I'm using JGit to access a remote Git repo, and I need to use SSH for it. JGit uses JSch to provide secure access. However, I'm not sure how to set the key file and the knows hosts file for JGit. What I have tried is as follows.
Created a custom configuration of the SshSessionFactory, using by subclassing JSchConfigSessionFactory:
public class CustomJschConfigSessionFactory extends JschConfigSessionFactory {
#Override
protected void configure(OpenSshConfig.Host host, Session session) {
session.setConfig("StrictHostKeyChecking", "yes");
}
}
In the class which I access the remote Git repo, did the following:
CustomJschConfigSessionFactory jschConfigSessionFactory = new CustomJschConfigSessionFactory();
JSch jsch = new JSch();
try {
jsch.addIdentity(".ssh/id_rsa");
jsch.setKnownHosts(".ssh/known_hosts");
} catch (JSchException e) {
e.printStackTrace();
}
SshSessionFactory.setInstance(jschConfigSessionFactory);
I can't figure out how to associate this JSch object with JGit so that it can successfully connect to the remote repository. When I try to clone it with JGit, I get the following exception:
org.eclipse.jgit.api.errors.TransportException: git#git.test.com:abc.org/test_repo.git: reject HostKey: git.test.com
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:178)
at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125)
at GitTest.cloneRepo(GitTest.java:109)
at GitTest.main(GitTest.java:223)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.eclipse.jgit.errors.TransportException: git#git.test.com:abc.org/test_repo.git: reject HostKey: git.test.com
at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:142)
at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:121)
at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:248)
at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:147)
at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1104)
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:128)
... 9 more
Caused by: com.jcraft.jsch.JSchException: reject HostKey: git.test.com
at com.jcraft.jsch.Session.checkHost(Session.java:748)
at com.jcraft.jsch.Session.connect(Session.java:321)
at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
... 16 more
I have added the git.test.com entry to my /etc/hosts file. I have used the same code to access a git repo with a http url, so the code it working fine. It's the key handling part that is failing. Any idea on how to handle this?
You need to override the getJSch method in your custom factory class:
class CustomConfigSessionFactory extends JschConfigSessionFactory
{
#Override
protected JSch getJSch(final OpenSshConfig.Host hc, FS fs) throws JSchException {
JSch jsch = super.getJSch(hc, fs);
jsch.removeAllIdentity();
jsch.addIdentity( "/path/to/private/key" );
return jsch;
}
}
Calling jsch.removeAllIdentity is important; it doesn't seem to work without it.
A caveat: I wrote the above in Scala, and then translated it over to Java, so it might not be quite right. The original Scala is as follows:
class CustomConfigSessionFactory extends JschConfigSessionFactory
{
override protected def getJSch( hc : OpenSshConfig.Host, fs : FS ) : JSch =
{
val jsch = super.getJSch(hc, fs)
jsch.removeAllIdentity()
jsch.addIdentity( "/path/to/private/key" )
jsch
}
}
Jsch sesems to not like a known_hosts file in the hashed format-- it must conform to the format produced by:
ssh-keyscan -t rsa hostname >> ~/.ssh/known_hosts
e.g.
<hostname> ssh-rsa <longstring/longstring>
not:
|1|<hashed hostname>= ecdsa-sha2-nistp256 <hashed fingerprint>=
Managed to find the issue. The public key in the server side had a different name other than the usual id_rsa.pub, while the private key on my side was id_rsa. JSch expects by default the public key to have the same name as the private key plus the .pub suffix. Using a key pair with a common name (ex.: private = key_1 and public = key_1.pub) solves the issue.
Related
In an Android app, I am attempting to connect to an SSH server using the JSch library. The remote server is specified by the user, so I don't know the remote fingerprint in advance. At the same time I don't want to set StrictHostKeyChecking to no as I see in so many examples.
I'd like to get the remote server fingerprint, show it to the user for acceptance. Is this possible either with JSch or regular Java, perhaps with sockets?
