Open Praj777-am opened 3 days ago
Hi @Praj777-am,
It seems that you may be interacting with very old SSH servers that do not support RSA/SHA2 signature algorithms and reject authentication due to the initial attempts with rsa-sha2-512 & rsa-sha2-256 (they likely have a max limit on authentication attempts per session).
You likely will want to remove the rsa-sha2-512 & rsa-sha2-256 algorithms from the PubkeyAcceptedAlgorithms setting in order to interact with these servers.
Thanks, Jeremy
Yes, they seem to be quite old, but if I do remove them from PubkeyAcceptedAlgorithms, won't it cause an issue with the latest servers which do support rsa-sha2-512 & rsa-sha2-256? Can't we have both supported at the same time, either through server config or an explicit setting?
Hi @Praj777-am,
The sequence of events that is happening is:
1. JSch tries rsa-sha2-512: server rejects it.
2. JSch then tries rsa-sha2-256: server rejects it.
3. Server now rejects any further attempts because of the two previous failures.
There is nothing else JSch can do here: if you want to interact with this particular server, it appears you will need to drop the rsa-sha2-512 & rsa-sha2-256 algorithms.
Thanks, Jeremy
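A per-session way to apply the advice above, so that only servers known to reject RSA/SHA2 lose rsa-sha2-512 and rsa-sha2-256 while every other session keeps the configured list. This is an added example, not code from the thread's participants or from the JSch project; the class name, the `LEGACY_HOSTS` set and its host name are hypothetical, and it assumes the older algorithm the legacy server needs is already present in the configured PubkeyAcceptedAlgorithms list.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

public class LegacyHostSession {
    // Hypothetical list of servers known to reject RSA/SHA2 signatures (constructed value).
    private static final Set<String> LEGACY_HOSTS = Set.of("legacy-sftp.example.com");
    private static final Set<String> RSA_SHA2 = Set.of("rsa-sha2-512", "rsa-sha2-256");

    // Remove rsa-sha2-* from a comma-separated algorithm list, keeping the order of the rest.
    static String withoutRsaSha2(String algorithms) {
        return Arrays.stream(algorithms.split(","))
                .map(String::trim)
                .filter(a -> !a.isEmpty() && !RSA_SHA2.contains(a))
                .collect(Collectors.joining(","));
    }

    // Create a session; only sessions to listed legacy hosts get the reduced list.
    static Session open(JSch jsch, String user, String host, int port) throws JSchException {
        Session session = jsch.getSession(user, host, port);
        if (LEGACY_HOSTS.contains(host)) {
            // Session.getConfig falls back to the global JSch config when no
            // session-level value has been set yet.
            String current = session.getConfig("PubkeyAcceptedAlgorithms");
            String reduced = withoutRsaSha2(current == null ? "" : current);
            if (reduced.isEmpty()) {
                // Fail early instead of sending the server an empty list.
                throw new JSchException(
                        "No public key algorithm left for " + host + " after removing rsa-sha2-*");
            }
            // Session-level override: other sessions keep the full list.
            session.setConfig("PubkeyAcceptedAlgorithms", reduced);
        }
        return session;
    }
}
```

Keeping the override tied to an explicit host list means the weaker signature algorithm is only offered to servers that cannot do better, and each entry can be removed once that server is upgraded.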
Also for the second instance logs - where I saw
Caused by: com.jcraft.jsch.JSchException: SSH_MSG_DISCONNECT: 11 Permission denied (password,publickey,keyboard-interactive)
at com.jcraft.jsch.Session.read(Session.java:1259) ~[JSch-0.x.jar:?]
How do we know this is due to rsa-sha2- issue alone? Can there be more to this, because we don't see rsa-sha2-256 auth failure?
Hi @norrisjeremy,
For the second one, the SSH_MSG_DISCONNECT: 11 Permission denied (password,publickey,keyboard-interactive) message appears to be produced by the server.
You would need to troubleshoot that on the server to determine why it is rejecting your session.
Thanks, Jeremy
Got it. Also, can we have a list of supported remote server versions that will work without issue with the latest version of jsch? I see Remote version string: SSH-2.0-SFTP 2.0 Server or Remote version string: SSH-2.0-9.99 sshlib: 7.0.0.2. If we can have any pointers or suggestions on what version of remote SFTP it works with, that would help us convey to our clients that they should upgrade their versions. Is this data available?
Thanks, Praj
Hi @Praj777-am,
We do not maintain such a list. You're welcome to develop one yourself.
Thanks, Jeremy
Hi, I have 2 instances of failures where Jsch [version 0.2.x latest changes] fails to connect, with the below debug logs indicating an issue with password authentication in both cases, but the logs don't give the exact issue -
where I am using session.setConfig to add older algorithms to enable backward compatibility - From the logs I don't see a clear indication of why the password auth fails. The above issue is not present with Jsch version 0.1.54. I have requested the server logs, but do we have more info on what might cause this?
I also have session.setConfig for preferredAuthenticationType as below - this code works with 0.1.54
Another instance had below logs -