Authentication with public key fails with 0.1.62 #47
Comments
Hi Avner, The reason is that the configured algorithms were changed in 0.1.62 for security reasons. They are aligned with recent OpenSSH versions. So you might have to change the config like I will update the readme soon, since it is important to understand this change when using this library as a replacement of Jsch. Kind regards |
Hi @mwiede |
Hi Avner & Itay, A few questions:
Thanks, |
Also, if you can run the following nmap command against the server in question, it can help provide details as to what SSH version it is and what crypto algorithms it supports:
|
Thanks, |
Hi Itay,
Thanks, |
Hi Itay, Can you confirm if 0.1.62 works if you add this statement before you initiate any sessions?
Thanks, |
Hi @norrisjeremy But in jsch 1.62 the values are: I understand that you changed the order of the values for better security, but it causes performance issues when trying to connect. Maybe it's worth adding them as optional, not the first, because it takes 3-10 seconds to check if kex is correct or not for this version, |
Hi @norrisjeremy |
Hi Itay, The discussion in #45 provides more details as to the default values of PubkeyAcceptedKeyTypes. Thanks, |
Hi Itay, With regards to your comment above that you are seeing it take 3-10 seconds to check if the kex is correct: I don't see that behavior locally. Can you provide more details with regards to the environment in which you see this behavior (operating system, Java version, etc.)? Thanks, |
Hi @norrisjeremy @avnerw74 |
Hi Itay, See the comment: The server you are connecting with most likely enforces a MaxAuthTries setting of 2 or less: "My suspicion as to what is happening is that the OpenSSH 5.3 server you are attempting to connect with has MaxAuthTries configured to a small value (2 or less). Combined with the fact that the default PubkeyAcceptedKeyTypes attempts to use the RSA SHA-2 signature types (rsa-sha2-256 & rsa-sha2-512) before the legacy RSA SHA-1 signature type (ssh-rsa), this causes authentication to fail. This is due to the fact that the client signature type is not actually negotiated in the SSH protocol: the client simply has to brute force attempt each one in succession until it succeeds, or the server rejects the connection for Too many authentication failures. And since RSA SHA-2 signature types weren't introduced until OpenSSH 7.2, JSch is attempting to use first rsa-sha2-512 (which fails), then rsa-sha2-256 (which fails), and before it can try ssh-rsa (which would succeed), the server terminates the session because of its MaxAuthTries setting." By putting ssh-rsa at the start of the PubkeyAcceptedKeyTypes setting in JSch, this causes it to attempt to use it before rsa-sha2-512 and rsa-sha2-256 (which I suspect the server you are connecting to does not support). Thanks, |
Hi @ihudedi, Did you have an opportunity to review the last comment I left? Thanks, |
I was having problems trying to connect to Azure (Remote version string: SSH-2.0-AzureSSH_1.0.0). I solved it by rearranging the "PubkeyAcceptedKeyTypes", putting the rsa-sha2-256 first. |
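Added example, not part of the thread and not the project's own code: the reordering described in the MaxAuthTries comment and in the Azure comment above, applied to a single `Session` so the library-wide default (RSA SHA-2 before `ssh-rsa`) stays in place for every other host. The host name, user, key path and the `preferFirst` helper are assumptions made for illustration; for the Azure case the same helper would be called with `"rsa-sha2-256"`.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.util.ArrayList;
import java.util.List;

public class LegacyHostPubkeyOrder {

    /**
     * Hypothetical helper: moves `preferred` to the front of a comma-separated
     * algorithm list (adding it if absent) and keeps the rest in their order.
     */
    static String preferFirst(String algorithms, String preferred) {
        List<String> ordered = new ArrayList<>();
        ordered.add(preferred);
        for (String alg : algorithms.split(",")) {
            String name = alg.trim();
            if (!name.isEmpty() && !name.equals(preferred)) {
                ordered.add(name);
            }
        }
        return String.join(",", ordered);
    }

    public static void main(String[] args) throws JSchException {
        // Placeholders (assumptions, not values from the thread).
        String host = "legacy-host.example.com";
        String user = "deploy";
        String home = System.getProperty("user.home");

        JSch jsch = new JSch();
        jsch.setKnownHosts(home + "/.ssh/known_hosts"); // keep host key checking on
        jsch.addIdentity(home + "/.ssh/id_rsa");

        // Start from the library default so every other signature type is still offered.
        String defaults = JSch.getConfig("PubkeyAcceptedKeyTypes");

        Session session = jsch.getSession(user, host, 22);
        // Per-session override: only this old server sees ssh-rsa (SHA-1) first,
        // so the attempt that can succeed happens before MaxAuthTries is used up.
        session.setConfig("PubkeyAcceptedKeyTypes", preferFirst(defaults, "ssh-rsa"));
        session.connect(10_000);
        try {
            System.out.println("authenticated, server: " + session.getServerVersion());
        } finally {
            session.disconnect();
        }
    }
}
```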
Hi,
We were using 0.1.55 to connect to a server using public key auth without a problem.
After we upgraded to 0.1.62, public key authentication fails with "Auth Fail".
If we use the UserAuthPublicKey class from 0.1.55, we are able to login again.
Is this a known bug?
Thanks,
Avner