I'm running MacOs, Springboot 2.6.7 and mwiede:jsch:0.2.5 (according to a '.gradlew dependencies' command) and I'm trying to connect to an old customer SFTP server.
I have generated an SSH key pair and the public key have been installed on the server.
To verify that the keys worked I can run following shell command:
sftp -v -oHostKeyAlgorithms=ssh-dss -i <Full path to key file> <ssh username>@<ip address>
Which gives the following log:
.ssh % sftp -vvv -oHostKeyAlgorithms=ssh-dss -i /Users/XXX/.ssh/id_rsa <username>@<IP>
OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: resolve_canonicalize: hostname <IP> is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/<XXX>/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/<XXX>/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: ssh_connect_direct: entering
debug1: Connecting to <IP> [<IP>] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /Users/<XXX>/.ssh/id_rsa_cloud-integration_test type 0
debug1: identity file /Users/<XXX>/.ssh/id_rsa_cloud-integration_test-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version 9.99 sshlib
debug1: compat_banner: no match: 9.99 sshlib
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <IP>:22 as '<username>'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-dss
debug2: ciphers ctos: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
debug2: ciphers stoc: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
debug2: MACs ctos: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: zlib,none
debug2: compression stoc: zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-dss
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_DH_GEX_GROUP received
debug2: bits set: 1070/2048
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: receive packet: type 33
debug1: SSH2_MSG_KEX_DH_GEX_REPLY received
debug1: Server host key: ssh-dss SHA256:/BtDJ1DxsTK3GWkcwAc7bJL/DwnCwjLnJt9/qgvqKEg
debug3: record_hostkey: found key type DSA in file /Users/<XXX>/.ssh/known_hosts:24
debug3: load_hostkeys_file: loaded 1 keys from <IP>
debug1: load_hostkeys: fopen /Users/<XXX>/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '<IP>' is known and matches the DSA host key.
debug1: Found key in /Users/<XXX>/.ssh/known_hosts:24
debug2: bits set: 1020/2048
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /Users/<XXX>/.ssh/id_rsa_cloud-integration_test RSA SHA256:dEljro/wx66trJGaFWgSMwL8fiGqGEzkw+1iAZVbQAw explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/<XXX>/.ssh/id_rsa_cloud-integration_test RSA SHA256:dEljro/wx66trJGaFWgSMwL8fiGqGEzkw+1iAZVbQAw explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/<XXX>/.ssh/id_rsa_cloud-integration_test RSA SHA256:dEljro/wx66trJGaFWgSMwL8fiGqGEzkw+1iAZVbQAw explicit
debug3: sign_and_send_pubkey: RSA SHA256:dEljro/wx66trJGaFWgSMwL8fiGqGEzkw+1iAZVbQAw
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:dEljro/wx66trJGaFWgSMwL8fiGqGEzkw+1iAZVbQAw
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to <IP> ([<IP>]:22).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: set_sock_tos: set socket 3 IP_TOS 0x20
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env TERM_SESSION_ID
debug3: Ignored env SSH_AUTH_SOCK
debug1: channel 0: setting env LC_TERMINAL_VERSION = "3.4.19"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env COLORFGBG
debug3: Ignored env ITERM_PROFILE
debug3: Ignored env XPC_FLAGS
debug3: Ignored env PWD
debug3: Ignored env SHELL
debug3: Ignored env __CFBundleIdentifier
debug3: Ignored env SECURITYSESSIONID
debug1: channel 0: setting env LC_CTYPE = "UTF-8"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env TERM_PROGRAM_VERSION
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env PATH
debug1: channel 0: setting env LC_TERMINAL = "iTerm2"
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env COLORTERM
debug3: Ignored env COMMAND_MODE
debug3: Ignored env TERM
debug3: Ignored env HOME
debug3: Ignored env TMPDIR
debug3: Ignored env USER
debug3: Ignored env XPC_SERVICE_NAME
debug3: Ignored env LOGNAME
debug3: Ignored env LaunchInstanceID
debug3: Ignored env ITERM_SESSION_ID
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env SHLVL
debug3: Ignored env OLDPWD
debug3: Ignored env JENV_SHELL
debug3: Ignored env JENV_LOADED
debug3: Ignored env _
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 16384 rmax 35840
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug2: Remote version: 3
Connected to <IP>.
debug3: Sent message fd 3 T:16 I:1
debug3: SSH_FXP_REALPATH . -> /Home/<username> size 0
sftp>
And I'm connecting without problems and without password - I also tried FileZilla which works fine.
But when im trying to connect with my springboot application I'm getting an error:
JSchException: Auth fail for methods 'publickey,password'
I point to the key file with same full path as with shell.
