(ClientSessionImpl[[email protected]/142.34.91.187:22]) type=InvalidAlgorithmParameterException, signalled=true, first=false: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 4095 is not supported
2024-01-30 17:16:00.372  WARN 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : exceptionCaught(ClientSessionImpl[[email protected]/142.34.91.187:22])[state=Opened] InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 4095 is not supported

java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 4095 is not supported
    at java.base/com.sun.crypto.provider.DHKeyPairGenerator.initialize(Unknown Source)
    at java.base/java.security.KeyPairGenerator$Delegate.initialize(Unknown Source)
    at java.base/java.security.KeyPairGenerator.initialize(Unknown Source)
    at org.apache.sshd.common.kex.DHG.calculateE(DHG.java:64)
    at org.apache.sshd.common.kex.AbstractDH.getE(AbstractDH.java:60)
    at org.apache.sshd.client.kex.DHGEXClient.next(DHGEXClient.java:177)
    at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:721)
    at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:590)
    at org.apache.sshd.common.session.helpers.AbstractSession.lambda$handleMessage$0(AbstractSession.java:522)
    at org.apache.sshd.common.util.threads.ThreadUtils.runAsInternal(ThreadUtils.java:68)
    at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:521)
    at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1639)
    at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:482)
    at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
    at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:407)
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:380)
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:375)
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
    at java.base/java.security.AccessController.doPrivileged(Unknown Source)
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
    at java.base/sun.nio.ch.Invoker.invokeUnchecked(Unknown Source)
    at java.base/sun.nio.ch.Invoker$2.run(Unknown Source)
    at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source) 

   
    

Coding:

public class AutoConfiguration {

    private Logger logger = LoggerFactory.getLogger(AutoConfiguration.class);
    @Autowired
    ResourceLoader resourceLoader;

    private SftpInputProperties properties;

    public AutoConfiguration(SftpInputProperties sftpInputProperties) {
        this.properties = sftpInputProperties;
        logger.info("SFTP Configuration: Host => [{}]", this.properties.getHost());
        logger.info("SFTP Configuration: Port => [{}]", this.properties.getPort());
        logger.info("SFTP Configuration: Username => [{}]", this.properties.getUsername());
        logger.info("SFTP Configuration: Remote Directory => [{}]", this.properties.getRemoteDirectory());
        logger.info("SFTP Configuration: Filter Pattern => [{}]", this.properties.getFilterPattern());
        logger.info("SFTP Configuration: Cron => [{}]", this.properties.getCron());
        logger.info("SFTP Configuration: Max Message Per Poll => [{}]", this.properties.getMaxMessagePerPoll());
        logger.info("SFTP Configuration: Known Host File => [{}]", this.properties.getKnownHostFile());
    }

    @Bean
    public SessionFactory<SftpClient.DirEntry> sftpSessionFactory() throws InvalidConfigException, IOException {
        DefaultSftpSessionFactory factory = new DefaultSftpSessionFactory(true);
        factory.setHost(properties.getHost());
        factory.setPort(properties.getPort());
        factory.setUser(properties.getUsername());
        if (properties.getSshPrivateKey() != null) {
            Resource resource = resourceLoader.getResource("file:"+properties.getSshPrivateKey());;
            factory.setPrivateKey(resource);

            factory.setPrivateKeyPassphrase(properties.getSshPrivatePassphrase());
        } else {
            factory.setPassword(properties.getPassword());
        }
        boolean isAllowUnknownKeys = properties.isAllowUnknownKeys();
        factory.setAllowUnknownKeys(isAllowUnknownKeys);
        if (!isAllowUnknownKeys) {
            String knownHostFileStr = properties.getKnownHostFile();
            File knownHostFile = new File(knownHostFileStr);
            Resource resource = resourceLoader.getResource("file:"+properties.getKnownHostFile());
            factory.setPrivateKey(resource);
        }
        CachingSessionFactory<SftpClient.DirEntry> cachingSessionFactory = new CachingSessionFactory<>(factory);
        this.properties.getServerAliveInterval().ifPresent(timeout -> cachingSessionFactory.setSessionWaitTimeout(timeout));
        return cachingSessionFactory;
    }

