
I support a legacy web application, and one function is to use JSCH to SFTP an attachment to another server. Our server ops team recently added a new RSA key to the target server on top of the DSA key that's been there, and now we're receiving the com.jcraft.jsch.JSchException: Auth fail error message. Here's the code:

```java
// Imports needed by the enclosing class
import java.io.ByteArrayInputStream;

import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public final static void sftpFileToRemoteDirectory(
        String clientConnect,
        int clientPort,
        String clientLogin,
        String encryptedPassword,
        String path,
        String remoteFile,
        byte[] file)
throws Exception
{
    JSch jsch = new JSch();
    Session session = null;

    ByteArrayInputStream baInputStream = null;

    try {
        //using port 24
        session = jsch.getSession(clientLogin, clientConnect, clientPort);
        // Host key checking is turned off: any key the server presents is accepted
        session.setConfig("StrictHostKeyChecking", "no");

        // Decrypt password string and set password
        String saPwd = new EncryptionHelper().decryptString(encryptedPassword);
        session.setPassword(saPwd);

        session.connect();
        Channel channel = session.openChannel("sftp");
        channel.connect();

        ChannelSftp sftpChannel = (ChannelSftp) channel;

        System.out.println("Changing to FTP remote dir: " +
                path);
        sftpChannel.cd(path);

        //get ByteArrayInputStream for file
        baInputStream = new ByteArrayInputStream(file);

        //Put file on server
        System.out.println("Moving " + remoteFile + " to " + path);
        sftpChannel.put(baInputStream, remoteFile);

        sftpChannel.exit();

    } finally {
        try {
            // The stream is still null when connect() fails, so guard the close;
            // otherwise the NullPointerException would skip session.disconnect()
            if (baInputStream != null) {
                baInputStream.close();
            }

            if (session != null) {
                session.disconnect();
            }
        } catch (Exception e) {
            // Don't throw exception caused by closing stream
            e.printStackTrace();
        }
    }
}
```

I found this post that seemed related. We double checked and made sure that the target server is in the list of known hosts. This includes just the server name, the FQDN, and the FQDN plus the port number, but no luck. Any changes I can make to the code?

The error message:

```
20:40:37,639 ERROR [stderr] (ajp--127.0.0.1-8009-20) Caused by: com.jcraft.jsch.JSchException: Auth fail
20:40:37,639 ERROR [stderr] (ajp--127.0.0.1-8009-20) at com.jcraft.jsch.Session.connect(Session.java:461)
20:40:37,639 ERROR [stderr] (ajp--127.0.0.1-8009-20) at com.jcraft.jsch.Session.connect(Session.java:154)
20:40:37,639 ERROR [stderr] (ajp--127.0.0.1-8009-20) at com.lmig.requestit.utils.RequestITFileManagementUtils.sftpFileToRemoteDirectory(RequestITFileManagementUtils.java:54)
20:40:37,639 ERROR [stderr] (ajp--127.0.0.1-8009-20) at com.lmig.requestit.modules.desktop.automation.Form2039Automation.automateOutlookPhotoMoveFileToPhoto(Form2039Automation.java:109)
20:40:37,640 ERROR [stderr] (ajp--127.0.0.1-8009-20) ... 27 more
```

Here are the logs from the JSCH:

```
13:41:10,184 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Connecting to "server" port 24
13:41:10,188 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Connection established
13:41:10,190 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Remote version string: SSH-2.0-1.07 FlowSsh: WinSSHD 5.20
13:41:10,190 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Local version string: SSH-2.0-JSCH-0.1.44
13:41:10,190 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
13:41:10,231 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: aes256-ctr is not available.
13:41:10,231 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: aes192-ctr is not available.
13:41:10,232 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: aes256-cbc is not available.
13:41:10,232 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: aes192-cbc is not available.
13:41:10,232 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: arcfour256 is not available.
13:41:10,232 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_KEXINIT sent
13:41:10,233 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_KEXINIT received
13:41:10,235 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: kex: server->client aes128-ctr hmac-md5 none
13:41:10,235 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: kex: client->server aes128-ctr hmac-md5 none
13:41:10,261 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_KEXDH_INIT sent
13:41:10,262 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: expecting SSH_MSG_KEXDH_REPLY
13:41:10,285 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: ssh_rsa_verify: signature true
13:41:10,299 INFO [stdout] (ajp--127.0.0.1-8009-7) WARN: Permanently added 'server' (RSA) to the list of known hosts.
13:41:10,299 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_NEWKEYS sent
13:41:10,299 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_NEWKEYS received
13:41:10,312 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_SERVICE_REQUEST sent
13:41:10,312 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_SERVICE_ACCEPT received
13:41:10,314 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Authentications that can continue: gssapi-with-mic,publickey,keyboard-interactive,password
13:41:10,314 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Next authentication method: gssapi-with-mic
13:41:10,330 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Authentications that can continue: publickey,keyboard-interactive,password
13:41:10,330 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Next authentication method: publickey
13:41:10,333 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Authentications that can continue: password
13:41:10,333 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Next authentication method: password
13:41:13,345 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: Disconnecting from "server" port 24
```

H. Miller
  • You are using `StrictHostKeyChecking=no` (which is a security flaw, btw), so no change of server host key can cause you any trouble. Even if it did, you would never get to the authentication phase, so you would not get *"Auth fail"* error. Conclusion: your problem is completely different than what you think. Show us [JSch log file](https://stackoverflow.com/q/47411185/850848). – Martin Prikryl Dec 07 '17 at 14:17
  • Are you able to connect to that server via sftp or ssh directly? Have you tried to use any of those keys to connect instead of using password? – Ivan Dec 07 '17 at 14:42
  • Yes, I'm able to connect to the server using SSH. Would using the keys involve using jsch.addIdentity(privateKey) where the private key is the key on the source server? I'm working on adding the logging to get more detail about Jsch. – H. Miller Dec 08 '17 at 11:59
  • Yes, to use private key you need to use jsch.addIdentity() – Ivan Dec 09 '17 at 02:38
  • I've added the logs from jsch. If I understand that correctly, it seems to not be using any of the authentication methods, including password. Should I be using the jsch.setUserInfo? – H. Miller Dec 11 '17 at 19:10
  • Show us output of `ssh -v user@host`. Did you check server-side log file? You also urgently need to upgrade JSch library. – Martin Prikryl Dec 11 '17 at 20:41
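
The distinction drawn in the comments, that a session which reaches the authentication phase has already passed host-key handling, can be checked mechanically against a JSch log. The Python below is an added example, not code from the thread or from JSch; `analyze_jsch_log` and its report keys are hypothetical names, and the sample is an excerpt of the log posted in the question.

```python
import re

# Excerpt of the JSch log from the question; only the first line keeps its app-server prefix.
SAMPLE_LOG = """\
13:41:10,232 INFO [stdout] (ajp--127.0.0.1-8009-7) INFO: SSH_MSG_KEXINIT sent
WARN: Permanently added 'server' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS received
INFO: Authentications that can continue: gssapi-with-mic,publickey,keyboard-interactive,password
INFO: Next authentication method: gssapi-with-mic
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: password
INFO: Next authentication method: password
INFO: Disconnecting from "server" port 24
"""

# A JSch message is whatever follows the last-stage "LEVEL: " tag on the line.
JSCH_LINE = re.compile(r"\b(?:DEBUG|INFO|WARN|ERROR|FATAL): (.*)$")
ADDED = re.compile(r"Permanently added '(.+)' \((\w+)\) to the list of known hosts")


def analyze_jsch_log(text):
    """Report how far a JSch session got, which host key it accepted, which auth it tried."""
    r = {"kex_done": False, "auto_trusted": None, "offered": [],
         "tried": [], "authenticated": False}
    for raw in text.splitlines():
        m = JSCH_LINE.search(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg == "SSH_MSG_NEWKEYS received":
            r["kex_done"] = True  # key exchange, and so host-key handling, is over
        elif (hit := ADDED.search(msg)):
            # Logged when JSch accepts a host key it did not already have stored.
            r["auto_trusted"] = hit.groups()
        elif msg.startswith("Authentications that can continue: "):
            if not r["offered"]:  # assumption: the first list is the server's full offer
                r["offered"] = msg.split(": ", 1)[1].split(",")
        elif msg.startswith("Next authentication method: "):
            r["tried"].append(msg.split(": ", 1)[1])
        elif msg.startswith("Authentication succeeded"):
            r["authenticated"] = True
    r["untried"] = [a for a in r["offered"] if a not in r["tried"]]
    r["failed_phase"] = None if r["authenticated"] else (
        "authentication" if r["kex_done"] else "key exchange or earlier")
    return r


if __name__ == "__main__":
    print(analyze_jsch_log(SAMPLE_LOG))
```

On the posted log the report places the failure in the authentication phase, records that the RSA host key was accepted on the fly rather than matched against a stored entry, and shows `password` as the last method attempted before the disconnect.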

0 Answers