Public key authentication fails with JSch but work with OpenSSH with the same key
Asked Answered
W

2

8

I'm trying to establish an SSH connection using Kotlin + JSch, but it fails with

com.jcraft.jsch.jSchException: Auth fail

Steps taken:

  1. Generate SSH key pair using ssh-keygen -t rsa -m PEM (OpenSSH version: OpenSSH_8.2p1)
  2. Append contents of generated id_rsa.pub to /home/username/.ssh/authorized_keys file on the server
  3. Test connection in the terminal: ssh -i /path/to/id_rsa [email protected] – works fine
  4. Execute the following Kotlin code:
import com.jcraft.jsch.JSch

const val USER = "username"
const val HOST = "example.host.com"
const val IDENTITY = "/path/to/id_rsa"


fun main() {
    val jsch = JSch().apply {
        addIdentity(IDENTITY)
        setKnownHosts("/path/to/known_hosts")
    }

    jsch.getSession(USER, HOST)
        .connect()
}

...which fails with an exception:

Exception in thread "main" com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:519)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at MainKt.main(Main.kt:18)
    at MainKt.main(Main.kt)

What can be the problem here?

JSch log output:

INFO: Connecting to example.host.com port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
INFO: kex: server: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
INFO: kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
INFO: kex: server: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
INFO: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: server: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
INFO: kex: server: none,[email protected]
INFO: kex: server: none,[email protected]
INFO: kex: server: 
INFO: kex: server: 
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client: 
INFO: kex: client: 
INFO: kex: server->client aes128-ctr hmac-sha1 none
INFO: kex: client->server aes128-ctr hmac-sha1 none
INFO: SSH_MSG_KEX_ECDH_INIT sent
INFO: expecting SSH_MSG_KEX_ECDH_REPLY
INFO: Host 'example.host.com' is known and matches the ECDSA host key
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Disconnecting from example.host.com port 22
Exception in thread "main" com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:519)
    at com.jcraft.jsch.Session.connect(Session.java:183)
    at MainKt.main(Main.kt:37)
    at MainKt.main(Main.kt)

ssh -vvv output:

OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "example.host.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to example.host.com [51.83.250.141] port 22.
debug1: Connection established.
debug1: identity file /path/to/id_rsa type 0
debug1: identity file /path/to/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3
debug1: match: OpenSSH_8.9p1 Ubuntu-3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to dev.sages.pl:22 as 'sages-devops'
debug3: hostkeys_foreach: reading file "/path/to/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /path/to/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from example.host.com
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,[email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:QcwhazMtZl/qgVMu6FLP+vLtUEmo6yDULBaK8+4SHnI
debug3: hostkeys_foreach: reading file "/path/to/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /path/to/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from dev.sages.pl
debug3: hostkeys_foreach: reading file "/path/to/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /path/to/known_hosts:6
debug3: load_hostkeys: loaded 1 keys from 51.83.250.141
debug1: Host 'example.host.com' is known and matches the ECDSA host key.
debug1: Found key in /path/to/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /path/to/id_rsa RSA SHA256:FxKSoi+/DPu0D6JZczCPMdydLyWuuKFFPeMEzdsiFkU explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected]>
debug1: kex_input_ext_info: [email protected] (unrecognised)
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /path/to/id_rsa RSA SHA256:FxKSoi+/DPu0D6JZczCPMdydLyWuuKFFPeMEzdsiFkU explicit
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /path/to/id_rsa RSA SHA256:FxKSoi+/DPu0D6JZczCPMdydLyWuuKFFPeMEzdsiFkU explicit
debug3: sign_and_send_pubkey: RSA SHA256:FxKSoi+/DPu0D6JZczCPMdydLyWuuKFFPeMEzdsiFkU
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:FxKSoi+/DPu0D6JZczCPMdydLyWuuKFFPeMEzdsiFkU
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to example.host.com ([51.83.250.141]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/username/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/username/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env WSL_DISTRO_NAME
debug3: Ignored env JAVA_HOME
debug3: Ignored env SDKMAN_CANDIDATES_DIR
debug3: Ignored env NAME
debug3: Ignored env PWD
debug3: Ignored env LOGNAME
debug3: Ignored env HOME
debug1: Sending env LANG = C.UTF-8
debug2: channel 0: request env confirm 0
debug3: send packet: type 98
debug3: Ignored env WSL_INTEROP
debug3: Ignored env LS_COLORS
debug3: Ignored env WAYLAND_DISPLAY
debug3: Ignored env SDKMAN_VERSION
debug3: Ignored env LESSCLOSE
debug3: Ignored env TERM
debug3: Ignored env LESSOPEN
debug3: Ignored env USER
debug3: Ignored env SDKMAN_DIR
debug3: Ignored env DISPLAY
debug3: Ignored env SHLVL
debug3: Ignored env SDKMAN_CANDIDATES_API
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env WSLENV
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env PATH
debug3: Ignored env SDKMAN_PLATFORM
debug3: Ignored env HOSTTYPE
debug3: Ignored env PULSE_SERVER
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Weevil answered 24/6, 2022 at 12:5 Comment(0)
O
15