    @Bean
    public SftpRemoteFileTemplate template() {
        try {
            return new SftpRemoteFileTemplate(sftpSessionFactory());
        } catch (InvalidConfigException ex) {
            logger.error(ex.getMessage());
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return null;
    }

    @Bean
    @InboundChannelAdapter(channel = "sftpChannel", poller = @Poller(cron = "${access.input.sftp.cron}", maxMessagesPerPoll = "${access.input.sftp.max-message-per-poll}"))
    public MessageSource<InputStream> sftpMessageSource(ConcurrentMetadataStore concurrentMetadataStore) {
        ChainFileListFilter<SftpClient.DirEntry> filterChain = new ChainFileListFilter<>();
        if (properties.getFilterPattern() != null && !"".equals(properties.getFilterPattern()))
            filterChain.addFilter(new SftpRegexPatternFileListFilter(properties.getFilterPattern()));
        filterChain.addFilter(new SftpPersistentAcceptOnceFileListFilter(concurrentMetadataStore, "sftpSource"));
        SftpStreamingMessageSource messageSource = new SftpStreamingMessageSource(template());
        messageSource.setRemoteDirectory(properties.getRemoteDirectory());
        messageSource.setFilter(filterChain);

        return messageSource;
    }

    @Bean
    @ServiceActivator(inputChannel = "sftpChannel")
    public MessageHandler handler(SftpDocumentInput sftpDocumentInput) {
        return sftpDocumentInput;
    }

}

Capture of the connection from the old working version including Diffie-Hellman (DH) group information

2024-01-28 14:02:15.024  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
2024-01-28 14:02:15.045  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2024-01-28 14:02:15.045  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_KEXINIT sent
2024-01-28 14:02:15.054  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_KEXINIT received
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: ssh-rsa,ssh-dss
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5,hmac-md5-96
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-256-96,hmac-sha2-512-96,hmac-sha1-96,hmac-md5,hmac-md5-96
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: none,[email protected],zlib
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: none,[email protected],zlib
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: bg-BG,en-US,et-EE,hr-HR,kk-KZ,lt-LT,lv-LV,mk-MK,ro-RO,ru,ru-RU,sh-BA,sl-SI,sq-AL,sr-CS,tr-TR,et,lt,lv,nr,sr-SP,sr-YU,tr,i-default,uk-UA
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server: bg-BG,en-US,et-EE,hr-HR,kk-KZ,lt-LT,lv-LV,mk-MK,ro-RO,ru,ru-RU,sh-BA,sl-SI,sq-AL,sr-CS,tr-TR,et,lt,lv,nr,sr-SP,sr-YU,tr,i-default,uk-UA
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: none
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: none
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: 
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client: 
2024-01-28 14:02:15.055  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: server->client aes128-ctr hmac-md5 none
2024-01-28 14:02:15.056  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : kex: client->server aes128-ctr hmac-md5 none
2024-01-28 14:02:15.059  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_KEXDH_INIT sent
2024-01-28 14:02:15.059  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : expecting SSH_MSG_KEXDH_REPLY
2024-01-28 14:02:15.071  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : ssh_rsa_verify: signature true
2024-01-28 14:02:15.071  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Host 'sfeg.test.ag.ca' is known and matches the RSA host key
2024-01-28 14:02:15.072  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_NEWKEYS sent
2024-01-28 14:02:15.072  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_NEWKEYS received
2024-01-28 14:02:15.072  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_SERVICE_REQUEST sent
2024-01-28 14:02:15.080  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : SSH_MSG_SERVICE_ACCEPT received
2024-01-28 14:02:15.094  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Authentications that can continue: publickey,keyboard-interactive,password
2024-01-28 14:02:15.094  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Next authentication method: publickey
2024-01-28 14:02:15.122  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Authentication succeeded (publickey).
2024-01-28 14:02:15.226  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Disconnecting from sfeg.test.ag.ca port 22
2024-01-28 14:02:15.226  INFO [-,,,] 1 --- [v.bc.ca session] [,] com.jcraft.jsch                          : Caught an exception, leaving main loop due to Socket closed
2024-01-28 14:02:20.001  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Connecting to sfeg.test.ag.ca port 22
2024-01-28 14:02:20.028  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Connection established
2024-01-28 14:02:20.028  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Remote version string: SSH-2.0-Sun_SSH_1.1.9
2024-01-28 14:02:20.028  INFO [-,,,] 1 --- [ask-scheduler-3] [,] com.jcraft.jsch                          : Local version string: SSH-2.0-JSCH-0.1.54

