mwiede / jsch

fork of the popular jsch library

Permission denied (publickey). #650

Closed manuelvelez closed 2 months ago

manuelvelez commented 2 months ago

When trying to execute a command on a remote shell using jsch I'm getting a permission denied.

- JSch version: 0.2.19
- Java version: openjdk-17.0.2
- Remote host OS: Ubuntu 22.04.3 LTS
- OpenSSH version: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022

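    import com.jcraft.jsch.ChannelShell;
    import com.jcraft.jsch.JSch;
    import com.jcraft.jsch.Session;
    import java.io.ByteArrayOutputStream;
    import java.io.PrintStream;
    import static java.nio.charset.StandardCharsets.UTF_8;

    // key, user and host are defined elsewhere in the application
    JSch jsch = new JSch();
    jsch.addIdentity(key);
    Session session = jsch.getSession(user, host);
    // Host key verification is turned off for this session
    session.setConfig("StrictHostKeyChecking", "no");
    session.connect();
    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ChannelShell channel = (ChannelShell) session.openChannel("shell");
    channel.setOutputStream(outputStream);
    // Request agent forwarding for the shell channel
    channel.setAgentForwarding(true);
    // Stream used to type commands into the remote shell
    PrintStream ps = new PrintStream(channel.getOutputStream(), true, UTF_8);
    channel.connect();
    // Start a second ssh client on the remote host, towards "analytics"
    ps.println("ssh analytics -vvvvvv ls -lart");
    ps.flush();
    outputStream.close();
    System.out.println("output= " + outputStream.toString(UTF_8));
    System.out.println("result= " + channel.getExitStatus());
    channel.disconnect();
    session.disconnect();

Relevant debug output: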

    debug2: resolving "analytics" port 22
    debug3: resolve_host: lookup analytics:22
    debug3: ssh_connect_direct: entering
    debug1: Connecting to analytics [10.215.57.74] port 22.
    debug3: set_sock_tos: set socket 3 IP_TOS 0x10
    debug1: Connection established.
    ....
    debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1
    debug1: compat_banner: match: OpenSSH_8.9p1 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to analytics:22 as 'suite-test'
    debug3: record_hostkey: found key type ED25519 in file /home/suite-test/.ssh/known_hosts:28
    debug3: load_hostkeys_file: loaded 1 keys from analytics
    ....
    debug2: get_agent_identities: ssh_agent_bind_hostkey: agent refused operation
    debug1: get_agent_identities: ssh_fetch_identitylist: agent refused operation
    debug1: Will attempt key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.faw7HnjYSW RSA SHA256:PVOhltgOKIAgSo3pm/DLzOop8NumC0eVe+DsIMazoC0 explicit
    debug1: Will attempt key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.LyqiCKThqJ RSA SHA256:JPbgmou7IK2dupL3T34WPkhdfCHWwAtIfEoWOwWoSdU explicit
    debug1: Will attempt key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.3mBF5w07kK RSA SHA256:k6NfoLJX9o8comcKc528eAUp+GBKsXaqmtKzWvyd/F0 explicit
    debug1: Will attempt key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.iELIJN7Pf0 RSA SHA256:X/QAUGXvF++Z3c/RISMzQErrt2/bZZj3wGRotAEKn0E explicit
    debug1: Will attempt key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.73fByLJfvu RSA SHA256:uLsRkClk5Sxrz1DsJaam+0FO6XgIxekoZGyDZxFSOy4 explicit
    debug1: Will attempt key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.2JKwgEPyj2 RSA SHA256:MzrBqJtwnmF5fSJKbolfPYaCz2J4+cXG412tfB6W4Uw explicit
    .....
    debug1: Next authentication method: publickey
    debug1: Offering public key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.faw7HnjYSW RSA SHA256:PVOhltgOKIAgSo3pm/DLzOop8NumC0eVe+DsIMazoC0 explicit
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 60
    debug1: Server accepts key: /tmp/ssh.tmp.58atRsnaZD/ssh.tmp.faw7HnjYSW RSA SHA256:PVOhltgOKIAgSo3pm/DLzOop8NumC0eVe+DsIMazoC0 explicit
    debug3: sign_and_send_pubkey: using publickey-hostbound-v00@openssh.com with RSA SHA256:PVOhltgOKIAgSo3pm/DLzOop8NumC0eVe+DsIMazoC0
    debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:PVOhltgOKIAgSo3pm/DLzOop8NumC0eVe+DsIMazoC0
    Load key "/tmp/ssh.tmp.58atRsnaZD/ssh.tmp.faw7HnjYSW": error in libcrypto
    ....
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    suite-test@analytics: Permission denied (publickey).
    [DEBUG] [suite-test] Cleanup

If I try to manually log in to the remote host via ssh (using the same id_rsa key) and execute the command, everything works properly.

What am I missing? Is there some missing or flaky config on my side? For the OpenSSH version that I'm using, do I need to add further code?

Thanks in advance for your help.

norrisjeremy commented 2 months ago

Hi @manuelvelez,

If you would like our assistance, then please enable debug level logging for JSch and provide a full copy of those logs, as well as any exception messages & stack traces from JSch that your application is generating. Otherwise, we are unable to assist you.

Thanks, Jeremy

manuelvelez commented 2 months ago

Morning, @norrisjeremy

Here we have the logs:

    INFO: Connecting to redacted_ip port 22
    INFO: Connection established
    INFO: Remote version string: SSH-2.0-OpenSSH_8.9p1
    INFO: Local version string: SSH-2.0-JSCH_0.2.19
    INFO: CheckCiphers: chacha20-poly1305@openssh.com
    INFO: CheckKexes: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
    INFO: sntrup761x25519-sha512@openssh.com is not available.
    DEBUG: kex proposal before removing unavailable algos is: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    DEBUG: kex proposal after removing unavailable algos is: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    INFO: CheckSignatures: ssh-ed25519,ssh-ed448
    DEBUG: server_host_key proposal before known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    DEBUG: server_host_key proposal after known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    INFO: SSH_MSG_KEXINIT sent
    INFO: SSH_MSG_KEXINIT received
    INFO: Doing strict KEX
    INFO: server proposal: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,kex-strict-s-v00@openssh.com
    INFO: server proposal: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    INFO: server proposal: ciphers c2s: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    INFO: server proposal: ciphers s2c: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    INFO: server proposal: MACs c2s: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    INFO: server proposal: MACs s2c: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    INFO: server proposal: compression c2s: none,zlib@openssh.com
    INFO: server proposal: compression s2c: none,zlib@openssh.com
    INFO: server proposal: languages c2s:
    INFO: server proposal: languages s2c:
    INFO: client proposal: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
    INFO: client proposal: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    INFO: client proposal: ciphers c2s: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    INFO: client proposal: ciphers s2c: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    INFO: client proposal: MACs c2s: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    INFO: client proposal: MACs s2c: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    INFO: client proposal: compression c2s: none
    INFO: client proposal: compression s2c: none
    INFO: client proposal: languages c2s:
    INFO: client proposal: languages s2c:
    INFO: kex: algorithm: curve25519-sha256@libssh.org
    INFO: kex: host key algorithm: ssh-ed25519
    INFO: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
    INFO: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
    INFO: SSH_MSG_KEX_ECDH_INIT sent
    INFO: expecting SSH_MSG_KEX_ECDH_REPLY
    INFO: ssh_eddsa_verify: ssh-ed25519 signature true
    WARN: Permanently added 'redacted_ip' (EDDSA) to the list of known hosts.
    INFO: Reset outgoing sequence number after sending SSH_MSG_NEWKEYS for strict KEX
    INFO: SSH_MSG_NEWKEYS sent
    INFO: SSH_MSG_NEWKEYS received
    INFO: Reset incoming sequence number after receiving SSH_MSG_NEWKEYS for strict KEX
    INFO: SSH_MSG_SERVICE_REQUEST sent
    INFO: SSH_MSG_EXT_INFO received
    INFO: server-sig-algs=ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com
    INFO: SSH_MSG_SERVICE_ACCEPT received
    INFO: Authentications that can continue: publickey,keyboard-interactive,password
    INFO: Next authentication method: publickey
    DEBUG: PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
    DEBUG: PubkeyAcceptedAlgorithms in server-sig-algs = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]
    DEBUG: rsa-sha2-512 preauth success
    DEBUG: rsa-sha2-512 auth success
    INFO: Authentication succeeded (publickey).
    INFO: Disconnecting from redacted_ip port 22
    INFO: Caught an exception, leaving main loop due to Socket closed

It says "Caught an exception" but I don't get to have further information.

Some pieces of the actual output of my code are:

    ssh analytics ls -lart
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.070Gx6n2FQ": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.HLApgghU01": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.JKJY206MyG": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.gQvNM0DPOb": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.zK5XfqBv6j": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.kt2HESoJMZ": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.4giVbjmtHM": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.md9Tk3DQYY": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.LXQNEX0ATm": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.fU0S3du0T4": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.hmgOcZRTRw": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.nKiyASsMcL": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.jCr2v0iHQq": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.Rhux0VT4XG": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.TOzH9XkwYv": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.oAuXWxB3DO": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.ugNXIhhfBH": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.5AEA28MsPW": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.xZwCb74G6m": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.nXgcDcrhDh": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.zXtimwCBLj": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.WAimqqH5jB": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.FJcM1g9iDp": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.w9iivbdign": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.yPvSxRUjYQ": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.izA9Gdp4lx": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.FCLO1lJNv9": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.RhHJg7AJbr": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.i7VMdxVH4f": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.YHgW1aAavF": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.ObbAaL1qsQ": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.amInByuL6J": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.2atSeLt8KA": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.STfeAzfhhT": error in libcrypto
    Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.pHZ1bjfIz2": error in libcrypto
    suite-test@analytics: Permission denied (publickey).

norrisjeremy commented 2 months ago

Hi @manuelvelez,

I'm not seeing any errors or issues from the logs you provided: JSch is able to login successfully:

INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
DEBUG: PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
DEBUG: PubkeyAcceptedAlgorithms in server-sig-algs = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]
DEBUG: rsa-sha2-512 preauth success
DEBUG: rsa-sha2-512 auth success
...

Additionally, I do not see any permission denied errors in any of the JSch logs, so I can only conclude that this is some sort of OS permission issue you would need to take up with the operator of this server and nothing to do with JSch.

Thanks, Jeremy

norrisjeremy commented 2 months ago

Hi @manuelvelez,

This output you claim comes from your application:

ssh analytics ls -lart
Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.070Gx6n2FQ": error in libcrypto
...
Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.pHZ1bjfIz2": error in libcrypto
suite-test@analytics: Permission denied (publickey).

That is not any sort of error from JSch, that appears to be an error generated by the ssh CLI command. I'm not really sure why you are opening an issue here about this, since this has nothing to do with JSch.

Thanks, Jeremy
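
The attribution made in the comment above (JSch authenticated, and the denial was printed by the `ssh` CLI started inside the shell channel) can be done mechanically when both outputs end up in one log. This is an added example, not code from the issue or from JSch; the line patterns are taken from the logs in this thread, and the JSch prefixes are an assumption that depends on the logger the application installs.

```python
import re

# Line shapes taken from the two logs in this thread. The JSch prefixes are an
# assumption: they depend on the com.jcraft.jsch.Logger the application installs.
JSCH = re.compile(r"^(?:INFO|DEBUG|WARN|ERROR|FATAL): (.*)$")
SSH_DEBUG = re.compile(r"^debug[123]: (.*)$")
LOAD_KEY = re.compile(r'^Load key "([^"]+)": (.+)$')
DENIED = re.compile(r"^(\S+)@(\S+): Permission denied \(([^)]*)\)\.$")

# Constructed sample: lines copied from the logs in this thread, interleaved the
# way they would arrive if both outputs were written to one file.
SAMPLE = """\
INFO: Next authentication method: publickey
DEBUG: rsa-sha2-512 preauth success
DEBUG: rsa-sha2-512 auth success
INFO: Authentication succeeded (publickey).
debug1: get_agent_identities: ssh_fetch_identitylist: agent refused operation
Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.070Gx6n2FQ": error in libcrypto
Load key "/tmp/ssh.tmp.rQjXrGNolX/ssh.tmp.pHZ1bjfIz2": error in libcrypto
suite-test@analytics: Permission denied (publickey).
INFO: Disconnecting from redacted_ip port 22
"""

def triage(transcript):
    """Attribute each line to the hop that produced it and report per-hop auth state."""
    jsch = {"auth": "unknown", "lines": 0}
    nested = {"auth": "unknown", "lines": 0, "target": None,
              "agent_refused": False, "unloadable_keys": []}
    unattributed = []
    for line in filter(None, map(str.strip, transcript.splitlines())):
        if (m := JSCH.match(line)):
            jsch["lines"] += 1
            if m.group(1).startswith("Authentication succeeded"):
                jsch["auth"] = "succeeded"
        elif (m := SSH_DEBUG.match(line)):
            nested["lines"] += 1
            if "agent refused operation" in m.group(1):
                nested["agent_refused"] = True
        elif (m := LOAD_KEY.match(line)):
            nested["lines"] += 1
            nested["unloadable_keys"].append(m.group(1))
        elif (m := DENIED.match(line)):
            nested["lines"] += 1
            nested["auth"], nested["target"] = "denied", m.group(2)
        else:
            unattributed.append(line)  # keep for manual review instead of guessing
    return {"jsch": jsch, "nested_ssh": nested, "unattributed": unattributed}
```

On the sample, the first hop reports `succeeded` and the nested `ssh` to `analytics` reports `denied` with two unloadable key files and a refused agent, which matches the reading given in the thread.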

manuelvelez commented 2 months ago

Thank you for the quick response, @norrisjeremy

I'm closing the issue.

Have a nice day.