[Fixed] NetBeans, PhpStorm — Algorithm negotiation fail

tl;dr: If your Java-based IDE says “Algorithm negotiation failed”, don’t fix your sshd, fix the SSH client.

Lately I had the same issue with three Java-based IDEs: if you use SFTP and have a recent version of OpenSSH (6.7+) on your server, you might see something like “Algorithm negotiation failed” (PhpStorm) or “Upload Files On Save Failed for” (NetBeans), although you can connect to the same server using your command-line SSH client.

NetBeans’ error message is not as useful as the message presented by PhpStorm or (the third IDE) Aptana Studio*, but the output window provides more details:

CheckKexes: diffie-hellman-group14-sha1
diffie-hellman-group14-sha1 is not available.
...
kex: server: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
...
kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1

Server and client don’t share a common key exchange algorithm. Until I saw this I really believed that NetBeans & Co. were wrapping OpenSSH … Actually all* of them are using “JSch”, a pure Java implementation of SSH2. And this client library does not support that many key exchange algorithms out of the box!
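The mismatch can be read straight out of such a log. The following is an added example (not code from the original post or from JSch): it parses the output, applies the SSH rule that the first algorithm on the client's list that the server also offers is chosen, and reports which server-offered algorithms the client dropped as unavailable. The function names are illustrative, and it assumes the first "kex: server:" / "kex: client:" line carries the key exchange list, as in the excerpt above.

```python
import re

# Constructed sample: the log lines quoted in the post, with the elided lines left out.
SAMPLE_LOG = """\
CheckKexes: diffie-hellman-group14-sha1
diffie-hellman-group14-sha1 is not available.
kex: server: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
"""


def parse_kex_log(text):
    """Return the first server/client proposal and the algorithms reported unavailable."""
    info = {"server": None, "client": None, "unavailable": []}
    for line in text.splitlines():
        m = re.search(r"kex: (server|client): (\S+)", line)
        if m:
            # Assumption: only the first line per side is the key exchange list;
            # later lines with the same prefix describe other algorithm categories.
            if info[m.group(1)] is None:
                info[m.group(1)] = m.group(2).split(",")
            continue
        m = re.search(r"(\S+) is not available", line)
        if m:
            info["unavailable"].append(m.group(1))
    return info


def negotiate(client, server):
    """First algorithm on the client's list that the server also offers, else None."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def diagnose(text):
    """Return (chosen_kex, server_algorithms_the_client_dropped_as_unavailable)."""
    info = parse_kex_log(text)
    if info["server"] is None or info["client"] is None:
        raise ValueError("log does not contain both kex proposals")
    chosen = negotiate(info["client"], info["server"])
    blocked = [alg for alg in info["unavailable"] if alg in info["server"]]
    return chosen, blocked


if __name__ == "__main__":
    chosen, blocked = diagnose(SAMPLE_LOG)
    print("negotiated kex:", chosen or "none (negotiation fails)")
    print("offered by server but unavailable in client:", ", ".join(blocked) or "none")
```

For the excerpt above this reports no negotiated algorithm and names diffie-hellman-group14-sha1 as the one the server would accept but the client could not use.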

To fix this issue, you can now choose between one of the following solutions:

  • Re-add the removed algorithms. A solution I dislike. You can ask your preferred search engine how to “fix” your sshd configuration.
  • Add support for another algorithm to JSch. My preferred solution. In the following I will explain this solution:

Both NetBeans and PhpStorm include JSch as an external library. You can replace the file with a prepared one or compile it yourself (see below). In the case of NetBeans you have to look for a file called modules/com-jcraft-jsch.jar, and for PhpStorm you have to replace lib/jsch-0.1.50.jar. The latter may have a different version in your case.

Hopefully this fixes the issue! If not, or if you’d like to compile and pack your own version, or if you want to read some more details, read on.

As you can see here and here, this issue is known and there is also a patch to solve it. So to get a fixed version of JSch you need to download the library, apply the patch and build the jar file. Afterwards you can insert the library in the module folder of your IDE.

Finally, since I’m a happy Gentoo user, I decided to create an ebuild for this. This way I can use emerge to update JSch and reinstall NetBeans.

——

*Applying this fix to Aptana Studio didn’t work. I’m not 100% sure why, but it seems that it has two SSH client libraries (JSch and j2ssh?) and I was not able to find the correct jar to fix this issue.

1 Comment

  1. Sebastian Mares

    At least for PhpStorm, another option (recommended by the developers) is downloading bcprov-jdk15on-151.jar (or the latest version) from http://www.bouncycastle.org/latest_releases.html to \jre\jre\lib\ext. Then edit \jre\jre\lib\security\java.security and add security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider to the top of the list and change the numbers in the subsequent lines.