Here's an example you can try, just paste it in the onCreate of an Android activity:
new Thread(new Runnable() {
#Override
public void run() {
com.jcraft.jsch.Session session;
JSch jsch;
try {
jsch = new JSch();
jsch.setLogger(new MyLogger());
session = jsch.getSession("git", "github.com", 22);
session.setPassword("hunter2");
Properties prop = new Properties();
prop.put("StrictHostKeyChecking", "yes");
session.setConfig(prop);
//**Get a host key and show it to the user**
session.connect(); // reject HostKey: github.com
}
catch (Exception e){
LOG.error("Could not JSCH", e);
}
}
}).start();
OK I've found a way to do this. It may not be the best way but it is a way. Using the UserInfo.promptYesNo required looping at the expense of CPU while waiting for user response or with the overhead of an Executor/FutureTask/BlockingQueue. Instead the async thread which executes the connection (since network tasks cannot occur on UI thread) is more conducive to doing this twice - once to 'break' and get the user to accept, second to succeed. I guess this is the 'Android way'. For this, the hostkey needs storing somewhere. Suppose I store it in Android's PreferenceManager, then to start with grab the key from there, defaulting to empty if not available
String keystring = PreferenceManager.getDefaultSharedPreferences(getApplicationContext()).getString("target_hostkey","");
if(!Strings.isNullOrEmpty(keystring)){
byte[] key = Base64.decode ( keystring, Base64.DEFAULT );
jsch.getHostKeyRepository().add(new HostKey("github.com", key ), null);
}
Next, proceed as usual to connect to the server
session = jsch.getSession("git", "github.com", 22);
session.setPassword("hunter2");
Properties prop = new Properties();
prop.put("StrictHostKeyChecking", "yes");
session.setConfig(prop);
session.connect();
But this time, catch the JSchException. In there, the session has a HostKey available.
catch(final JSchException jex){
LOG.debug(session.getHostKey().getKey());
final com.jcraft.jsch.Session finalSession = session;
runOnUiThread(new Runnable() {
#Override
public void run() {
new MaterialDialog.Builder(MyActivity.this)
.title("Accept this host with fingerprint?")
.negativeText(R.string.cancel)
.positiveText(R.string.ok)
.content(finalSession.getHostKey().getFingerPrint(jsch))
.onPositive(new MaterialDialog.SingleButtonCallback() {
#Override
public void onClick(#NonNull MaterialDialog dialog, #NonNull DialogAction which) {
PreferenceManager.getDefaultSharedPreferences(getApplicationContext()).edit().putString("target_hostkey", finalSession.getHostKey().getKey()).apply();
}
}).show();
}
});
}
After this, it's a matter of re-invoking the Thread or AsyncTask but this time the hostkey is added to the hostkey repository for JSch.
Two possibilities:
When StrictHostKeyChecking is set to ask, JSch calls UserInfo.promptYesNo with a confirmation prompt. Implement the UserInfo interface to display the confirmation to the user. Disadvantage is that you cannot customize the message in any way (of course, unless you try to parse it, relying on a hard-coded template).
The message is like:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the -key_type- host key has just been changed.
The fingerprint for the -key_type- key sent by the remote host is
-key_fprint-
Please contact your system administrator.
Add correct host key in -file- to get rid of this message.
For an example implementation, see the official JSch KnownHosts.java example.
Even before the above, JSch calls HostKeyRepository.check, passing it hostname and the key.
You can implement that interface/method, to do any prompt you like.
Check Session.checkHost implementation.
Generated RSA public key using ssh-keygen.
Trying to use to connect remote server through sftp :
JSch jsch = new JSch();
try {
String publicKey = "/home/testuser/.ssh/id_rsa.pub";
jsch.addIdentity(publicKey);
session = jsch.getSession(sftpUsername, sftpHostname, sftpPort);
session.setConfig("PreferredAuthentications", "publickey,keyboard-interactive,password");
} catch (JSchException e) {
logger.error("Unable to obtain session", e);
}
getting below error :
com.jcraft.jsch.JSchException: invalid privatekey: /home/testuser/.ssh/id_rsa.pub
at com.jcraft.jsch.IdentityFile.<init>(IdentityFile.java:261)
at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:135)
at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:130)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:206)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:192)
Any suggestions ?
