mwiede / jsch

fork of the popular jsch library

Auth fail for method 'publicKey' #405

Open kirandasika0 opened 1 year ago

kirandasika0 commented 1 year ago

Hi, I'm running into this issue when trying to establish an SSH connection to my server. Can someone explain why this seems to be in jsch 0.2.11?

How I build my identity:

jsch.addIdentity(UUID.randomUUID().toString(), decodedSshKey, null, null);

Logs:

message
Connecting to <serveR> port 2200
Connection established
Remote version string: SSH-2.0-OpenSSH_8.0
Local version string: SSH-2.0-JSCH_0.2.11
CheckCiphers: chacha20-poly1305@openssh.com
"CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512"
"CheckSignatures: ssh-ed25519,ssh-ed448"
"server_host_key proposal before known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"
"server_host_key proposal after known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"
SSH_MSG_KEXINIT sent
SSH_MSG_KEXINIT received
"server proposal: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,curve25519-sha256,curve25519-sha256@libssh.org"
"server proposal: host key algorithms: rsa-sha2-512,rsa-sha2-256"
"server proposal: ciphers c2s: aes256-ctr,aes192-ctr,aes128-ctr"
"server proposal: ciphers s2c: aes256-ctr,aes192-ctr,aes128-ctr"
"server proposal: MACs c2s: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
"server proposal: MACs s2c: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256"
"server proposal: compression c2s: none,zlib@openssh.com"
"server proposal: compression s2c: none,zlib@openssh.com"
server proposal: languages c2s: 
server proposal: languages s2c: 
"client proposal: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c"
"client proposal: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"
"client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
"client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
"client proposal: MACs c2s: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"
"client proposal: MACs s2c: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"
client proposal: compression c2s: none
client proposal: compression s2c: none
client proposal: languages c2s: 
client proposal: languages s2c: 
kex: algorithm: curve25519-sha256
kex: host key algorithm: rsa-sha2-512
kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
SSH_MSG_KEX_ECDH_INIT sent
expecting SSH_MSG_KEX_ECDH_REPLY
ssh_rsa_verify: rsa-sha2-512 signature true
Permanently added '[<server>]:2200' (RSA) to the list of known hosts.
SSH_MSG_NEWKEYS sent
SSH_MSG_NEWKEYS received
SSH_MSG_SERVICE_REQUEST sent
SSH_MSG_EXT_INFO received
"server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>"
SSH_MSG_SERVICE_ACCEPT received
"Authentications that can continue: publickey,keyboard-interactive,password"
Next authentication method: publickey
"PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"
"PubkeyAcceptedAlgorithms in server-sig-algs = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]"
rsa-sha2-512 preauth failure
rsa-sha2-256 preauth failure
Disconnecting from <server> port 2200

norrisjeremy commented 1 year ago

Hi @kirandasika30,

The server does not appear to recognize your SSH key, so authentication fails. You should confirm that your SSH key is correctly added to the authorized_keys file for the user account on the server.

Thanks, Jeremy

kirandasika0 commented 1 year ago

Hi @norrisjeremy, Thank you for getting back. I've double-checked that the key was added to the server properly. The issue stems from the fact that the server disabled the use of the ssh-rsa signature algorithm. But, the server only accepts public key types prefixed with ssh-rsa. I tried adding the ssh-rsa key type as one of the PubkeyAcceptedAlgorithms but it still seems to show the same error.

norrisjeremy commented 1 year ago

Hi @kirandasika30,

I'm not sure what other assistance I can provide: the log messages you provided indicate the server has rejected your SSH key, so it either isn't correctly added on the server or the server has disabled the use of the rsa-sha2-512 & rsa-sha2-256 signature algorithms. Perhaps you can try to investigate log messages on the server end to better understand why this failure is occurring?

Thanks, Jeremy

kirandasika0 commented 1 year ago

Hi, I was able to get some logs from the server. But, they don't point to any obvious error.

com.jcraft.jsch.JSchException: Auth fail for methods 'publickey' [preauth]

Any idea why this exception might be triggered?

norrisjeremy commented 1 year ago

Hi @kirandasika30,

All I can state is that, based upon the information that you have provided, the server has rejected your SSH key. This would lead me to conclude that your key is not actually properly added on the server for the user account which you are attempting to use.

Thanks, Jeremy

kirandasika0 commented 1 year ago

Hi @norrisjeremy, Thanks for getting back. The ssh-rsa key type was deprecated, causing the error. Unfortunately, I don't have much control over the server side to provide you any logs.

Have you seen this scenario play out where the library has issues in containers, specifically Azul JDK, but works normally when running on a regular VM?

norrisjeremy commented 1 year ago

Hi @kirandasika30,

I don't know why you would be having issues with your containers. All I can state is the log messages you have provided indicate the server is not accepting your public key, which would seem to indicate that the key has not been added for the user account which you are attempting to use.

Thanks, Jeremy

souhailharrati commented 7 months ago

You can use this solution:

  1. add the remote IP address or hostname into the ~/.ssh/known_hosts

     ```sh
     ssh-keyscan -t rsa <HOST_NAME> >> ~/.ssh/known_hosts
     ssh-keyscan -t rsa <IP_ADDRESS_OF_HOST_NAME> >> ~/.ssh/known_hosts
     ```

  2. load file known_hosts

     ```java
     jsch.setKnownHosts(new FileInputStream(knowHosts));
     ```

  3. get session and add PreferredAuthentications

     ```java
     Session jschSession = jsch.getSession(username, remoteHost, port);
     jschSession.setConfig("PreferredAuthentications", "publickey");
     ```

  4. add identity

     ```java
     jsch.addIdentity(pathPrivateKey, passphrase);
     ```

  5. add configuration to set algo rsa

     ```java
     Properties config = new Properties();
     config.put("PubkeyAcceptedKeyTypes", "ssh-rsa");
     config.put("HostKeyAlgorithms", "ssh-rsa");
     jschSession.setConfig(config);
     ```

  6. add session timeout and open channel

     ```java
     jschSession.connect(SESSION_TIMEOUT);
     ChannelSftp channel = (ChannelSftp) jschSession.openChannel("sftp");
     ```
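
An added example, not part of the thread and not jsch code: a small triage script for the debug log in the first post. It compares the algorithms that failed pre-authentication with the `server-sig-algs` list the server advertised, to separate the two causes named in the replies above (signature algorithm not accepted versus key not authorized). The function names are hypothetical, the sample is a constructed excerpt of that log, and reading `preauth failure` as the server refusing the offered key is an assumption based on the log lines shown.

```python
import re

# Constructed sample: authentication-phase lines copied from the log in the first post.
SAMPLE_LOG = '''\
SSH_MSG_EXT_INFO received
"server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>"
"Authentications that can continue: publickey,keyboard-interactive,password"
"PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"
rsa-sha2-512 preauth failure
rsa-sha2-256 preauth failure
'''

def _csv(s):
    return [a.strip() for a in s.split(",") if a.strip()]

def parse_auth_log(text):
    """Extract algorithm lists and per-algorithm failures from a JSch debug log."""
    info = {"server_sig_algs": [], "client_accepted": [], "failed": []}
    for raw in text.splitlines():
        line = raw.strip().strip('"')  # drop the quoting added by the log export
        if m := re.match(r"server-sig-algs=<(.*)>$", line):
            info["server_sig_algs"] = _csv(m.group(1))
        elif m := re.match(r"PubkeyAcceptedAlgorithms = (.*)$", line):
            info["client_accepted"] = _csv(m.group(1))
        elif m := re.match(r"(\S+) preauth failure$", line):
            info["failed"].append(m.group(1))
    return info

def diagnose(info):
    """Return (verdict, detail): algorithm mismatch or rejected key."""
    server, client, failed = info["server_sig_algs"], info["client_accepted"], info["failed"]
    if not failed:
        return "no-failure", "no 'preauth failure' lines found"
    if server and not [a for a in client if a in server]:
        return "no-common-algorithm", "client and server share no signature algorithm"
    unadvertised = [a for a in failed if server and a not in server]
    if unadvertised:
        return "algorithm-not-offered", "server did not advertise: " + ",".join(unadvertised)
    return "key-rejected", ("server advertises " + ",".join(failed) +
                            " yet refused the key; check authorized_keys for the login user")

if __name__ == "__main__":
    print(diagnose(parse_auth_log(SAMPLE_LOG)))
```

For the log in this issue the verdict is `key-rejected`: both RSA/SHA-2 algorithms that failed are in the server's advertised list, so the advertised algorithms do not explain the failure.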