Description
In what version(s) of Spring Integration are you seeing this issue?
For example:
5.5.0 and all previous versions
Describe the bug
The DefaultSftpSessionFactory does not support host keys of type ssh-ed25519.
If it tries to validate one it will return with 2 messages:
INFO: The authenticity of host '****' can't be established.\nRSA key fingerprint is ****.\nAre you sure you want to continue connecting?
ERROR: MessagingException Failed to execute on session; nested exception is java.lang.IllegalStateException: failed to create SFTP Session
However, if all unknown keys are accepted, the connection can be established. This might cause people to not validate keys for convenience, which would open the door to vulnerabilities.
To Reproduce
Start an SFTP server using ssh-ed25519 based host keys. In my case I'm using the docker image atmoz/sftp.
Connect to the server via sftp cli and accept the key.
Use the known hosts to instantiate a SftpRemoteFileTemplate.
Expected behavior
The host key is properly validated and used.
Background information
The reason for this issue is the lack of support for this key type in the JSch library. Furthermore, the library seems to be no longer maintained, as nobody answers maintenance requests on the mailing list.
The lack of key type support will be a security issue in the future. More details can also be found here: http://www.matez.de/index.php/2020/06/22/the-future-of-jsch-without-ssh-rsa/
Several forks such as https://github.com/mwiede/jsch have appeared that resolve these issues. Maybe it's possible to swap the dependency while keeping compatibility.
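Added example (not part of the original report, and not Spring Integration or JSch code): a known_hosts audit that lists hosts whose only recorded keys are of a type the client library cannot validate, so they can be identified before anyone is tempted to accept all unknown keys. The function names and the sample file are constructed; the unsupported set contains only ssh-ed25519 because that is the type this report names.

```python
"""Audit an OpenSSH known_hosts file for hosts a client library cannot verify."""

# Assumption: only the key type named in the report above is listed here.
UNSUPPORTED_KEY_TYPES = frozenset({"ssh-ed25519"})

# Constructed sample; key material is placeholder text, not real keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "[sftp.example.test]:2222 ssh-ed25519 PLACEHOLDERKEY1",
    "files.example.test,192.0.2.10 ssh-rsa PLACEHOLDERKEY2",
    "files.example.test ssh-ed25519 PLACEHOLDERKEY3",
    "|1|c2FsdA==|aGFzaA== ssh-ed25519 PLACEHOLDERKEY4",
    "@revoked old.example.test ssh-ed25519 PLACEHOLDERKEY5",
])


def parse_known_hosts(text):
    """Yield (line_no, marker, hosts, key_type) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):  # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed: needs host list, key type and key
        yield line_no, marker, fields[0].split(","), fields[1]


def unverifiable_hosts(text, unsupported=UNSUPPORTED_KEY_TYPES):
    """Return hosts for which every plain entry uses an unsupported key type."""
    types_by_host = {}
    for _, marker, hosts, key_type in parse_known_hosts(text):
        if marker is not None:
            continue  # revoked keys and CA lines are not usable host keys here
        for host in hosts:
            if host.startswith("!"):
                continue  # negated pattern, not a host entry of its own
            types_by_host.setdefault(host, set()).add(key_type)
    # Hashed names (|1|salt|hash) cannot be grouped, so each is judged alone.
    return sorted(h for h, types in types_by_host.items() if types <= unsupported)


if __name__ == "__main__":
    for host in unverifiable_hosts(SAMPLE_KNOWN_HOSTS):
        print("only unsupported key types recorded for:", host)
```

A host that also has an entry of a supported type is not reported, since validation can still succeed if the server offers that key.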