0

I have code that transfers a file via sftp using JSch. This code works in one of our test environments but doesn't work in another environment. The environment where it doesn't work has FIPS mode enabled but I'm unsure whether or not that is contributing to the problem. In both environments, I'm able to sftp from the command line using the private key that the code is using.

There's some relevant output from JSch and from ssh but I'm not sure what else I can do at this point to move forward. SSH keys and known hosts files both seem to be set up properly.

Here's the output from my app (with IP and RSA key changed):

MESSAGE="path to private key: '~/.ssh/id_rsa_xxx'"
MESSAGE="Connecting to 111.11.11.11 port 22"
MESSAGE="Connection established"
MESSAGE="Remote version string: SSH-2.0-OpenSSH_5.3"
MESSAGE="Local version string: SSH-2.0-JSCH-0.1.54"
MESSAGE="CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256"
MESSAGE="CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521"
MESSAGE="CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
MESSAGE="SSH_MSG_KEXINIT sent"
MESSAGE="SSH_MSG_KEXINIT received"
MESSAGE="kex: server: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
MESSAGE="kex: server: ssh-rsa,ssh-dss"
MESSAGE="kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
MESSAGE="kex: server: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
MESSAGE="kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96"
MESSAGE="kex: server: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96"
MESSAGE="kex: server: none,zlib@openssh.com"
MESSAGE="kex: server: none,zlib@openssh.com"
MESSAGE="kex: server: "
MESSAGE="kex: server: "
MESSAGE="kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
MESSAGE="kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"
MESSAGE="kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc"
MESSAGE="kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc"
MESSAGE="kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96"
MESSAGE="kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96"
MESSAGE="kex: client: none"
MESSAGE="kex: client: none"
MESSAGE="kex: client: "
MESSAGE="kex: client: "
MESSAGE="kex: server->client aes128-ctr hmac-md5 none"
MESSAGE="kex: client->server aes128-ctr hmac-md5 none"
MESSAGE="SSH_MSG_KEXDH_INIT sent"
MESSAGE="expecting SSH_MSG_KEXDH_REPLY"
MESSAGE="ssh_rsa_verify: signature true"
MESSAGE="Disconnecting from 111.11.11.11 port 22"

Exception:  JSchException
Message:    UnknownHostKey: 111.11.11.11. RSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
In Class:   com.jcraft.jsch.Session
In Method:  checkHost() : Session.java : 805

com.jcraft.jsch.JSchException: UnknownHostKey: 111.11.11.11. RSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    at com.jcraft.jsch.Session.checkHost(Session.java:805)
    at com.jcraft.jsch.Session.connect(Session.java:345)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    ...
    at java.lang.Thread.run(Thread.java:748)

Here's a copy of the very verbose output of an ssh session from/to the same VM:

$ ssh -vv -i ~/.ssh/id_rsa_transfer transfer@mail
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /xxx/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
FIPS mode initialized
debug2: ssh_connect: needpriv 0
debug1: Connecting to mail [111.11.11.11] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /xxx/.ssh/id_rsa_xxx type -1
debug1: identity file /xxx/.ssh/id_rsa_xxx-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 157/320
debug2: bits set: 1061/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mail' is known and matches the RSA host key.
debug1: Found key in /xxx/.ssh/known_hosts:4
debug2: bits set: 1013/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /xxx/.ssh/id_rsa_xxx ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /xxx/.ssh/id_rsa_xxx
debug1: read PEM private key done: type RSA
debug2: we sent a publickey packet, wait for reply
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Apr  9 13:46:27 2020 from 111.11.11.11
Chris Williams
  • 11,647
  • 15
  • 60
  • 97
  • See [How to resolve Java UnknownHostKey, while using JSch SFTP library?](https://stackoverflow.com/q/32852906/850848) – Martin Prikryl Apr 10 '20 at 06:28
  • @MartinPrikryl - Thanks for the link. I saw that post and am already setting my known hosts file before attempting to connect: `jsch.setKnownHosts(knownHostsFileLocation);`. This is the same known_hosts file that is used by ssh/sftp on the command line. – Chris Williams Apr 10 '20 at 12:28
  • We need [mcve]. – Martin Prikryl Apr 10 '20 at 13:17

1 Answers1

0

Turns out our DevOps team accidentally overrode the location of the known hosts property we were using. JSch doesn't check that the path I give for the known hosts file (and I'm assuming the private key) are valid. I'm leaving this question in case someone else ever has this issue.

Chris Williams
  • 11,647
  • 15
  • 60
  • 97