Answer 1

I read Artem Bilan post, Spring Integration SFTP connection fails - Unable to negotiate key exchange for kex algorithms and had the changes to inject that client into DefaultSftpSessionFactory. The KEX changedto diffie-hellman-group1-sha1, so the exception "DH key size must be multiple of 64, and can only range from 512 to 8192. key size 4095 is not supported" does not show now. I have a new problem, ssh throws "SshException: Server key did not validate". I believe this is known_hosts issue because if serverKeyVerified is set as AcceptAllServerKeyVerifier.INSTANCE (not using known_hosts), the app does not use known_hosts and works without error. The known_hosts file (/known_hosts/sfeg-public-key) is the same as the old working version, so something is wrong in coding?

New Coding (some were from spring-intergration-sftp-6.1.2 org.springframework.integration.sftp.session.doInitInnerClient() ):

@Bean

    public SessionFactory<SftpClient.DirEntry> sftpSessionFactory() throws InvalidConfigException, IOException {
    
    
        SshClient sshClient = SshClient.setUpDefaultClient();
        sshClient.setKeyExchangeFactories(NamedFactory.setUpTransformedFactories(
                false,
                BuiltinDHFactories.VALUES,
                ClientBuilder.DH2KEX
        ));
    
        boolean isAllowUnknownKeys = properties.isAllowUnknownKeys();
    
        sshClient.setSignatureFactories(new ArrayList<>(BuiltinSignatures.VALUES));
    
        ServerKeyVerifier serverKeyVerifier =
                isAllowUnknownKeys ? AcceptAllServerKeyVerifier.INSTANCE : RejectAllServerKeyVerifier.INSTANCE;
    
        if (!isAllowUnknownKeys) {
            String knownHostFileStr = properties.getKnownHostFile();
            if (StringUtils.isBlank(knownHostFileStr))
                throw new KnownHostFileNotDefinedException("Must define known_hosts file when allow-unknown-keys is false. ");
    
            File knownHostFile = new File(knownHostFileStr);
            if (!knownHostFile.exists())
                throw new KnownHostFileNotFoundException("Cannot find known_hosts file when allow-unknown-keys is false.");
    
            logger.info("SFTP Known Hosts");
            Resource resource = resourceLoader.getResource("file:"+properties.getKnownHostFile());
            logger.info("SFTP Known Hosts: length = {}", resource.contentLength());
            logger.info("SFTP Known Hosts: content = {}", resource.getContentAsString(Charset.defaultCharset()));
    
            serverKeyVerifier = new ResourceKnownHostsServerKeyVerifier(resource);
        }
    
        sshClient.setServerKeyVerifier(serverKeyVerifier);
        sshClient.setPasswordIdentityProvider(PasswordIdentityProvider.wrapPasswords(properties.getPassword()));
    
        if (properties.getSshPrivateKey() != null) {
            if(!(new File(properties.getSshPrivateKey()).exists()))
                throw new KnownHostFileNotDefinedException("Cannot find known_hosts file private key file. ");
    
            logger.info("SFTP Configuration: setPrivateKey");
            Resource resource = resourceLoader.getResource("file:"+properties.getSshPrivateKey());;
            logger.info("SFTP Configuration: privateKey - length {}", resource.contentLength());
            logger.info("SFTP Configuration: privateKey - content {}", resource.getContentAsString(Charset.defaultCharset()));
    