You have:
jsch.addIdentity(publicKey);
JSch javadoc says:
public void addIdentity(String prvkey)
throws JSchException;
Adds an identity to be used for public-key authentication. Before registering it into identityRepository, it will be deciphered with passphrase.
Parameters:
prvkey - the file name of the private key file. This is also used as the identifying name of the key. The corresponding public key is assumed to be in a file with the same name with suffix .pub.
You have supplied the public key, when JSch wants the private key.
If you think about it, this makes sense. There's nothing secret about a public key. JSch wants a secret, so it can prove who you are.
Your private key is probably in ~/.ssh/id_rsa (without the .pub extension).
You may need to use the two-parameter version of addIdentity, in order to supply a passphrase to decrypt the private key.
I'm building this software for a school assignment. A server (regulator) controls interactions between shops (distributors) and clients. I have three entities:
Regulator. It binds two services: authentication (user control) and listing (lists distributors and their offers) to the registry.
Distributor. Deploys a user interface that allows registering and deleting offers and binds a service (ServiceSales) to the registry.
Client. Deploys a user interface and allows the user to ask the regulator which distributor has the offer they are interested in.
The regulator binds both the services fine, and the other entities interact ok with it. When I'm trying to bind ServiceSales I get an error as if the registry wasn't up.
This is the relevant code in the class Regulator:
Registry registry = LocateRegistry.getRegistry();
Utils.setCodeBase(ServiceSalesInterface.class);
ServiceSalesInterface sales = new ServiceSalesImpl(servicio);
ServicioVentaInterface sales_remote =
(ServiceSalesInterface) UnicastRemoteObject.exportObject(sales, 8888);
registry.rebind(sales.name(), sales_remote);
sales.name() returns service's name.
This is Utils source:
public class Utils {
public static final String CODEBASE = "java.rmi.server.codebase";
public static void setCodeBase(Class<?> c){
String path = c.getProtectionDomain().getCodeSource()
.getLocation().toString();
String cbase = System.getProperty(CODEBASE);
if (path != null && !path.isEmpty()){
path = path + " " + cbase;
}
System.setProperty(CODEBASE, path);
}
}
I've tried using different ports but it doesn't seem to be that what it is causing the error. This is the error message that pops when I'm trying to bind ServiceSales to the registry ( registry.rebind(sales.name(), sales_remote); ):
java.rmi.ConnectException: Connection refused to host: 127.0.1.1; nested exception is:
java.net.ConnectException: Connection refused
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:619)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
In case it is needed, this is the relevant code within the Regulator class (that works fine).
System.setProperty("java.rmi.server.hostname","127.0.0.1");
registry = LocateRegistry.createRegistry(8888);
Utils.setCodeBase(ServiceGoods.class);
ServiceGoodsInterface goods = new ServiceGoodsImpl();
ServiceGoodsInterface goods_remote =
(ServiceGoodsInterface)UnicastRemoteObject.exportObject(goods, 8888);
registry.rebind("ServiceGoods", goods_remote);
Utils.setCodeBase(ServiceAuth.class);
ServiceAuthInterface auth = new ServiceAuthImpl();
ServiceAuthInterface auth_remote =
(ServiceAuthInterface)UnicastRemoteObject.exportObject(auth, 8888);
registry.rebind("ServiceAuth", auth_remote);
System.out.println("Server is running.");
When I'm adding a reverse tunnel to a com.jcraft.jsch.Session object, the connection initialization fails with the following stacktrace:
com.jcraft.jsch.JSchException: java.lang.NullPointerException
at com.jcraft.jsch.Session._setPortForwardingR(Session.java:2165)
at com.jcraft.jsch.Session.setPortForwardingR(Session.java:1937)
at com.jcraft.jsch.Session.setPortForwardingR(Session.java:1883)
at com.project.client.handlers.SshClientHandler.<init>(SshClientHandler.java:41)
at com.project.client.pcConnection.init(SdConnection.java:30)
at Sdclient.main(Unknown Source)
Caused by: java.lang.NullPointerException
at com.jcraft.jsch.Packet.padding(Packet.java:58)
