I have an SFTPHelper class that creates a JSch session the following way:

    public SFTPHelper(final String user, final String host, final int port) throws JSchException
    {
        JSch.setLogger(new SftpLogger());

        try
        {
            session = jsch.getSession(user, host, port);
        }
        catch(JSchException e)
        {
            LOG.error("Cannot get session for {}@{}:{}", user,host,port);
            throw e;
        }

        Properties config = new Properties();
        config.put("StrictHostKeyChecking", "yes");
        session.setConfig(config);
    }

    public SFTPHelper(final String user, final String host, final int port, final File privateKey) throws JSchException
    {
        this(user, host, port);

        checkNotNull(privateKey, "Null privateKey");
        checkArgument(privateKey.exists(), "privateKey file does not exist");

        jsch.addIdentity(privateKey.getAbsolutePath());
    }

The second constructor adds a private key.

I have two different unit test classes which both at one point do this:

        final String host = "hostname";
        final int port = 22;
        final String user = "username";
        final File privKey = new File("/path/to/.ssh/privateKey");
        /* do something with SFTPHelper */

... but one of the tests fails to authenticate with the host. These are the two different logs:

Working:

     INFO [main] (SFTPHelper.java:298) - Connecting to <host> port 22
     INFO [main] (SFTPHelper.java:298) - Connection established
     INFO [main] (SFTPHelper.java:298) - Remote version string: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
     INFO [main] (SFTPHelper.java:298) - Local version string: SSH-2.0-JSCH-0.1.54
     INFO [main] (SFTPHelper.java:298) - CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
     INFO [main] (SFTPHelper.java:298) - aes256-ctr is not available.
     INFO [main] (SFTPHelper.java:298) - aes192-ctr is not available.
     INFO [main] (SFTPHelper.java:298) - aes256-cbc is not available.
     INFO [main] (SFTPHelper.java:298) - aes192-cbc is not available.
     INFO [main] (SFTPHelper.java:298) - CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
     INFO [main] (SFTPHelper.java:298) - CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_KEXINIT sent
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_KEXINIT received
     INFO [main] (SFTPHelper.java:298) - kex: server: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
     INFO [main] (SFTPHelper.java:298) - kex: server: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
     INFO [main] (SFTPHelper.java:298) - kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
     INFO [main] (SFTPHelper.java:298) - kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
     INFO [main] (SFTPHelper.java:298) - kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     INFO [main] (SFTPHelper.java:298) - kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     INFO [main] (SFTPHelper.java:298) - kex: server: none,zlib@openssh.com
     INFO [main] (SFTPHelper.java:298) - kex: server: none,zlib@openssh.com
     INFO [main] (SFTPHelper.java:298) - kex: server:
     INFO [main] (SFTPHelper.java:298) - kex: server:
     INFO [main] (SFTPHelper.java:298) - kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
     INFO [main] (SFTPHelper.java:298) - kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
     INFO [main] (SFTPHelper.java:298) - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
     INFO [main] (SFTPHelper.java:298) - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
     INFO [main] (SFTPHelper.java:298) - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
     INFO [main] (SFTPHelper.java:298) - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
     INFO [main] (SFTPHelper.java:298) - kex: client: none
     INFO [main] (SFTPHelper.java:298) - kex: client: none
     INFO [main] (SFTPHelper.java:298) - kex: client:
     INFO [main] (SFTPHelper.java:298) - kex: client:
     INFO [main] (SFTPHelper.java:298) - kex: server->client aes128-ctr hmac-sha1 none
     INFO [main] (SFTPHelper.java:298) - kex: client->server aes128-ctr hmac-sha1 none
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_KEX_ECDH_INIT sent
     INFO [main] (SFTPHelper.java:298) - expecting SSH_MSG_KEX_ECDH_REPLY
     INFO [main] (SFTPHelper.java:298) - ssh_rsa_verify: signature true
     WARN [main] (SFTPHelper.java:298) - Permanently added '<host>' (RSA) to the list of known hosts.
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_NEWKEYS sent
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_NEWKEYS received
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_SERVICE_REQUEST sent
     INFO [main] (SFTPHelper.java:298) - SSH_MSG_SERVICE_ACCEPT received
     INFO [main] (SFTPHelper.java:298) - Authentications that can continue: publickey,keyboard-interactive,password
     INFO [main] (SFTPHelper.java:298) - Next authentication method: publickey
     INFO [main] (SFTPHelper.java:298) - Authentication succeeded (publickey).

Instead of the warning saying that it adds to known_hosts, the second test fails to establish a connection:

     INFO [main] (SFTPHelper.java:444) - Connecting to <host> port 22
     INFO [main] (SFTPHelper.java:444) - Connection established
     INFO [main] (SFTPHelper.java:444) - Remote version string: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
     INFO [main] (SFTPHelper.java:444) - Local version string: SSH-2.0-JSCH-0.1.54
     INFO [main] (SFTPHelper.java:444) - CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
     INFO [main] (SFTPHelper.java:444) - aes256-ctr is not available.
     INFO [main] (SFTPHelper.java:444) - aes192-ctr is not available.
     INFO [main] (SFTPHelper.java:444) - aes256-cbc is not available.
     INFO [main] (SFTPHelper.java:444) - aes192-cbc is not available.
     INFO [main] (SFTPHelper.java:444) - CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
     INFO [main] (SFTPHelper.java:444) - CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
     INFO [main] (SFTPHelper.java:444) - SSH_MSG_KEXINIT sent
     INFO [main] (SFTPHelper.java:444) - SSH_MSG_KEXINIT received
     INFO [main] (SFTPHelper.java:444) - kex: server: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
     INFO [main] (SFTPHelper.java:444) - kex: server: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
     INFO [main] (SFTPHelper.java:444) - kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
     INFO [main] (SFTPHelper.java:444) - kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
     INFO [main] (SFTPHelper.java:444) - kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     INFO [main] (SFTPHelper.java:444) - kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
     INFO [main] (SFTPHelper.java:444) - kex: server: none,zlib@openssh.com
     INFO [main] (SFTPHelper.java:444) - kex: server: none,zlib@openssh.com
     INFO [main] (SFTPHelper.java:444) - kex: server:
     INFO [main] (SFTPHelper.java:444) - kex: server:
     INFO [main] (SFTPHelper.java:444) - kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
     INFO [main] (SFTPHelper.java:444) - kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
     INFO [main] (SFTPHelper.java:444) - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
     INFO [main] (SFTPHelper.java:444) - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc
     INFO [main] (SFTPHelper.java:444) - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
     INFO [main] (SFTPHelper.java:444) - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
     INFO [main] (SFTPHelper.java:444) - kex: client: none
     INFO [main] (SFTPHelper.java:444) - kex: client: none
     INFO [main] (SFTPHelper.java:444) - kex: client:
     INFO [main] (SFTPHelper.java:444) - kex: client:
     INFO [main] (SFTPHelper.java:444) - kex: server->client aes128-ctr hmac-sha1 none
     INFO [main] (SFTPHelper.java:444) - kex: client->server aes128-ctr hmac-sha1 none
     INFO [main] (SFTPHelper.java:444) - SSH_MSG_KEX_ECDH_INIT sent
     INFO [main] (SFTPHelper.java:444) - expecting SSH_MSG_KEX_ECDH_REPLY
     INFO [main] (SFTPHelper.java:444) - ssh_rsa_verify: signature true
     INFO [main] (SFTPHelper.java:444) - Disconnecting from <host> port 22
    ERROR [main] (SFTPHelper.java:109) - Cannot connect to <host>:22

Thanks very much for the help!

EDIT

I have identified that one test passes because it turned off "StrictHostKeyChecking", which is obviously a no-no. Why does it fail when I set this to true? :/

tenticon
  • *"have two different unit test classes"* - You forgot to tell us how the tests differ! - We need [mcve]. – Martin Prikryl Aug 15 '17 at 12:53
  • They are doing exactly the same! I just debugged the second test and `Session.connect()` fails at `checkHost(host, port, kex);` (line 345) – tenticon Aug 15 '17 at 12:56
  • Specifically when it evaluates `String hkh=getConfig("HashKnownHosts");` and `i=hkr.check(chost, K_S);`, the variable `i=1` means #NOT_INCLUDED, where chost is the host from above and `K_S=kex.getHostKey();` (`kex` is a `KeyExchange` instance) – tenticon Aug 15 '17 at 12:58
  • Let me see what I get for the other test at that point – tenticon Aug 15 '17 at 13:00
  • When debugging this, note that host key has nothing to do with private key that you use for authentication. See [Understanding SSH Key Pairs](https://winscp.net/eng/docs/ssh_keys). – Martin Prikryl Aug 15 '17 at 13:04
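
The `NOT_INCLUDED` result from the debugging comments above can be reproduced offline. This is an added example, not code from the question: it calls `HostKeyRepository.check` on a `JSch` instance with no known-hosts entries and on one loaded with a single entry. The host names and the key blob are constructed placeholders; the blob is only shaped like an `ssh-rsa` key.

```java
import com.jcraft.jsch.HostKeyRepository;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class KnownHostsCheckDemo {
    // Constructed stand-in for a host key blob: the SSH string "ssh-rsa"
    // followed by filler bytes. It is not a real key.
    static byte[] constructedBlob(int filler) {
        byte[] name = "ssh-rsa".getBytes(StandardCharsets.US_ASCII);
        byte[] blob = new byte[4 + name.length + 16];
        blob[3] = (byte) name.length;               // 4-byte big-endian length prefix
        System.arraycopy(name, 0, blob, 4, name.length);
        Arrays.fill(blob, 4 + name.length, blob.length, (byte) filler);
        return blob;
    }

    static String describe(int result) {
        switch (result) {
            case HostKeyRepository.OK:           return "OK";
            case HostKeyRepository.NOT_INCLUDED: return "NOT_INCLUDED";
            case HostKeyRepository.CHANGED:      return "CHANGED";
            default:                             return "unexpected " + result;
        }
    }

    public static void main(String[] args) throws JSchException {
        String host = "sftp.example.test";          // placeholder host name
        byte[] serverKey = constructedBlob(0x11);

        // No setKnownHosts() call: the repository is empty, so every host is unknown.
        HostKeyRepository empty = new JSch().getHostKeyRepository();
        System.out.println("empty repo:    " + describe(empty.check(host, serverKey)));

        // One known_hosts line (host, key type, base64 blob), loaded before connecting.
        String line = host + " ssh-rsa " + Base64.getEncoder().encodeToString(serverKey) + "\n";
        JSch pinned = new JSch();
        pinned.setKnownHosts(new ByteArrayInputStream(line.getBytes(StandardCharsets.US_ASCII)));
        HostKeyRepository repo = pinned.getHostKeyRepository();

        System.out.println("listed host:   " + describe(repo.check(host, serverKey)));
        System.out.println("different key: " + describe(repo.check(host, constructedBlob(0x22))));
        System.out.println("other host:    " + describe(repo.check("other.example.test", serverKey)));
    }
}
```

With `StrictHostKeyChecking` set to `yes`, JSch accepts the server only when this lookup returns `OK`, so a helper like the one in the question needs a `jsch.setKnownHosts(...)` call with a file that already lists the server's host key before `session.connect()`.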
