IBM MQ Managed File Transfer and OpenSSH compatibility.

By Jack Burden posted 4 days ago

Introduction.

IBM MQ Managed File Transfer (MFT) provides the capability to transfer files to a Secure File Transfer Protocol (SFTP) enabled host. This is facilitated through configuration and use of the MFT protocol bridge agent (PBA). The PBA uses the Java Secure Channel (JSch) library to facilitate this transfer.

JSch is a Java implementation of the Secure Shell (SSH) 2 protocol. It should be understood that SSH and SFTP are closely linked.

OpenSSH is the open-source implementation of the SSH and SFTP protocols. It is very common and found on a myriad of machines around the globe, especially Unix derivatives.

So we can picture JSch and OpenSSH as the respective sides of the conversation between the MFT PBA (JSch) and your SFTP file server (OpenSSH).

Now that we have set the scene and introduced the technologies and terminology, let's look at the purpose of this post: compatibility!

Compatibility.

Since OpenSSH version 8.8, released on 26th September 2021, RSA signatures using the SHA-1 hash algorithm (the ssh-rsa signature algorithm) have been disabled by default. The release notes should be available here; in case they are not, the relevant excerpt follows...

OpenSSH 8.8/8.8p1 (2021-09-26)

This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K [1]

For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible.

Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options.

Versions of the MFT PBA older than 9.4.0.0 ship a JSch version that relies heavily on SHA-1 and implements none of the later changes to the SSH protocol (such as the RFC 8332 rsa-sha2-256/512 signatures mentioned above), since it considerably pre-dates OpenSSH 8.8.

What does this mean?

Ultimately, if you are using an MFT PBA version <9.4.0.0 and your SFTP server is running OpenSSH >=8.8, the two sides cannot negotiate a connection and no session is established. This manifests as the following error and stack in your MFT PBA logs/trace...

[31/10/24 17:04:31.972.0H] 00000034 @9ed63358 c.i.wmqfte.jsch.Session ----+----+----+--- ! connect, Authentication failed [com.ibm.wmqfte.jsch.JSchException]
[31/10/24 17:04:31.972.0I] 00000034 @caff9075 c.i.w.b.session.sftp.SFTPConnection ----+----+----+-- X openSession
[31/10/24 17:04:31.972.0I] 00000034 Authentication failed [com.ibm.wmqfte.jsch.JSchException] at:
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.jsch.Session.connect(Session.java:578)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.session.sftp.SFTPConnection.openSession(SFTPConnection.java:428)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.session.sftp.SFTPConnection.connect(SFTPConnection.java:126)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.session.sftp.SFTPSession.connect(SFTPSession.java:167)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.session.sftp.SessionFactory.createSession(SessionFactory.java:98)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.endpoint.BridgeEndPoint.createSession(BridgeEndPoint.java:92)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.Bridge.createSession(Bridge.java:355)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.utils.BridgeSessionContainer.getSession(BridgeSessionContainer.java:130)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.bridge.session.BridgeSessionContainerManager.getSession(BridgeSessionContainerManager.java:140)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.io.bridge.BridgeFileImpl.getSession(BridgeFileImpl.java:794)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.io.bridge.BridgeFileImpl.<init>(BridgeFileImpl.java:155)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.io.bridge.BridgeFileFactoryHelperImpl.newFTEFile(BridgeFileFactoryHelperImpl.java:115)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.io.FTEFileFactory.newFTEFileWithChannel(FTEFileFactory.java:336)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.transfer.frame.impl.TransferFrameReceiverImpl.openAndLockFile(TransferFrameReceiverImpl.java:1280)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.transfer.frame.impl.TransferFrameReceiverImpl.openAndLockFile(TransferFrameReceiverImpl.java:1203)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.transfer.frame.impl.TransferFrameReceiverImpl.processChunk(TransferFrameReceiverImpl.java:526)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.transfer.frame.impl.TransferFrameReceiverImpl.access$000(TransferFrameReceiverImpl.java:95)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.transfer.frame.impl.TransferFrameReceiverImpl$ChunkProcessor.processFileIORequest(TransferFrameReceiverImpl.java:135)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.transfer.frame.impl.TransferFrameIOWorker.doWorkImpl(TransferFrameIOWorker.java:318)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.io.impl.FTEFileIOWorker.doWork(FTEFileIOWorker.java:118)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.io.impl.FTEFileIORequestQueue.run(FTEFileIORequestQueue.java:274)
[31/10/24 17:04:31.972.0I] 00000034 java.lang.Thread.run(Thread.java:825)
[31/10/24 17:04:31.972.0I] 00000034 com.ibm.wmqfte.thread.FTEThread.run(FTEThread.java:70)

To resolve this, it is highly recommended that your MFT installation be upgraded to a version >=9.4.0.0. For clarity, this includes any 9.4 LTS or 9.4 CD version, or any later release.

This is because the version of JSch shipped with the 9.4 release of MFT was upgraded significantly.

Other potential workarounds exist, such as re-enabling SHA-1 support in OpenSSH; however, these cannot be recommended because of the weaknesses in SHA-1 that prompted OpenSSH to drop it in the first place. Furthermore, since MFT now supports later OpenSSH versions, upgrading your MFT PBA is the sensible approach.

Summary.

To conclude, MFT PBA versions <9.4.0.0 are only compatible with OpenSSH <8.8, and an MFT upgrade will be required to communicate with a server using OpenSSH versions >=8.8.
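As an added, offline-runnable check (not part of the original post or of IBM's code), the following Python applies the rule above to an SFTP server's SSH identification banner and an MFT version, and recognises the JSch failure line from the trace shown earlier. The host/version arguments, the constructed sample banner and the padding of MFT versions to four components are assumptions.

```python
import re
import socket
from typing import Iterable, Optional, Tuple

# SSH identification string (RFC 4253 section 4.2), e.g. "SSH-2.0-OpenSSH_8.8p1 Ubuntu-1".
_OPENSSH_BANNER = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")

# Exact failure text from the MFT PBA trace shown in this post.
_JSCH_AUTH_FAILED = "Authentication failed [com.ibm.wmqfte.jsch.JSchException]"


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an OpenSSH banner, or None for a non-OpenSSH server."""
    m = _OPENSSH_BANNER.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_mft_version(version: str) -> Tuple[int, ...]:
    """Turn an MFT version such as '9.3.0.10' or '9.2' into a 4-part comparable tuple (assumed padding)."""
    parts = [int(p) for p in version.split(".")]
    return tuple((parts + [0] * 4)[:4])


def pba_compatible(mft_version: str, openssh_version: Tuple[int, int]) -> bool:
    """The post's rule: a PBA older than 9.4.0.0 only negotiates with OpenSSH older than 8.8."""
    if parse_mft_version(mft_version) >= (9, 4, 0, 0):
        return True
    return openssh_version < (8, 8)


def trace_shows_jsch_auth_failure(trace_lines: Iterable[str]) -> bool:
    """True when an MFT PBA trace contains the JSch connect failure from the post."""
    return any(_JSCH_AUTH_FAILED in line and "c.i.wmqfte.jsch.Session" in line
               for line in trace_lines)


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line; sshd sends it as soon as the TCP connection opens."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(255).decode("ascii", "replace")
    return (data.splitlines() or [""])[0]


if __name__ == "__main__":
    import sys
    # Usage: python check.py <sftp-host> <mft-version>; with no arguments, constructed samples are used.
    if len(sys.argv) == 3:
        banner, mft = fetch_ssh_banner(sys.argv[1]), sys.argv[2]
    else:
        banner, mft = "SSH-2.0-OpenSSH_8.8p1", "9.3.0.10"  # constructed sample values
    ver = parse_openssh_version(banner)
    if ver is None:
        print(f"not an OpenSSH server: {banner!r}")
    else:
        state = "compatible" if pba_compatible(mft, ver) else "INCOMPATIBLE: upgrade MFT to >=9.4.0.0"
        print(f"MFT PBA {mft} vs OpenSSH {ver[0]}.{ver[1]}: {state}")
```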
