sshj: Version 0.33.0+ fails authentication using RSA unencrypted private key
When using a RSA unencrypted private key (no passphrase), version 0.32.0 works fine but on version 0.33.0 onwards fails authenticating. Also I tested with an SFTP server that uses ssh-dss host algorithm.
Sample code:
var sshClient = new SSHClient();
// also tested loading known hosts and keeps failing
sshClient.addHostKeyVerifier(new PromiscuousVerifier());
sshClient.setConnectTimeout(30000);
sshClient.setTimeout(30000);
sshClient.connect("ftpserver");
final var keyProvider = sshClient.loadKeys("/tmp/id_rsa");
sshClient.auth("user", new AuthPublickey(keyProvider));
Trace when failing with version 0.33.0:
2023-03-14 12:52:39,760 INFO [main] net.schmizz.sshj.transport.random.JCERandom: Creating new SecureRandom.
2023-03-14 12:52:39,762 DEBUG [main] net.schmizz.sshj.transport.random.JCERandom: Random creation took 1 ms
2023-03-14 12:52:39,805 DEBUG [main] net.schmizz.sshj.DefaultConfig: Available cipher factories: [chacha20-poly1305@openssh.com, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, blowfish-cbc, blowfish-ctr, cast128-cbc, cast128-ctr, idea-cbc, idea-ctr, serpent128-cbc, serpent128-ctr, serpent192-cbc, serpent192-ctr, serpent256-cbc, serpent256-ctr, 3des-cbc, 3des-ctr, twofish128-cbc, twofish128-ctr, twofish192-cbc, twofish192-ctr, twofish256-cbc, twofish256-ctr, twofish-cbc, arcfour, arcfour128, arcfour256]
2023-03-14 12:52:39,991 INFO [main] net.schmizz.sshj.transport.TransportImpl: Client identity string: SSH-2.0-SSHJ_0.33.0
2023-03-14 12:52:40,159 INFO [main] net.schmizz.sshj.transport.TransportImpl: Server identity string: SSH-2.0-9.99 sshlib
2023-03-14 12:52:40,160 DEBUG [main] net.schmizz.sshj.transport.KeyExchanger: Sending SSH_MSG_KEXINIT
2023-03-14 12:52:40,162 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet KEXINIT
2023-03-14 12:52:40,162 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Received SSH_MSG_KEXINIT
2023-03-14 12:52:40,164 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Negotiated algorithms: [ kex=diffie-hellman-group-exchange-sha256; sig=ssh-dss; c2sCipher=aes128-cbc; s2cCipher=aes128-cbc; c2sMAC=hmac-sha1; s2cMAC=hmac-sha1; c2sComp=none; s2cComp=none; ]
2023-03-14 12:52:40,177 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.kex.AbstractDHGex: Sending KEX_DH_GEX_REQUEST
2023-03-14 12:52:40,519 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet KEXDH_31
2023-03-14 12:52:40,519 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Received kex followup data
2023-03-14 12:52:40,520 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.kex.AbstractDHGex: Got message KEXDH_31
2023-03-14 12:52:40,520 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.kex.AbstractDHGex: Received server p bitlength 2048
2023-03-14 12:52:40,551 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.kex.AbstractDHGex: Sending KEX_DH_GEX_INIT
2023-03-14 12:52:40,724 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet KEX_DH_GEX_REPLY
2023-03-14 12:52:40,725 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Received kex followup data
2023-03-14 12:52:40,725 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.kex.AbstractDHGex: Got message KEX_DH_GEX_REPLY
2023-03-14 12:52:40,778 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Trying to verify host key with net.schmizz.sshj.transport.verification.PromiscuousVerifier@56cb82ac
2023-03-14 12:52:40,779 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Sending SSH_MSG_NEWKEYS
2023-03-14 12:52:40,779 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.Encoder: Encoding packet #3: 15
2023-03-14 12:52:40,779 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.Decoder: Received packet #3: 15
2023-03-14 12:52:40,779 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet NEWKEYS
2023-03-14 12:52:40,779 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.KeyExchanger: Received SSH_MSG_NEWKEYS
2023-03-14 12:52:40,782 DEBUG [main] net.schmizz.sshj.SSHClient: Key exchange took 0.622 seconds
2023-03-14 12:52:40,787 DEBUG [main] net.schmizz.sshj.transport.TransportImpl: Sending SSH_MSG_SERVICE_REQUEST for ssh-userauth
2023-03-14 12:52:41,187 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet SERVICE_ACCEPT
2023-03-14 12:52:41,188 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Setting active service to ssh-userauth
2023-03-14 12:52:41,189 DEBUG [main] net.schmizz.sshj.userauth.UserAuthImpl: Trying `publickey` auth...
2023-03-14 12:52:41,189 DEBUG [main] net.schmizz.sshj.userauth.method.AuthPublickey: Attempting authentication using PKCS5KeyFile{resource=[PrivateKeyFileResource] /tmp/id_rsa}
2023-03-14 12:52:41,477 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet USERAUTH_60
2023-03-14 12:52:41,478 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.UserAuthImpl: Asking `publickey` method to handle USERAUTH_60 packet
2023-03-14 12:52:41,478 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.method.AuthPublickey: Key acceptable, sending signed request
2023-03-14 12:52:41,478 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.method.AuthPublickey: Attempting authentication using PKCS5KeyFile{resource=[PrivateKeyFileResource] /tmp/id_rsa}
2023-03-14 12:52:41,658 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet USERAUTH_FAILURE
2023-03-14 12:52:41,658 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.method.AuthPublickey: Attempting authentication using PKCS5KeyFile{resource=[PrivateKeyFileResource] /tmp/id_rsa}
2023-03-14 12:52:41,829 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet USERAUTH_60
2023-03-14 12:52:41,829 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.UserAuthImpl: Asking `publickey` method to handle USERAUTH_60 packet
2023-03-14 12:52:41,829 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.method.AuthPublickey: Key acceptable, sending signed request
2023-03-14 12:52:41,829 DEBUG [sshj-Reader-ftpserver:22] net.schmizz.sshj.userauth.method.AuthPublickey: Attempting authentication using PKCS5KeyFile{resource=[PrivateKeyFileResource] /tmp/id_rsa}
2023-03-14 12:52:42,017 TRACE [sshj-Reader-ftpserver:22] net.schmizz.sshj.transport.TransportImpl: Received packet USERAUTH_FAILURE
2023-03-14 12:52:42,017 DEBUG [main] net.schmizz.sshj.userauth.UserAuthImpl: `publickey` auth failed
net.schmizz.sshj.userauth.UserAuthException: Exhausted available authentication methods
About this issue
- Original URL
- State: open
- Created a year ago
- Comments: 21 (11 by maintainers)
I can see one issue opened for the same and subsequent comments
https://github.com/hierynomus/sshj/issues/669
https://github.com/hierynomus/sshj/issues/526#issuecomment-895576566
@sergi-mm It sounds like the problem could be similar to issue #789.
If the SSH server is expecting the legacy
ssh-rsaalgorithm, it could be failing due to SSHJ attempting the newer rsa-sha2 algorithms first. This behavior can be changed using the config properties in SSHJ or invokingDefaultConfig.prioritizeSshRsaKeyAlgorithm().