“Auth fail” in jsch-0.1.42 with Java 1.4.2

12
votes

I have this simple Java program that uses Jsch to connect to an SFTP server.

The connection fails with an "Auth fail" exception on Java 1.4.2, but it connects flawlessly on Java 1.7.

try {
    JSch jsch = new JSch();

    jsch.setKnownHosts(KNOWN_HOSTS_PATH);
    jsch.addIdentity(PRIVATE_KEY_PATH, PASSPHRASE);

    Session session = jsch.getSession(USERNAME, HOSTNAME, 22);
    session.connect(2500);

    Channel channel = session.openChannel("shell");
    channel.setInputStream(System. in );
    channel.setOutputStream(System.out);
    channel.connect();
} catch (Exception e) {
    e.printStackTrace(System.err);
}

The key I'm using is an ssh-rsa 4096 bit key. The .pub key file exists in the same directory as the private key.

When connecting a logger, I see the following messages before the exception (which occurs on channel.connect();):

INFO: Connecting to <redacted> port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-OpenSSH_5.1p1 Debian-5
INFO: Local version string: SSH-2.0-JSCH-0.1.42
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: arcfour is not available.
INFO: arcfour128 is not available.
INFO: arcfour256 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server->client aes128-ctr hmac-md5 none
INFO: kex: client->server aes128-ctr hmac-md5 none
INFO: SSH_MSG_KEXDH_INIT sent
INFO: expecting SSH_MSG_KEXDH_REPLY
INFO: ssh_rsa_verify: signature true
INFO: Host '<redacted>' is known and mathces the RSA host key
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: password
INFO: Next authentication method: password
INFO: Disconnecting from <redacted> port 22
com.jcraft.jsch.JSchException: Auth fail
        at com.jcraft.jsch.Session.connect(Session.java:452)
        at TestJsch.main(TestJsch.java:19)

When I run the same program with Java 1.7, it says

INFO: Connecting to <redacted> port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-OpenSSH_5.1p1 Debian-5
INFO: Local version string: SSH-2.0-JSCH-0.1.42
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server->client aes128-ctr hmac-md5 none
INFO: kex: client->server aes128-ctr hmac-md5 none
INFO: SSH_MSG_KEXDH_INIT sent
INFO: expecting SSH_MSG_KEXDH_REPLY
INFO: ssh_rsa_verify: signature true
INFO: Host '<redacted>' is known and mathces the RSA host key
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT receivedINFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentication succeeded (publickey).
Linux <redacted> 2.6.26-2-amd64 #1 SMP Mon Jun 13 16:29:33 UTC 2011 x86_64

<server welcome message follows>

I have installed the Java Cryptography Extensions (JCE) for the 1.4 VM.

What could be the source of that problem?

5
javajsch
did you notice that it skips the publickey authentication and goes straight to password auth? : Authentications that can continue: password - oers
@oers Yes, I did. I have no explanation, other than the assumption that some part of the key authentication fails silently (for example because the key is too long or a precondition was not met) and it skips to the next available method without issuing a warning. "Java 1.4 does not support 4096 bit keys because XYZ" is answer I would be willing to accept (even though I really can't imagine right now that this could be true). - Tomalak
Looking at the UserAuthPublicKey.java from JSch, it looks like this process really does emit little useful information. I suggest compiling JSch from source, and adding more output to that class, so you get an idea as to what's going on, where things fail. - MvG
@MvG I could do that,but digging into a library I know next-to-nothing about doesn't really appeal to me. :/ I've seen the author of Jsch around SO, I was hoping he'd show up. - Tomalak
@Tomalak Looking over the JSch source, UserAuthPublicKey.java and IdentityFile.java actually already include a number of commented out System.err.println() debugging statements, so maybe just re-enabling those would be enough to shed light on why (or at least where) things are failing. - blahdiblah

5 Answers

4
votes

Java has a limitation for using strong crypto algorithm. Check content of $JRE_HOME/lib/security/US_Export_policy.jar and $JRE_HOME/lib/security/local_policy.jar. If you find something like this:

// File: default_local.policy
// Some countries have import limits on crypto strength.
// This policy file is worldwide importable.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                   "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", 2048;
    permission javax.crypto.CryptoPermission *, 128;
};

Decision is to download and install JCE Unlimited Strength Jurisdiction Policy. Previously, it was located on Sun's site, now I don't know where it can be found.

