问题:
如何解决JSch公钥验证失败而其他实用程序使用相同密钥成功的错误?
施弘壮
我一直在使用Java JSch库连接到SFTP站点以下载文件。直到最近,这一方法一直非常完美。现在一个SFTP站点无法通过公钥身份验证;使用命令行sftp(solaris)和FileZilla(Windows)可以使用相同的密钥连接到故障站点。我想我一定有什么配置错误,我想知道是否有人可以提供任何解决这个问题的方法。非常感谢任何帮助。
import java.util.Properties;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
public class Test {
static {
JSch.setLogger(new TestLogger());
}
public static void main(String [] args) throws JSchException {
Test test = new Test();
final String identityFile = "w:/path/to/my/id_rsa";
// Known-good SFTP site
//test.connect("test.known-good.site", "username", 22, identityFile);
// Failing SFTP site
test.connect("test.failing.site", "differentUsername", 6039, identityFile);
}
public void connect(String host, String user, int port, String identityFile) throws JSchException {
JSch jsch = new JSch();
jsch.addIdentity(identityFile);
Session session = jsch.getSession(user, host, port);
Properties config = new Properties();
config.put("StrictHostKeyChecking", "no");
session.setConfig(config);
try {
session.connect();
} finally {
session.disconnect();
}
}
public static class TestLogger implements com.jcraft.jsch.Logger {
static java.util.Hashtable<Integer, String> name=new java.util.Hashtable<>();
static{
name.put(new Integer(DEBUG), "DEBUG: ");
name.put(new Integer(INFO), "INFO: ");
name.put(new Integer(WARN), "WARN: ");
name.put(new Integer(ERROR), "ERROR: ");
name.put(new Integer(FATAL), "FATAL: ");
}
public boolean isEnabled(int level){
return true;
}
public void log(int level, String message){
System.err.print(name.get(new Integer(level)));
System.err.println(message);
}
}
}
INFO: Connecting to test.failing.site port 6039
INFO: Connection established
INFO: Remote version string: SSH-2.0-Maverick_SSHD
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
INFO: kex: server: ssh-rsa
INFO: kex: server: aes256-cbc,aes192-cbc
INFO: kex: server: aes256-cbc,aes192-cbc
INFO: kex: server: hmac-sha1,hmac-sha1-96
INFO: kex: server: hmac-sha1,hmac-sha1-96
INFO: kex: server: none
INFO: kex: server: none
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: kex: server->client aes192-cbc hmac-sha1 none
INFO: kex: client->server aes192-cbc hmac-sha1 none
INFO: SSH_MSG_KEX_DH_GEX_REQUEST(1024<2048<2048) sent
INFO: expecting SSH_MSG_KEX_DH_GEX_GROUP
INFO: SSH_MSG_KEX_DH_GEX_INIT sent
INFO: expecting SSH_MSG_KEX_DH_GEX_REPLY
INFO: ssh_rsa_verify: signature true
WARN: Permanently added 'test.failing.site' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: keyboard-interactive,password
INFO: Next authentication method: keyboard-interactive
INFO: Authentications that can continue: password
INFO: Next authentication method: password
INFO: Disconnecting from test.failing.site port 6039
Exception in thread "main" com.jcraft.jsch.JSchException: Auth fail
at com.jcraft.jsch.Session.connect(Session.java:519)
at com.jcraft.jsch.Session.connect(Session.java:183)
at jsch_test.Test.connect(Test.java:38)
at jsch_test.Test.main(Test.java:23)
sftp -v -oPort=6039 -oIdentityFile=./id_rsa testuser@test.failing.site
Connecting to test.failing.site...