            IoResource<Resource> privateKeyResource =
                    new AbstractIoResource<>(Resource.class, resource) {
    
                        @Override
                        public InputStream openInputStream() throws IOException {
                            return getResourceValue().getInputStream();
                        }
    
                    };
            try {
                Collection<KeyPair> keys =
                        SecurityUtils.getKeyPairResourceParser()
                                .loadKeyPairs(null, privateKeyResource,
                                        FilePasswordProvider.of(properties.getSshPrivatePassphrase()));
                sshClient.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keys));
            }
            catch (GeneralSecurityException ex) {
                throw new IOException("Cannot load private key: " + resource.getFilename(), ex);
            }
        }
    
        DefaultSftpSessionFactory factory = new DefaultSftpSessionFactory(sshClient, true);
    
        factory.setHost(properties.getHost());
        factory.setPort(properties.getPort());
        factory.setUser(properties.getUsername());
    
        CachingSessionFactory<SftpClient.DirEntry> cachingSessionFactory = new CachingSessionFactory<>(factory);
        this.properties.getServerAliveInterval().ifPresent(timeout -> cachingSessionFactory.setSessionWaitTimeout(timeout));
        return cachingSessionFactory;
    }

Logging:

2024-01-30 22:24:00.104 DEBUG 1 --- [   scheduling-1] [,] o.a.s.c.future.DefaultConnectFuture      : Connected to sfeg.test.ag..ca/142.34.91.187:22 after 59693110 nanos
2024-01-30 22:24:00.105 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : doReadIdentification(ClientSessionImpl[[email protected]/142.34.91.187:22]) line='SSH-2.0-Sun_SSH_1.1.9'
2024-01-30 22:24:00.105 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : readIdentification(ClientSessionImpl[[email protected]/142.34.91.187:22]) Server version string: SSH-2.0-Sun_SSH_1.1.9
2024-01-30 22:24:00.121 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : doHandleMessage(ClientSessionImpl[[email protected]/142.34.91.187:22]) process #0 SSH_MSG_KEXINIT
2024-01-30 22:24:00.121 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : handleKexInit(ClientSessionImpl[[email protected]/142.34.91.187:22]) SSH_MSG_KEXINIT
2024-01-30 22:24:00.173 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: kex algorithms = diffie-hellman-group1-sha1
2024-01-30 22:24:00.173 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: server host key algorithms = ssh-dss
2024-01-30 22:24:00.174 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: encryption algorithms (client to server) = aes128-ctr
2024-01-30 22:24:00.174 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: encryption algorithms (server to client) = aes128-ctr
2024-01-30 22:24:00.174 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: mac algorithms (client to server) = hmac-sha2-256
2024-01-30 22:24:00.174 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: mac algorithms (server to client) = hmac-sha2-256
2024-01-30 22:24:00.174 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: compression algorithms (client to server) = none
2024-01-30 22:24:00.174 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : setNegotiationResult(ClientSessionImpl[[email protected]/142.34.91.187:22]) Kex: compression algorithms (server to client) = none
2024-01-30 22:24:00.196 DEBUG 1 --- []-nio2-thread-2] [,] org.apache.sshd.client.kex.DHGClient     : init(DHGClient[diffie-hellman-group1-sha1])[ClientSessionImpl[[email protected]/142.34.91.187:22]] Send SSH_MSG_KEXDH_INIT
2024-01-30 22:24:00.197 DEBUG 1 --- []-nio2-thread-2] [,] o.a.s.client.session.ClientSessionImpl   : encode(ClientSessionImpl[[email protected]/142.34.91.187:22]) packet #1 sending command=30[30] len=133
2024-01-30 22:24:00.197 DEBUG 1 --- []-nio2-thread-2] [,] o.a.sshd.common.io.nio2.Nio2Session      : writeBuffer(Nio2Session[local=/10.97.38.254:44294, remote=sfeg.test.ag..ca/142.34.91.187:22]) writing 152 bytes
2024-01-30 22:24:00.206 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : doHandleMessage(ClientSessionImpl[[email protected]/142.34.91.187:22]) process #1 31
2024-01-30 22:24:00.207 DEBUG 1 --- []-nio2-thread-1] [,] org.apache.sshd.client.kex.DHGClient     : next(DHGClient[diffie-hellman-group1-sha1])[ClientSessionImpl[[email protected]/142.34.91.187:22]] process command=SSH_MSG_KEXDH_REPLY
2024-01-30 22:24:00.282 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : setServerKey(ClientSessionImpl[[email protected]/142.34.91.187:22]) keyType=ssh-dss, digest=SHA256:20q6x+yl2wYUlt7cFEqziDKLra8z9v12jTxFscOE7Uc
2024-01-30 22:24:00.283 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : handleKexMessage(ClientSessionImpl[[email protected]/142.34.91.187:22])[diffie-hellman-group1-sha1] KEX processing complete after cmd=31
2024-01-30 22:24:00.289 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : checkKeys(ClientSessionImpl[[email protected]/142.34.91.187:22]) key=ssh-dss-SHA256:20q6x+yl2wYUlt7cFEqziDKLra8z9v12jTxFscOE7Uc, verified=false
2024-01-30 22:24:00.290 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : handleReadCycleFailure(Nio2Session[local=/10.97.38.254:44294, remote=sfeg.test.ag..ca/142.34.91.187:22]) SshException after 91798977 nanos at read cycle=3: Server key did not validate
2024-01-30 22:24:00.290 DEBUG 1 --- []-nio2-thread-1] [,] o.a.sshd.common.io.nio2.Nio2Session      : exceptionCaught(Nio2Session[local=/10.97.38.254:44294, remote=sfeg.test.ag..ca/142.34.91.187:22]) caught SshException[Server key did not validate] - calling handler
2024-01-30 22:24:00.290 DEBUG 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : signalAuthFailure(ClientSessionImpl[[email protected]/142.34.91.187:22]) type=SshException, signalled=true, first=false: Server key did not validate
2024-01-30 22:24:00.291  WARN 1 --- []-nio2-thread-1] [,] o.a.s.client.session.ClientSessionImpl   : exceptionCaught(ClientSessionImpl[[email protected]/142.34.91.187:22])[state=Opened] SshException: Server key did not validate