You can read more in this article

EDIT: After some research, I found my answer was incorrect.

Java 1.4 does not support RSA keys more than 2048 byte length BUG 4524097

3
votes

My problems with jsch have been around permissions. So i would do the following to eliminate them as problems

  1. Make sure you can ssh to the remote on the command line using the generated keys.
  2. Pass in the password and make sure you can get a connection to the remote.
  3. Check the permissions on the directory locally and on the remote good ssh summary.
  4. Try using the local host as a remote.

Failing that download the source code and step though it in a debug session.

1
votes

Have you tried using an Open SSH key? jsch uses Open SSH key formats. You can convert your existing one to an Open SSH format. This is how: Use putty keygen and load your existing key. You may be prompted to enter your password to decrypt it. After that click on the conversions option above and choose the "Export OpenSSH Key". Use this newly generated key in your program above. Hope this helps.

-2
votes

This code works fine...

public class Exec2 {

static String SSH_SERVER_PATH = "localhost";
static String SSH_SERVER_USERNAME = "root";
static String SSH_SERVER_PASSWORD = "root";

public static void main(String[] arg) {
    try {
        JSch jsch = new JSch();
        String host = SSH_SERVER_PATH;
        String user = SSH_SERVER_USERNAME;

        Session session = jsch.getSession(user, host, 22);

        // username and password will be given via UserInfo interface.

        UserInfo ui = new MyUserInfo();
        session.setUserInfo(ui);
        session.connect();

        String command = "uname";

        Channel channel = session.openChannel("exec");
        ((ChannelExec) channel).setCommand(command);

        channel.setInputStream(null);

        ((ChannelExec) channel).setErrStream(System.err);

        InputStream in = channel.getInputStream();

        channel.connect();

        byte[] tmp = new byte[1024];
        while (true) {
            while (in.available() > 0) {
                int i = in.read(tmp, 0, 1024);
                if (i < 0)
                    break;
                System.out.print(new String(tmp, 0, i));
            }
            if (channel.isClosed()) {
                System.out.println("exit-status: " + channel.getExitStatus());
                break;
            }
            try {
                Thread.sleep(1000);
            } catch (Exception ee) {
            }
        }
        channel.disconnect();
        session.disconnect();
    } catch (Exception e) {
        System.out.println(e);
    }
}

public static class MyUserInfo implements UserInfo, UIKeyboardInteractive {

    String passwd;

    public String getPassword() {
        return passwd;
    }

    public boolean promptYesNo(String str) {
        return true;
    }


    public String getPassphrase() {
        return null;
    }

    public boolean promptPassphrase(String message) {
        return true;
    }

    public boolean promptPassword(String message) {
        passwd = SSH_SERVER_PASSWORD;
        return true;
    }

    public void showMessage(String message) {
        System.out.println("message = " + message);
    }

    public String[] promptKeyboardInteractive(String destination,
            String name, String instruction, String[] prompt, boolean[] echo) {
        if (prompt[0].equals("Password: ")){
            String[] response = new String[1];
            response[0] = SSH_SERVER_PASSWORD;
            return response;
        }
        return null;
    }
}
}
-3
votes

public String getPassphrase() { return null; }

public boolean promptPassphrase(String message) {
    return true;
}

public boolean promptPassword(String message) {
    passwd = SSH_SERVER_PASSWORD;
    return true;
}

public void showMessage(String message) {
    System.out.println("message = " + message);