Fixing SSH connection failures from Java clients
Symptoms
Some operations tools use Java SSH clients, and negotiation between these clients and servers sometimes fails on the key exchange algorithm or on the host key type. The cause is that newer clients/servers disable the insecure algorithms and key types involved. This post briefly records how to resolve the problem for future reference.
The typical error messages look like this:
# key exchange algorithm negotiation failed
Unable to negotiate with 192.168.56.99 port 54234: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
# host key type negotiation failed
Unable to negotiate with 192.168.56.99 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Solution
Choose one of the two:
Make a newer client compatible with an old server
Taking JSch as an example, upgrade to a newer version.
<dependency>
    <groupId>com.jcraft</groupId>
    <artifactId>jsch</artifactId>
    <version>0.1.55</version> <!-- check for the latest version -->
</dependency>
Configure the connection properties in code:
import com.jcraft.jsch.*;

public class SSHConnector {
    public static void main(String[] args) {
        try {
            JSch jsch = new JSch();
            // Set the algorithms this session may negotiate
            java.util.Properties config = new java.util.Properties();
            // Key setting: specify the algorithms explicitly (re-enables the legacy ones the old server offers)
            config.put("kex", "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1");
            config.put("server_host_key", "ssh-rsa,ssh-dss");
            config.put("cipher.s2c", "aes128-ctr,aes128-cbc,3des-cbc");
            config.put("cipher.c2s", "aes128-ctr,aes128-cbc,3des-cbc");
            config.put("mac.s2c", "hmac-sha1");
            config.put("mac.c2s", "hmac-sha1");
            Session session = jsch.getSession("username", "172.16.29.254", 22);
            session.setConfig(config);
            session.setPassword("password");
            // For temporary testing only: this disables host key verification
            session.setConfig("StrictHostKeyChecking", "no");
            session.connect(30000); // 30-second timeout
            System.out.println("连接成功");
            session.disconnect();
        } catch (JSchException e) {
            e.printStackTrace();
        }
    }
}
Make a newer server compatible with an old client
Append the following to /etc/ssh/sshd_config. Which algorithms to add depends on the types listed after "Their offer" in the error; usually only some of them need to be added, and using "+" to append the extra algorithms (rather than replacing the whole list) is recommended.
# fixes the "no matching key exchange method found" error
KexAlgorithms +diffie-hellman-group14-sha1
# fixes the "no matching host key type found" error
HostKeyAlgorithms +ssh-rsa
Appendix: checking which algorithms the server's sshd supports
hellxz@hz:~$ sudo sshd -T | grep -E "^hostkeyalg|^kexalg"
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
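The following POSIX shell script is an added example and is not part of the original post. It ties the three pieces above together: it parses an "Unable to negotiate ... Their offer:" log line like the two quoted at the top, picks one legacy algorithm from the offer in a fixed preference order (starting with the ones this post itself adds, diffie-hellman-group14-sha1 and ssh-rsa) so that only that one is appended with "+", checks whether an algorithm is already enabled in the output of "sshd -T", and appends the resulting line to a config file exactly once. The function and variable names are my own, and the sample log lines and the shortened "sshd -T" output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh with grep, sed and tr.
# Sample inputs below are constructed copies of the log lines quoted in the post
# and a shortened, constructed "sshd -T" listing.

SAMPLE_KEX_LOG='Unable to negotiate with 192.168.56.99 port 54234: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]'
SAMPLE_HOSTKEY_LOG='Unable to negotiate with 192.168.56.99 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]'
SAMPLE_SSHD_T='kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa'

# Preference order for legacy algorithms, most preferable first. Only the first
# name that the peer actually offered is added, so the server gains exactly one
# extra algorithm instead of the peer's whole list.
KEX_PREF="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"
HOSTKEY_PREF="ssh-rsa ssh-dss"

# offers_from_line LINE -> the comma-separated list after "Their offer:", one per line
offers_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: \([^ ]*\).*/\1/p' | tr ',' '\n'
}

# pick_first OFFERS PREF_LIST -> first name in PREF_LIST that appears in OFFERS
pick_first() {
    offers=$1
    for cand in $2; do
        if printf '%s\n' "$offers" | grep -qxF "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# sshd_fix_for LINE -> the single sshd_config line (using "+") that resolves LINE
sshd_fix_for() {
    line=$1
    offers=$(offers_from_line "$line")
    case $line in
        *"no matching key exchange method"*)
            alg=$(pick_first "$offers" "$KEX_PREF") || return 1
            printf 'KexAlgorithms +%s\n' "$alg" ;;
        *"no matching host key type"*)
            alg=$(pick_first "$offers" "$HOSTKEY_PREF") || return 1
            printf 'HostKeyAlgorithms +%s\n' "$alg" ;;
        *) return 1 ;;
    esac
}

# effective_has SSHD_T_OUTPUT KEY ALG -> success if "sshd -T" lists ALG under KEY
# (KEY is e.g. kexalgorithms or hostkeyalgorithms, as printed by sshd -T)
effective_has() {
    printf '%s\n' "$1" | grep -i "^$2 " | tr ',' '\n' | tr ' ' '\n' | grep -qxF "$3"
}

# append_fix CONFIG_FILE LINE -> append LINE to CONFIG_FILE unless already present
# (run "sshd -t" on the real file afterwards, before restarting sshd)
append_fix() {
    cfg=$1
    fix=$2
    grep -qxF "$fix" "$cfg" 2>/dev/null || printf '%s\n' "$fix" >> "$cfg"
}

# Usage: derive the config lines for the two sample errors
sshd_fix_for "$SAMPLE_KEX_LOG"       # KexAlgorithms +diffie-hellman-group14-sha1
sshd_fix_for "$SAMPLE_HOSTKEY_LOG"   # HostKeyAlgorithms +ssh-rsa
```

In practice you would feed a line from the sshd log (journalctl -u ssh or /var/log/auth.log) to sshd_fix_for, pass the output to append_fix against /etc/ssh/sshd_config, validate with "sudo sshd -t", restart sshd, and then confirm with effective_has on fresh "sudo sshd -T" output that only the one legacy algorithm was added.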