1

When trying to do passwordless SSH from JSch, I am getting the error below. I am using a private key and passphrase to establish the connection but get an Auth cancel exception.

I tried without using a passphrase and still get the same exception:

    com.jcraft.jsch.JSchException: Auth cancel
        at com.jcraft.jsch.Session.connect(Session.java:518)
        at com.jcraft.jsch.Session.connect(Session.java:183)

The code for the connection is:

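    import com.jcraft.jsch.JSch;
    import com.jcraft.jsch.Session;

    JSch jschConnector = new JSch();
    // Private key file and its passphrase
    jschConnector.addIdentity("path_to_private_key", "12345");
    jschConnector.setKnownHosts("path_TO_KNOWN_HOST");

    Session session = jschConnector.getSession(user, host, port);
    session.setTimeout(timeout);
    java.util.Properties config = new java.util.Properties();
    // "no": unknown or changed host keys are accepted without failing the connection
    config.put("StrictHostKeyChecking", "no");
    // Methods are tried in this order, limited to those the server offers
    config.put("PreferredAuthentications", "publickey,keyboard-interactive,password");
    session.setConfig(config);
    session.connect();
    log.info(" Session created successfully");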

        

JSch log:

INFO: Connecting to dedwfprsapp01.de.neustar.com port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-OpenSSH_5.3
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: ecdh-sha2-nistp256 is not available.
INFO: ecdh-sha2-nistp384 is not available.
INFO: ecdh-sha2-nistp521 is not available.
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: ecdsa-sha2-nistp256 is not available.
INFO: ecdsa-sha2-nistp384 is not available.
INFO: ecdsa-sha2-nistp521 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
INFO: kex: server: ssh-rsa,ssh-dss
INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
INFO: kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
INFO: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
INFO: kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
INFO: kex: server: none,zlib@openssh.com
INFO: kex: server: none,zlib@openssh.com
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: kex: server->client aes128-ctr hmac-md5 none
INFO: kex: client->server aes128-ctr hmac-md5 none
INFO: SSH_MSG_KEXDH_INIT sent
INFO: expecting SSH_MSG_KEXDH_REPLY
INFO: ssh_rsa_verify: signature true
INFO: Host 'dedwfprsapp01.de.neustar.com' is known and matches the RSA host key
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: keyboard-interactive,password
INFO: Next authentication method: keyboard-interactive
INFO: Disconnecting from dedwfprsapp01.de.neustar.com port 22
JSCH Exceptioncom.jcraft.jsch.JSchException: Auth cancel

Logs for `ssh xyz.com -v`:

Warning: Identity file .ssh/jenkins not accessible: No such file or directory.
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to dedwdprsrmc001 [10.57.19.176] port 22.
debug1: Connection established.
debug1: identity file /home/dnasssd/.ssh/identity type -1
debug1: identity file /home/dnasssd/.ssh/identity-cert type -1
debug1: identity file /home/dnasssd/.ssh/id_rsa type 1
debug1: identity file /home/dnasssd/.ssh/id_rsa-cert type -1
debug1: identity file /home/dnasssd/.ssh/id_dsa type -1
debug1: identity file /home/dnasssd/.ssh/id_dsa-cert type -1
debug1: identity file /home/dnasssd/.ssh/id_ecdsa type -1
debug1: identity file /home/dnasssd/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'dedwdprsrmc001' is known and matches the RSA host key.
debug1: Found key in /home/dnasssd/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server krbtgt/NEUSTAR@KRBPROD.NEUSTAR.COM not found in Kerberos database

debug1: Trying to start again
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/dnasssd/.ssh/identity
debug1: Offering public key: /home/dnasssd/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/dnasssd/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Wed May  2 14:56:44 2018 from dedwfprsapp01.de.neustar.com
Martin Prikryl
madeeha
  • You cannot remove evidence from your question. If you want to hide some sensitive information, edit the specific lines (though anyone can see it in the question history anyway). But you cannot remove the whole log based on which the answer to your problem was provided! – Martin Prikryl Sep 21 '22 at 12:09

2 Answers

2

INFO: Authentications that can continue: keyboard-interactive,password

Your server does not support public key authentication at all (or does not allow it for your account).


The root cause is that you are connecting to a wrong host. In JSch, you are connecting to dedwfprsapp01[.de.neustar.com]. With ssh you are connecting to dedwdprsrmc001.

Martin Prikryl
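The comparison made in the answer above can be reproduced mechanically from the two client logs. The following Python script is an added example, not part of the original answer: the names `summarize` and `compare` are hypothetical, and the embedded log lines are excerpts of the JSch and `ssh -v` logs quoted in the question.

```python
import re

# Excerpts of the two client logs quoted in the question above.
JSCH_LOG = """\
INFO: Connecting to dedwfprsapp01.de.neustar.com port 22
INFO: Remote version string: SSH-2.0-OpenSSH_5.3
INFO: Authentications that can continue: keyboard-interactive,password
INFO: Next authentication method: keyboard-interactive
"""
OPENSSH_LOG = """\
debug1: Connecting to dedwdprsrmc001 [10.57.19.176] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Authentication succeeded (publickey).
"""

HOST_RE = re.compile(r"Connecting to (\S+)")
SERVER_RE = re.compile(r"(?:Remote version string: SSH-2\.0-|remote software version )(\S+)")
METHODS_RE = re.compile(r"Authentications that can continue: (\S+)")

def summarize(log):
    """Return target host, server banner and the auth methods the server offered."""
    host = HOST_RE.search(log)
    server = SERVER_RE.search(log)
    methods = METHODS_RE.search(log)  # first occurrence = the server's initial offer
    return {
        "host": host.group(1) if host else None,
        "server": server.group(1) if server else None,
        "methods": methods.group(1).split(",") if methods else [],
    }

def compare(failing, working):
    """List differences that explain why one client authenticates and the other does not."""
    a, b = summarize(failing), summarize(working)
    findings = []
    # Compare short host names so "host" and "host.example.com" count as the same target.
    if a["host"] and b["host"] and a["host"].split(".")[0] != b["host"].split(".")[0]:
        findings.append(f"different targets: {a['host']} vs {b['host']}")
    if a["server"] != b["server"]:
        findings.append(f"different server versions: {a['server']} vs {b['server']}")
    if "publickey" not in a["methods"]:
        findings.append("failing server does not offer publickey: " + ",".join(a["methods"]))
    return findings

if __name__ == "__main__":
    for finding in compare(JSCH_LOG, OPENSSH_LOG):
        print(finding)
```

Run against the excerpts, it reports three findings: the two clients target different hosts, the servers announce different OpenSSH versions, and the server JSch reached never offers `publickey`.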
-1

For some reason, JSch uses a quite different authentication method.

TL;DR: Create an rsa-sha2-512 key (using the PEM format).

    ssh-keygen -t rsa-sha2-512 -m PEM -N '' -f ~/.ssh/id_rsa-sha2-512

In cases where you can't easily change the key type:

  1. Recreate an RSA key (using the PEM format).

    ssh-keygen -t rsa -m PEM -N '' -f ~/.ssh/id_rsa

  2. Configure the SSH server to accept this method.

    sudo bash -c "echo 'PubkeyAcceptedAlgorithms +ssh-rsa' > /etc/ssh/sshd_config.d/ssh-rsa.conf"

  3. Restart the sshd server.

    sudo systemctl restart sshd

  4. Now it works!

PS: The key types JSch supports are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

https://unix.stackexchange.com/questions/721606/ssh-server-gives-userauth-pubkey-key-type-ssh-rsa-not-in-pubkeyacceptedalgorit

  • There's nothing like an "rsa-sha2-512" key – [How to generate rsa-sha2-256 keys using ssh-keygen utility?](https://superuser.com/q/1769277/213663) – You are mixing key types and signatures. Were you really getting the *"Auth cancel"* error? In your case you should be getting *"Auth fail"* – [JSchException: Auth fail on Ubuntu 22.04](https://stackoverflow.com/q/73135640/850848). – Martin Prikryl Mar 03 '23 at 06:53