I am trying to copy some files from a Windows machine to a Linux machine, which is working fine with JSch so far. I can copy files using StrictHostKeyChecking no or I need to have the known_host file from the Linux machine I copy to. I am using the code for a Java project which should be able to send files automatically to (unknown) Linux machines. I got the username, password, IP and the public key for the machine. Is there any way to authenticate without the known_host file and via the public key? Because of security issues I do not want to switch StrictHostKeyChecking to no, but then I get "com.jcraft.jsch.JSchException: UnknownHostKey"

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

JSch jsch = new JSch();

//jsch.setKnownHosts("");
// Private key of the *user* account (client-side authentication), not the server's host key.
jsch.addIdentity("D:\\Uni\\Arbeit\\remote_id_rsa");
Session session = jsch.getSession(user, host, 22);
session.setPassword(password);
//session.setConfig("StrictHostKeyChecking", "no");
// With strict checking on and no entry for this host, this throws JSchException: UnknownHostKey
session.connect();
    You don't want to disable host key checking, but you want to connect to a host where you don't have its host key. What role would host key checking serve here? What should jsch do here as a result of the host key check? – Kenster Apr 01 '15 at 15:13
  • The question was if there is a possibility to connect to a machine by not using jsch.setKnownHosts(""); and not turning StrictHostKeyChecking to no. Because I think it's better to demand the public/private key than the KnownHostFile in the Java program. I'm really new to JSch and the key authentication, maybe it was hard to get what I really want to do. So one more time, I got username, password and the private/public keypair, is it possible to authenticate with these credentials, so that I don't need to copy the KnownHost file? – Brave Apr 05 '15 at 12:10

1 Answer

That does not make sense. Either you know the host public key and you can verify it either using the known_host file or programmatically using:

public void KnownHosts.add(HostKey hostkey, UserInfo userinfo)

(You can access the instance of KnownHosts using Session.getHostKeyRepository())

For more details, see How to resolve Java UnknownHostKey, while using JSch SFTP library?


Or you do not know the host public key, and then you cannot create a secure connection (and the StrictHostKeyChecking=no is your only option).


See my article about verifying the host key to understand what it is about, and its importance. The article is about the WinSCP client, but it's valid in general for any SSH client.

  • Thanks for your answer. I know the private/public keypair, so that I should be able to create a secure connection. But I do not want to use the KnownHost file. If I got you right I need to do it programmatically then. But I don't get how that is supposed to work. First I get the HostKeyRepository by Session.getHostKeyRepository() and then I add the hostkey by public void KnownHosts.add(HostKey hostkey, UserInfo userinfo). How does the session know there is a new key in the repository then? – Brave Apr 05 '15 at 12:19
  • The [`HostKey` instance holds "host"](http://epaul.github.io/jsch-documentation/javadoc/com/jcraft/jsch/HostKey.html) it's to be used with. If that's what you ask for. – Martin Prikryl Apr 08 '15 at 07:29
  • Thanks again, highly appreciate your support. I use an RSA public keypair which should be ok for JSch I think, but when I'm running the following I get an invalid keytype exception `HostKeyRepository repo = jsch.getHostKeyRepository(); File file = new File("D:\\Uni\\Arbeit\\remote_id_rsa"); byte[] HK = Files.readAllBytes(file.toPath()); Session session=jsch.getSession(user, host, 22); session.setPassword(password); HostKey hk = new HostKey("te2342st", HK); repo.add(hk, null); session.connect();` – Brave Apr 08 '15 at 15:38
  • What is `remote_id_rsa`? I'm afraid you are confused or do not understand what different keys are for. A "public keypair" is a nonsense. A keypair contains both public and private key, that's why it is a "pair". Host key repository should include only the public key. While `id_rsa` is a common name given to a private key. Moreover you should not have a server's private key locally, that's a terrible security hole. I would actually say that you have your account private key in the file, not the server's key. Read *my* article [Understanding SSH Key Pairs](http://winscp.net/eng/docs/ssh_keys). – Martin Prikryl Apr 09 '15 at 06:30
  • I actually tried both the User public key and User private key. Indeed I did not know there is another key pair for the host, so that I was stuck there. I read your articles about that and gathered some more information via Google. I am already a bit ashamed to ask you another question. In your article "Where do I get SSH host key fingerprint to authorize the server?" you say that I need the fingerprint, which should be something like this _6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23_. So if I got you right that's the host public key? Using the fingerprint I still get the invalid key type exception... – Brave Apr 10 '15 at 12:28
  • The `xx:xx:xx:...` is a host key fingerprint (human readable digest of the key). The JSch `HostKey` needs a full public key. On most Linux servers that use OpenSSH, you will find that in `/root/.ssh/*.pub`. Or use a not-so-secure way to obtain it, as suggested by @Damienknight in his answer. – Martin Prikryl Apr 10 '15 at 12:43
  • Nice, I think I found the host public key, it should be this one _ssh_host_rsa_key.pub_. There are some other types of the key like dsa or ecdsa but no matter which one I choose I still get the `invalid key type` exception. Is there something wrong with the code? Because the hostkey should be right now... – Brave Apr 13 '15 at 11:12
  • Your follow-up question: [Creating JSch HostKey instance from a public key in .pub format](http://stackoverflow.com/questions/29604333/creating-jsch-hostkey-instance-from-a-public-key-in-pub-format) – Martin Prikryl Apr 13 '15 at 13:12
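As an added example (not code from the question or from Martin Prikryl's answer), this is the programmatic route the answer describes: the server's public host key is registered in the JSch HostKeyRepository and the session connects with StrictHostKeyChecking left on, so no known_hosts file is needed. It assumes the server's ssh_host_rsa_key.pub was copied out of band over a trusted channel; the class name, the helper name decodeOpenSshPublicKey and the command-line argument layout are mine. The JSch calls used (JSch.getHostKeyRepository, HostKeyRepository.add/check, the HostKey(String, byte[]) constructor, Session.setConfig) are real JSch API.

```java
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.HostKeyRepository;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

/**
 * Connects with StrictHostKeyChecking=yes while supplying the server's host
 * public key programmatically instead of from a known_hosts file.
 *
 * Usage (argument layout is this example's own):
 *   java PinnedHostKeyExample <host> <user> <password> <path-to-ssh_host_rsa_key.pub>
 */
public class PinnedHostKeyExample {

    /**
     * Decodes one line in OpenSSH public key format, e.g.
     * "ssh-rsa AAAAB3NzaC1yc2E... root@server" (the content of ssh_host_rsa_key.pub),
     * into the raw key blob. JSch's HostKey(String, byte[]) expects this DECODED
     * blob; handing it the raw .pub text is what produces "invalid key type".
     */
    static byte[] decodeOpenSshPublicKey(String pubLine) {
        String[] parts = pubLine.trim().split("\\s+");
        if (parts.length < 2) {
            throw new IllegalArgumentException("expected '<key-type> <base64-blob> [comment]'");
        }
        return Base64.getDecoder().decode(parts[1]);
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        String user = args[1];
        String password = args[2];
        String pubLine = new String(Files.readAllBytes(Paths.get(args[3])), StandardCharsets.US_ASCII);

        JSch jsch = new JSch();

        // Register the expected host key in the repository that Session.connect()
        // consults. The HostKey constructor reads the key type (ssh-rsa, ssh-dss, ...)
        // from the blob itself.
        HostKeyRepository repo = jsch.getHostKeyRepository();
        byte[] blob = decodeOpenSshPublicKey(pubLine);
        repo.add(new HostKey(host, blob), null);

        // Sanity check: the repository must now report this exact key as OK for this host.
        if (repo.check(host, blob) != HostKeyRepository.OK) {
            throw new IllegalStateException("host key was not registered for " + host);
        }

        Session session = jsch.getSession(user, host, 22);
        session.setPassword(password);
        // Keep strict checking ON: connect() succeeds only if the server presents
        // the key registered above; any other key is rejected with a JSchException.
        session.setConfig("StrictHostKeyChecking", "yes");
        try {
            session.connect(10_000); // connect timeout in milliseconds
            System.out.println("Connected; server host key verified against the pinned key.");
            // ... open an SFTP channel and transfer files here ...
        } finally {
            session.disconnect();
        }
    }
}
```

This answers the "how does the session know there is a new key" question from the comments: the session does not read the repository once, it asks the JSch instance's HostKeyRepository during connect(), so anything added before connect() is seen. Two caveats: the host string passed to HostKey must match what the session will look up (for a port other than 22 JSch looks up "[host]:port"), and older JSch releases only recognize ssh-rsa and ssh-dss blobs in this constructor, which is another reason to use ssh_host_rsa_key.pub as the comments suggest.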