Closed Sai-Srikar closed 1 week ago
Hi @Sai-Srikar,
If you would like us to try and help, then you will need to provide a full copy of JSch logs.
Thanks, Jeremy
hey @norrisjeremy, Sorry for the delay. Please find the logs below.
jschLog=Connecting to xxx.yyy.zz.aa port 22
jschLog=Connection established
jschLog=Remote version string: SSH-2.0-OpenSSH_7.4
jschLog=Local version string: SSH-2.0-JSCH_0.2.16
jschLog=CheckCiphers: chacha20-poly1305@openssh.com
jschLog=CheckKexes: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
jschLog=CheckSignatures: ssh-ed25519,ssh-ed448
jschLog=SSH_MSG_KEXINIT sent
jschLog=SSH_MSG_KEXINIT received
jschLog=server proposal: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
jschLog=server proposal: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
jschLog=server proposal: ciphers c2s: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
jschLog=server proposal: ciphers s2c: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
jschLog=server proposal: MACs c2s: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=server proposal: MACs s2c: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=server proposal: compression c2s: none,zlib@openssh.com
jschLog=server proposal: compression s2c: none,zlib@openssh.com
jschLog=server proposal: languages c2s:
jschLog=server proposal: languages s2c:
jschLog=client proposal: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
jschLog=client proposal: host key algorithms: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
jschLog=client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
jschLog=client proposal: MACs c2s: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=client proposal: MACs s2c: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=client proposal: compression c2s: none
jschLog=client proposal: compression s2c: none
jschLog=client proposal: languages c2s:
jschLog=client proposal: languages s2c:
jschLog=kex: algorithm: curve25519-sha256@libssh.org
jschLog=kex: host key algorithm: ssh-rsa
jschLog=kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
jschLog=kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
jschLog=SSH_MSG_KEX_ECDH_INIT sent
jschLog=expecting SSH_MSG_KEX_ECDH_REPLY
jschLog=ssh_rsa_verify: ssh-rsa signature true
jschLog=Permanently added 'xxx.yyy.zz.aa' (RSA) to the list of known hosts.
jschLog=SSH_MSG_NEWKEYS sent
jschLog=SSH_MSG_NEWKEYS received
jschLog=SSH_MSG_SERVICE_REQUEST sent
jschLog=SSH_MSG_EXT_INFO received
jschLog=server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
jschLog=OpenSSH 7.4 detected: adding rsa-sha2-256 & rsa-sha2-512 to server-sig-algs
jschLog=SSH_MSG_SERVICE_ACCEPT received
jschLog=Authentications that can continue: publickey
jschLog=Next authentication method: publickey
jschLog=Disconnecting from xxx.yyy.zz.aa port 22
ERROR:
Caused by: org.apache.commons.vfs2.FileSystemException: Could not connect to SFTP server at "host.name.here".
at org.apache.commons.vfs2.provider.sftp.SftpClientFactory.createConnection(SftpClientFactory.java:252)
at org.apache.commons.vfs2.provider.sftp.SftpFileProvider.doCreateFileSystem(SftpFileProvider.java:96)
... 37 more
Caused by: com.jcraft.jsch.JSchException: Auth fail for methods 'publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive'
at com.jcraft.jsch.Session.connect(Session.java:521)
at com.jcraft.jsch.Session.connect(Session.java:199)
at org.apache.commons.vfs2.provider.sftp.SftpClientFactory.createConnection(SftpClientFactory.java:248)
... 38 more
We were able to authenticate using password with version 0.1.55, but authentication fails with the upgrade to version 2.0.16.
Hi @emmymatt,
You will need to enable debug logging as that is required for getting the missing log messages from the UserAuthPublicKey class.
Thanks, Jeremy
Got it @norrisjeremy. Let me get back to you with them. Appreciate the quick response!
Hey @norrisjeremy just got the logs with DEBUG log level turned on
jschLog=Connecting to xxx.yyy.zz.aa port 22
jschLog=Connection established
jschLog=Remote version string: SSH-2.0-OpenSSH_7.4
jschLog=Local version string: SSH-2.0-JSCH_0.2.16
jschLog=CheckCiphers: chacha20-poly1305@openssh.com
jschLog=CheckKexes: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
jschLog=CheckSignatures: ssh-ed25519,ssh-ed448
jschLog=server_host_key proposal before known_host reordering is: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=server_host_key proposal after known_host reordering is: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=SSH_MSG_KEXINIT sent
jschLog=SSH_MSG_KEXINIT received
jschLog=server proposal: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
jschLog=server proposal: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
jschLog=server proposal: ciphers c2s: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
jschLog=server proposal: ciphers s2c: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
jschLog=server proposal: MACs c2s: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=server proposal: MACs s2c: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=server proposal: compression c2s: none,zlib@openssh.com
jschLog=server proposal: compression s2c: none,zlib@openssh.com
jschLog=server proposal: languages c2s:
jschLog=server proposal: languages s2c:
jschLog=client proposal: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c,kex-strict-c-v00@openssh.com
jschLog=client proposal: host key algorithms: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
jschLog=client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
jschLog=client proposal: MACs c2s: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=client proposal: MACs s2c: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=client proposal: compression c2s: none
jschLog=client proposal: compression s2c: none
jschLog=client proposal: languages c2s:
jschLog=client proposal: languages s2c:
jschLog=kex: algorithm: curve25519-sha256@libssh.org
jschLog=kex: host key algorithm: ssh-rsa
jschLog=kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
jschLog=kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
jschLog=SSH_MSG_KEX_ECDH_INIT sent
jschLog=expecting SSH_MSG_KEX_ECDH_REPLY
jschLog=ssh_rsa_verify: ssh-rsa signature true
jschLog=Permanently added 'xxx.yyy.zz.aa' (RSA) to the list of known hosts.
jschLog=SSH_MSG_NEWKEYS sent
jschLog=SSH_MSG_NEWKEYS received
jschLog=SSH_MSG_SERVICE_REQUEST sent
jschLog=SSH_MSG_EXT_INFO received
jschLog=server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
jschLog=OpenSSH 7.4 detected: adding rsa-sha2-256 & rsa-sha2-512 to server-sig-algs
jschLog=SSH_MSG_SERVICE_ACCEPT received
jschLog=Authentications that can continue: publickey
jschLog=Next authentication method: publickey
jschLog=Disconnecting from xxx.yyy.zz.aa port 22
Unfortunately I could not find any logs from the UserAuthPublicKey class. Could you see if this is enough information for you to proceed on this?
Diff:
jschLog=server_host_key proposal before known_host reordering is: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=server_host_key proposal after known_host reordering is: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
Hey @norrisjeremy @mwiede following up on this. After setting enable_auth_none in Jsch config (like mentioned in #293), the client is attempting password authentication now, but the authentication still fails.
Debug logs now:
jschLog=Connection established
jschLog=Remote version string: SSH-2.0-OpenSSH_7.4
jschLog=Local version string: SSH-2.0-JSCH_0.2.16
jschLog=CheckCiphers: chacha20-poly1305@openssh.com
jschLog=CheckKexes: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
jschLog=CheckSignatures: ssh-ed25519,ssh-ed448
jschLog=server_host_key proposal before known_host reordering is: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=server_host_key proposal after known_host reordering is: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=SSH_MSG_KEXINIT sent
jschLog=SSH_MSG_KEXINIT received
jschLog=server proposal: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
jschLog=server proposal: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
jschLog=server proposal: ciphers c2s: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
jschLog=server proposal: ciphers s2c: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
jschLog=server proposal: MACs c2s: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=server proposal: MACs s2c: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=server proposal: compression c2s: none,zlib@openssh.com
jschLog=server proposal: compression s2c: none,zlib@openssh.com
jschLog=server proposal: languages c2s:
jschLog=server proposal: languages s2c:
jschLog=client proposal: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
jschLog=client proposal: host key algorithms: ssh-rsa,ssh-dss,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
jschLog=client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
jschLog=client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
jschLog=client proposal: MACs c2s: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=client proposal: MACs s2c: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
jschLog=client proposal: compression c2s: none
jschLog=client proposal: compression s2c: none
jschLog=client proposal: languages c2s:
jschLog=client proposal: languages s2c:
jschLog=kex: algorithm: curve25519-sha256@libssh.org
jschLog=kex: host key algorithm: ssh-rsa
jschLog=kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
jschLog=kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
jschLog=SSH_MSG_KEX_ECDH_INIT sent
jschLog=expecting SSH_MSG_KEX_ECDH_REPLY
jschLog=ssh_rsa_verify: ssh-rsa signature true
jschLog=Permanently added 'xxx.yyy.zz.aa' (RSA) to the list of known hosts.
jschLog=SSH_MSG_NEWKEYS sent
jschLog=SSH_MSG_NEWKEYS received
jschLog=SSH_MSG_SERVICE_REQUEST sent
jschLog=SSH_MSG_EXT_INFO received
jschLog=server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
jschLog=OpenSSH 7.4 detected: adding rsa-sha2-256 & rsa-sha2-512 to server-sig-algs
jschLog=SSH_MSG_SERVICE_ACCEPT received
jschLog=Authentications that can continue: password,publickey
jschLog=Next authentication method: password
jschLog=Authentications that can continue: publickey
jschLog=Next authentication method: publickey
jschLog=Disconnecting from xxx.yyy.zz.aa port 22
Any insight would be appreciated! thank you! cc: @Sai-Srikar
Hi @emmymatt,
Your server doesn't appear to allow password based authentication, it only allows publickey based authentication.
Thanks, Jeremy
Hello @norrisjeremy sorry, had to make an update to the logs. We are able to do password auth with the same credentials using Jsch@0.1.55 as Srikar has mentioned, but we are facing the issue with the upgraded version (2.0.16)
Hi @emmymatt,
If you know that you want to only perform password authentication, then I'd suggest simply instructing JSch to not bother attempting publickey auth. See https://github.com/mwiede/jsch/issues/608#issuecomment-2261755993.
Thanks, Jeremy
@norrisjeremy Unfortunately we can not disable public key authentication. We need to support both. Is there anything else I can get you which would help us proceed on this?
Also, could you confirm that when we attempt authentication with password credential and it happens to enter UserAuthPublicKey class, would it return from this line in all cases?
Hi @emmymatt,
The problem is that you have RSA keys (identities) added to your JSch session that aren't authorized on the server. So it is attempting to perform three failed RSA authentications (one each for ssh-rsa, rsa-sha2-256, rsa-sha2-512). And the server also has a max failed authentication limit, so it will disconnect your session after it fails three publickey authentications. So you either need to not add RSA keys (identities) to your JSch session when connecting to this server, or not attempt publickey authentication as I noted previously.
Thanks, Jeremy
Noted @norrisjeremy,
So it is attempting to perform three failed RSA authentications (one each for ssh-rsa, rsa-sha2-256, rsa-sha2-512
Could you give me more insight on how you concluded this from the debug logs?
Apologies in advance if this is a silly question. Shouldn't we have seen this log during these three public key attempts? Also, from the latest logs my understanding is that the client does attempt password authentication first but fails and then moves on to public key authentication. Why might this be happening?
Hi @emmymatt,
No, it never attempted password authentication. It attempted publickey only which failed and the server then disconnected you:
jschLog=server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
jschLog=OpenSSH 7.4 detected: adding rsa-sha2-256 & rsa-sha2-512 to server-sig-algs
jschLog=SSH_MSG_SERVICE_ACCEPT received
jschLog=Authentications that can continue: publickey
jschLog=Next authentication method: publickey
jschLog=Disconnecting from xxx.yyy.zz.aa port 22
Thanks, Jeremy
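The auth-phase lines that the replies in this thread read off the debug logs can be extracted mechanically. This is an added example, not part of the thread or of JSch: a small Python reader run over auth-phase lines copied from two of the logs posted above. The function names are hypothetical, and the `Authentication succeeded (...)` wording it looks for is an assumption about JSch's success message.

```python
import re

# Auth-phase lines copied from two debug logs posted in this thread
# (host already redacted by the poster).
LOG_FIRST = """\
jschLog=server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
jschLog=SSH_MSG_SERVICE_ACCEPT received
jschLog=Authentications that can continue: publickey
jschLog=Next authentication method: publickey
jschLog=Disconnecting from xxx.yyy.zz.aa port 22
"""
LOG_LATER = """\
jschLog=server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
jschLog=SSH_MSG_SERVICE_ACCEPT received
jschLog=Authentications that can continue: password,publickey
jschLog=Next authentication method: password
jschLog=Authentications that can continue: publickey
jschLog=Next authentication method: publickey
jschLog=Disconnecting from xxx.yyy.zz.aa port 22
"""

PREFIX = re.compile(r"^\s*(?:jschLog=)?")   # logger prefix used in this thread
CONTINUE = "Authentications that can continue:"
NEXT = "Next authentication method:"
SIG_ALGS = "server-sig-algs=<"
SUCCESS = re.compile(r"^Authentication succeeded \((.+)\)\.?$")  # assumed wording


def summarize_auth(log_text):
    """Collect what the log itself reports about the user-auth phase."""
    summary = {"steps": [], "sig_algs": [], "succeeded": None, "disconnected": False}
    pending = []  # methods from the most recent "can continue" line
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        ok = SUCCESS.match(line)
        if line.startswith(SIG_ALGS) and line.endswith(">"):
            summary["sig_algs"] = [a for a in line[len(SIG_ALGS):-1].split(",") if a]
        elif line.startswith(CONTINUE):
            pending = [m.strip() for m in line[len(CONTINUE):].split(",") if m.strip()]
        elif line.startswith(NEXT):
            summary["steps"].append((line[len(NEXT):].strip(), pending))
            pending = []
        elif ok:
            summary["succeeded"] = ok.group(1)
        elif line.startswith("Disconnecting from"):
            summary["disconnected"] = True
    return summary


def attempted(summary):
    """Methods the log names as 'Next authentication method', in order."""
    return [method for method, _ in summary["steps"]]


def ended_on(summary):
    """Method in progress when the log ends without a success line, else None."""
    if summary["succeeded"] or not summary["steps"]:
        return None
    return summary["steps"][-1][0]


if __name__ == "__main__":
    for name, text in (("first", LOG_FIRST), ("later", LOG_LATER)):
        s = summarize_auth(text)
        print(name, attempted(s), "ended on:", ended_on(s), "sig algs:", s["sig_algs"])
```
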
Hey @norrisjeremy could you please look at logs in this message as well? We set enable_auth_none to no here so the client attempts password. But it fails anyway.
Thanks in advance!
Hi @emmymatt,
The enable_auth_none setting has nothing to do with whether or not the client attempts password authentication, and I'd suggest leaving it enabled.
I'm also done engaging with you on this, as I've told you repeatedly how to remedy this problem and you seem uninterested in following the advice given.
Thanks, Jeremy
Thanks for the help @norrisjeremy. Will go through the messages again with my teammates tomorrow to see what I missed here.
Hi,
We are in the process of upgrading our jsch version from 0.1.55 to 0.2.16.
Here we have seen one issue where password authentication is working fine on the lower version but failing on the updated version.
On the updated version I am getting the following JSCH log.
It's never trying password authentication even though I have set it explicitly like below:
session.setConfig("PreferredAuthentications", "password,publickey");
Can you please help me with this?