at com.jcraft.jsch.Session.encode(Session.java:892)
at com.jcraft.jsch.Session._write(Session.java:1362)
at com.jcraft.jsch.Session.write(Session.java:1357)
at com.jcraft.jsch.Session._setPortForwardingR(Session.java:2160)
... 5 more
The full code there is
private static JSch sshConn = null;
private Session sshSession;
public SshClientHandler(int _sshLocalSp, int _sshRemoteSp) {
JSch.setLogger(new JSCHLogger());
sshConn = new JSch();
try {
createTemporarySshFiles();
sshConn.setKnownHosts(GeneralMethods.getPreference(PcPreferencesEnum.SSH_KNOWN_HOSTS_FILE));
sshConn.addIdentity(GeneralMethods.getPreference(PcPreferencesEnum.SSHC_PRIVATE_KEY_FILE), GeneralMethods.getPreference(PcPreferencesEnum.SSHC_PUBLIC_KEY_FILE), "".getBytes());
sshSession = sshConn.getSession(GeneralMethods.getPropValue("pcclient.id"), "sshserver.project.com", 22);
java.util.Properties config = new java.util.Properties();
config.put("StrictHostKeyChecking", "no");
sshSession.setConfig(config);
sshSession.setTimeout(15000);
sshSession.setPassword("");
//sshSession.setPortForwardingR("50000:localhost:22");
sshSession.setPortForwardingR(50000, "127.0.0.1", 22);
sshSession.connect();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
The connection estabishes successfully w/ publickey authentication when I remove the line
sshSession.setPortForwardingR(50000, "127.0.0.1", 22);
The SSH user has the right to connect to the local port 50000 on the remote machine. Here is a snippet from it's authorized_keys
no-pty,permitopen="localhost:50000",command="/bin/echo not-allowed-to-do-this",no-X11-forwarding ssh-rsa AAAA[...]
I switched arguments for setPortForwardingR back and forth, as - for example - some documents I found online use the remote machine as second argument, some use localhost, but with no success.
Watching auth.log on the remote server indicates that the connection is not even initiated. The NullPointerException gets thrown on the actual line of the setPortForwardingR call. I ensured that my local SSH server is running on the local port 22, and I can connect manually to it. I tried different ports (to my local MySQL server, e.g.), but it always fails with the same stacktrace.
I'm using jsch-0.1.52.jar.
You have to call the .setPortForwardingR() only after the .connect().
See for example:
http://www.jcraft.com/jsch/examples/Daemon.java.html
I am getting an exception while using SSHJ.
Here is how I implemented it:
public static void main(String[] args) throws IOException {
// TODO Auto-generated method stub
final SSHClient ssh = new SSHClient();
ssh.loadKnownHosts();
ssh.connect("serverName");
try{
ssh.authPublickey("myUserId");
final Session session = ssh.startSession();
try{
final Command cmd = session.exec("net send myMachineName Hello!!!");
System.out.println(cmd.getOutputAsString());
System.out.println("\n Exit Status: "+cmd.getExitStatus());
}finally{
session.close();
}
}finally{
ssh.disconnect();
}
}
}
But I get the following exception:
Exception in thread "main" java.io.IOException: Could not load known_hosts
at net.schmizz.sshj.SSHClient.loadKnownHosts(SSHClient.java:528)
at SSHTEST.main(SSHTEST.java:25)
What am I doing wrong?
Use the folowing code
final SSHClient ssh = new SSHClient();
ssh.addHostKeyVerifier(
new HostKeyVerifier() {
public boolean verify(String arg0, int arg1, PublicKey arg2) {
return true; // don't bother verifying
}
}
);
ssh.connect("LocalHost");
Remove the call to loadKnownHosts() method, which as erickson mentioned checks under ~/.ssh/known_hosts by default (you can specify the location as an argument as well though), and replace it with:
ssh.addHostKeyVerifier("public-key-fingerprint");
To find out what the fingerprint is, the twisted way would be to connect without that statement - you'll find out from the exception ;-)
It sounds like it's trying to read a "known_hosts" file, but can't find it, or possibly it in an invalid format.
The SSH known hosts file records the public key for various hosts to thwart some spoofing attacks. Normally it resides in ~/.ssh/known_hosts. Try creating an empty file there and see if that satisfies the library.
The library documentation is likely to address the necessary configuration files.