org.apache.sshd.common.SshException: Server key did not validate
    at org.apache.sshd.client.session.AbstractClientSession.checkKeys(AbstractClientSession.java:629)
    at org.apache.sshd.common.session.helpers.AbstractSession.handleKexMessage(AbstractSession.java:726)
    at org.apache.sshd.common.session.helpers.AbstractSession.doHandleMessage(AbstractSession.java:590)
    at org.apache.sshd.common.session.helpers.AbstractSession.lambda$handleMessage$0(AbstractSession.java:522)
    at org.apache.sshd.common.util.threads.ThreadUtils.runAsInternal(ThreadUtils.java:68)
    at org.apache.sshd.common.session.helpers.AbstractSession.handleMessage(AbstractSession.java:521)
    at org.apache.sshd.common.session.helpers.AbstractSession.decode(AbstractSession.java:1639)
    at org.apache.sshd.common.session.helpers.AbstractSession.messageReceived(AbstractSession.java:482)
    at org.apache.sshd.common.session.helpers.AbstractSessionIoHandler.messageReceived(AbstractSessionIoHandler.java:64)
    at org.apache.sshd.common.io.nio2.Nio2Session.handleReadCycleCompletion(Nio2Session.java:407)
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:380)
    at org.apache.sshd.common.io.nio2.Nio2Session$1.onCompleted(Nio2Session.java:375)
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.lambda$completed$0(Nio2CompletionHandler.java:38)
    at java.base/java.security.AccessController.doPrivileged(Unknown Source)
    at org.apache.sshd.common.io.nio2.Nio2CompletionHandler.completed(Nio2CompletionHandler.java:37)
    at java.base/sun.nio.ch.Invoker.invokeUnchecked(Unknown Source)
    at java.base/sun.nio.ch.Invoker$2.run(Unknown Source)
    at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)