My Java class code is very simple and straight forward:
JSch jsch = new JSch();
jsch.setKnownHosts("/Users/<user>/.ssh/known_hosts");
jsch.addIdentity("<full path to key file>");
Session session = jsch.getSession(sshUserName, host, 22);
session.setTimeout(5000);
java.util.Properties config = new java.util.Properties();
config.put("StrictHostKeyChecking", "no");
config.put("server_host_key", "ssh-dss");
config.put("trust", "yes");
session.setConfig(config);
session.connect();
if (session.isConnected()) {
log.info("Connected to host [{}]", host);
} else {
log.error("Unable to connect to host [{}]", host);
return;
}
//Setup transfer channel and upload file
ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
.... other code to list files and upload etc ....
JSCHLogger : Connecting to <IP> port 22
JSCHLogger : Connection established
JSCHLogger : Remote version string: SSH-2.0-9.99 sshlib
JSCHLogger : Local version string: SSH-2.0-JSCH_0.2.5
JSCHLogger : CheckCiphers: [email protected]
JSCHLogger : CheckKexes: curve25519-sha256,[email protected],curve448-sha512
JSCHLogger : CheckSignatures: ssh-ed25519,ssh-ed448
JSCHLogger : server_host_key proposal before known_host reordering is: ssh-dss
JSCHLogger : server_host_key proposal after known_host reordering is: ssh-dss
JSCHLogger : SSH_MSG_KEXINIT sent
JSCHLogger : SSH_MSG_KEXINIT received
JSCHLogger : kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
JSCHLogger : kex: server: ssh-dss
JSCHLogger : kex: server: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
JSCHLogger : kex: server: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
JSCHLogger : kex: server: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
JSCHLogger : kex: server: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
JSCHLogger : kex: server: zlib,none
JSCHLogger : kex: server: zlib,none
JSCHLogger : kex: server:
JSCHLogger : kex: server:
JSCHLogger : kex: client: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
JSCHLogger : kex: client: ssh-dss
JSCHLogger : kex: client: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
JSCHLogger : kex: client: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
JSCHLogger : kex: client: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
JSCHLogger : kex: client: [email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
JSCHLogger : kex: client: none
JSCHLogger : kex: client: none
JSCHLogger : kex: client:
JSCHLogger : kex: client:
JSCHLogger : kex: algorithm: diffie-hellman-group-exchange-sha256
JSCHLogger : kex: host key algorithm: ssh-dss
JSCHLogger : kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
JSCHLogger : kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
JSCHLogger : SSH_MSG_KEX_DH_GEX_REQUEST(2048<3072<8192) sent
JSCHLogger : expecting SSH_MSG_KEX_DH_GEX_GROUP
JSCHLogger : SSH_MSG_KEX_DH_GEX_INIT sent
JSCHLogger : expecting SSH_MSG_KEX_DH_GEX_REPLY
JSCHLogger : ssh_dss_verify: signature true
JSCHLogger : Host '<IP>' is known and matches the DSA host key
JSCHLogger : SSH_MSG_NEWKEYS sent
JSCHLogger : SSH_MSG_NEWKEYS received
JSCHLogger : SSH_MSG_SERVICE_REQUEST sent
JSCHLogger : SSH_MSG_SERVICE_ACCEPT received
JSCHLogger : Authentications that can continue: publickey,keyboard-interactive,password
JSCHLogger : Next authentication method: publickey
JSCHLogger : PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
JSCHLogger : No server-sig-algs found, using PubkeyAcceptedAlgorithms = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]
JSCHLogger : rsa-sha2-512 preauth success
JSCHLogger : rsa-sha2-512 auth failure
JSCHLogger : Authentications that can continue: password
JSCHLogger : Next authentication method: password
JSCHLogger : Disconnecting from <IP> port 22
JavaClass : Unable to establish connection to host [<IP>] with cause [null] and message [Auth fail for methods 'publickey,password']
[nio-8080-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.RuntimeException: java.io.IOException: com.jcraft.jsch.JSchException: Auth fail for methods 'publickey,password'] with root cause
I learned that I needed to set the server_host_key to ssh-dss both in the terminal and in the Java code. But in Java it only brings my a bit further.
Any ideas would be highly appreciated
Try preventing JSch from using rsa-sha2-512:
config.put("PubkeyAcceptedAlgorithms", "ssh-rsa");
And to make it use ssh-dss hostkey:
config.put("server_host_key", "ssh-dss");
See also JSchException: Auth fail on Ubuntu 22.04.
Obligatory warning: Do not use StrictHostKeyChecking=no to blindly accept all host keys. That is a security flaw. You lose a protection against MITM attacks. For the correct (and secure) approach, see: How to resolve Java UnknownHostKey, while using JSch SFTP library?