Sun_SSH_1.1.8, SSH protocols 1.5/2.0, OpenSSL 0x100020bf
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to test.failing.site [xxx.xxx.xxx.xxx] port 6039.
debug1: Connection established.
debug1: identity file p2idrsa type -1
debug1: Logging to host: test.failing.site
debug1: Local user: timrthy Remote user: testuser
debug1: Remote protocol version 2.0, remote software version Maverick_SSHD
debug1: no match: Maverick_SSHD
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.8
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: ssh_gssapi_init_ctx(8a218, test.failing.site, 0, 0, ffbff13c)
debug1: GSS-API error while calling GSS_Init_sec_context(): Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Skipping GSS-API mechanism kerberos_v5 (Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes192-cbc hmac-sha1 none
debug1: kex: client->server aes192-cbc hmac-sha1 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 204/384
debug1: bits set: 1031/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test.failing.site' is known and matches the RSA host key.
debug1: Found key in /export/home/timrthy/.ssh/known_hosts:61
debug1: bits set: 1009/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: p2idrsa
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey)
debug1: fd 7 setting O_NONBLOCK
debug1: SSH receive window size: 198720 B
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug1: channel request 0: subsystem
debug1: channel 0: open confirm rwindow 0 rmax 34000
sftp>
来自我网络上每台机器的外部连接看起来都来自同一个IP,但我继续验证了来自我的机器的命令行sftp是否起作用,而使用Java+JSch则不起作用。命令行sftp到其他站点(目前有4个不同的站点)和Java+JSch确实有效,所以我的想法已经用完了。
谢谢你的协助。
共有1个答案
轩辕涵亮
我不确定这个答案对任何人有多大帮助。原来是远程服务器端出了问题。服务器端的技术人员告诉我问题已经解决;他们没有指出他们必须作出什么改变才能解决这一问题。从我的观点来看,JSch日志记录看起来是一样的,只是公钥身份验证是成功的。
非常感谢你们所有看过这个的人。
类似资料:
-
我想知道如何使用公钥来验证私钥。 “<代码> <模数> 这是一个字符串,我试图使用Python验证它的私钥(也是作为字符串提供的)。我知道发行人和观众需要做什么,但我不确定如何处理所有这些信息。 我看了一些peoples使用各种包的例子,但我似乎不知道pub_key、private_key和message是什么类型...请帮帮我...我希望学习
-
通常情况下,访问远程服务器上的 Git 仓库要受到限制。你可能不希望任何人都能读取文件,或者至少不能改动文件吧。在这种情况下,进行有效的认证就是非常必要地。 你可能已经通过你所使用的浏览器了解了 “HTTPS” 协议,尽管它使用起来很简单,但是很多系统管理员还是会出于各种原因去选择使用更为普遍的 “SSH” 协议。在这种协议之下,当涉及到身份验证时,你就很可能需要 “SSH公钥”。 对于这种类型的
-
问题内容: 我的 詹金斯(Jenkins) 有问题,设置为“ git”,显示以下错误: 我已经用 ssh 测试过: 这是错误的: 我还使用“ SSH密钥”完成了这些步骤。 在詹金斯下登录 将您的github密钥复制到Jenkins .ssh文件夹 重命名键 但仍然无法在 jenkins中使用* git 仓库。 * 感谢帮助!。 问题答案: 更改为用户并手动运行命令: 首次通过SSH连接到新主机时,
-
我对jenkins有一个问题,设置“Git”,显示以下错误: 我已经用ssh进行了测试: 这是错误: 谢谢你的帮助!。
-
在许多网站和教科书中,他们说公钥总是用来加密,私钥是用来解密的。在RSA算法中,这是真的。但在数字签名中,发送者使用他的私钥对文档签名(我相信这有点类似于加密,如果这是错误的,请纠正我),接收者使用文档中包含的公钥对文档进行解密(验证)。那么,根据我们的应用,这可以概括为公/私钥既可以用于加密,也可以用于解密吗?还是这里涉及了其他的概念?
-
我找到了几个可以使用的解决方案。Net RSA Provider使用公钥对消息进行加密,并使用私钥对其解密。 但我想要的是用私钥加密,用公钥解密。 我希望在我的应用程序中存储公钥,并使用私钥加密许可证,例如在我的开发人员计算机上,将其发送到应用程序,并让信息使用公钥解密。 我怎样才能做到这一点?