Your OpenSSH ssh connection is using rsa-sha2-512 key signature. While that does not prove that your server requires it, it's quite probable that it does.


JSch does not support rsa-sha2. And as JSch seems not to be updated anymore, it quite likely never will.

There's a fork of JSch that does though:
https://github.com/mwiede/jsch
At least test it, to verify that this is indeed the issue.


Another (less secure obviously) option is to reconfigure the server not to require the rsa-sha2 by adding deprecated ssh-rsa to PubkeyAcceptedAlgorithms.


Others might be getting the same error for different reasons. For example, when expecting the JSch to automatically pickup the default OpenSSH keys:
Getting "com.jcraft.jsch.JSchException: Auth fail" – but "ssh" can login using public key authentication

Opalina answered 27/6, 2022 at 11:26 Comment(1)
For everyone stumbling on this when using [Jenkins SSH plugin][1]: 1. you can download the replacement library from repo1.maven.org/maven2/com/github/mwiede/jsch/0.2.7/… 2. replace the old library in the Docker container at /var/jenkins_home/plugins/jsch/WEB-INF/lib/jsch-0.1.55.jar as an example: docker cp jsch-0.2.7.jar e6cd5d7516cd:/var/jenkins_home/plugins/jsch/WEB-INF/lib/jsch-0.1.55.jar It cannot be done at Docker build time since /var/jenkins_home/ it's usually mounted as a persistent volume. [1]: plugins.jenkins.io/sshShantel
W
1

There are a few things that it could be. For example:

  1. Check that the ownership and permissions on /home/username/.ssh and /home/username/.ssh/authorized_keys are correct. Both should be owned by username and should not group or world writeable. The sshd on many systems will not allow login if the account is improperly secured.

  2. Check that the authorized_keys file isn't mangled; e.g. newlines in the wrong place.

  3. Check that you are starting the session with the correct host with the correct username.

  4. Check on the server that /home/username matches what /etc/passwd file says is the home directory for username.

  5. Could you have triggered fail2ban or similar with repeated login attempts with incorrect credentials.


If it is none of the above

  1. Look at the Jcsh log file. Compare it with what happens when you connect by hand using ssh -vvv.

  2. Look in the server-side security log file to see if it tells you why sshd refused the login.

  3. Temporarily run sshd with full debugging enabled, and look for clues in the logs.

Wyly answered 24/6, 2022 at 13:51 Comment(3)
OP wrote that "Test connection in the terminal: ssh -i /path/to/id_rsa [email protected] - works fine"Opalina
Even so. I have seen far too many questions where someone says "x worked fine" ... and they go back and check ... and it doesn't anymore, or they were not doing "x" but "y", or something. My advice: Check it again!Wyly
It is also possible that in "sanitizing" the problem for posting the problem on StackOverflow, the OP has accidentally obscured the real cause; e.g. typos in the user name, hostname, etc. That also happens ...Wyly

© 2022 - 2024 — McMap. All rights reserved.