JSch 的公钥身份验证失败，但使用相同的密钥使用 OpenSSH

Question

JSch 的公钥身份验证失败，但使用相同的密钥使用 OpenSSH

kos*_*wag 8 java ssh jsch kotlin private-key

我正在尝试使用 Kotlin + JSch 建立 SSH 连接，但失败并显示

\n

\n
com.jcraft.jsch.jSchException：身份验证失败
\n

\n

采取的步骤：

\n

ssh-keygen -t rsa -m PEM使用（OpenSSH 版本OpenSSH_8.2p1：）生成 SSH 密钥对
将生成的内容追加id_rsa.pub到/home/username/.ssh/authorized_keys服务器上的文件中
在终端中测试连接：ssh -i /path/to/id_rsa username@example.host.com\xe2\x80\x93 工作正常
执行以下 Kotlin 代码：

\n

import com.jcraft.jsch.JSch\n\nconst val USER = "username"\nconst val HOST = "example.host.com"\nconst val IDENTITY = "/path/to/id_rsa"\n\n\nfun main() {\n    val jsch = JSch().apply {\n        addIdentity(IDENTITY)\n        setKnownHosts("/path/to/known_hosts")\n    }\n\n    jsch.getSession(USER, HOST)\n        .connect()\n}\n

Run Code Online (Sandbox Code Playgroud)\n

...失败但有异常：

\n

import com.jcraft.jsch.JSch\n\nconst val USER = "username"\nconst val HOST = "example.host.com"\nconst val IDENTITY = "/path/to/id_rsa"\n\n\nfun main() {\n    val jsch = JSch().apply {\n        addIdentity(IDENTITY)\n        setKnownHosts("/path/to/known_hosts")\n    }\n\n    jsch.getSession(USER, HOST)\n        .connect()\n}\n

Run Code Online (Sandbox Code Playgroud)\n

这里可能有什么问题？

\n

JSch日志输出：

\n

Exception in thread "main" com.jcraft.jsch.JSchException: Auth fail\n    at com.jcraft.jsch.Session.connect(Session.java:519)\n    at com.jcraft.jsch.Session.connect(Session.java:183)\n    at MainKt.main(Main.kt:18)\n    at MainKt.main(Main.kt)\n

Run Code Online (Sandbox Code Playgroud)\n

ssh -vvv输出：

\n

INFO: Connecting to example.host.com port 22\nINFO: Connection established\nINFO: Remote version string: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\nINFO: Local version string: SSH-2.0-JSCH-0.1.54\nINFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256\nINFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521\nINFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\nINFO: SSH_MSG_KEXINIT sent\nINFO: SSH_MSG_KEXINIT received\nINFO: kex: server: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256\nINFO: kex: server: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519\nINFO: kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\nINFO: kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\nINFO: kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\nINFO: kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\nINFO: kex: server: none,zlib@openssh.com\nINFO: kex: server: none,zlib@openssh.com\nINFO: kex: server: \nINFO: kex: server: \nINFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\nINFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\nINFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc\nINFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc\nINFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96\nINFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96\nINFO: kex: client: none\nINFO: kex: client: none\nINFO: kex: client: \nINFO: kex: client: \nINFO: kex: server->client aes128-ctr hmac-sha1 none\nINFO: kex: client->server aes128-ctr hmac-sha1 none\nINFO: SSH_MSG_KEX_ECDH_INIT sent\nINFO: expecting SSH_MSG_KEX_ECDH_REPLY\nINFO: Host \'example.host.com\' is known and matches the ECDSA host key\nINFO: SSH_MSG_NEWKEYS sent\nINFO: SSH_MSG_NEWKEYS received\nINFO: SSH_MSG_SERVICE_REQUEST sent\nINFO: SSH_MSG_SERVICE_ACCEPT received\nINFO: Authentications that can continue: publickey,keyboard-interactive,password\nINFO: Next authentication method: publickey\nINFO: Disconnecting from example.host.com port 22\nException in thread "main" com.jcraft.jsch.JSchException: Auth fail\n    at com.jcraft.jsch.Session.connect(Session.java:519)\n    at com.jcraft.jsch.Session.connect(Session.java:183)\n    at MainKt.main(Main.kt:37)\n    at MainKt.main(Main.kt)\n

Run Code Online (Sandbox Code Playgroud)\n

Answer 1

Mar*_*ryl 15

您的 OpenSSHssh连接正在使用rsa-sha2-512密钥签名。虽然这并不能证明您的服务器需要它，但很可能需要它。

\n

JSch 不支持rsa-sha2. 由于 JSch 似乎不再更新，它很可能永远不会更新。

\n

JSch 的一个分支可以做到这一点：
\n https://github.com/mwiede/jsch
\n至少对其进行测试，以验证这确实是问题所在。

\n

rsa-sha2另一个（显然不太安全）选项是通过将deprecated ssh-rsa添加到来重新配置服务器，使其不再需要PubkeyAcceptedAlgorithms.

\n

其他人可能会因为不同的原因而遇到相同的错误。例如，当期望 JSch 自动获取默认 OpenSSH 密钥时：
\n Getting "com.jcraft.jsch.JSchException: Auth failed" \xe2\x80\x93 but "ssh" can log using public key authentication

\n

对于使用 [Jenkins SSH 插件][1] 时遇到此问题的每个人： 1. 您可以从 https://repo1.maven.org/maven2/com/github/mwiede/jsch/0.2.7/jsch 下载替换库-0.2.7.jar 2. 替换 Docker 容器中的旧库 `/var/jenkins_home/plugins/jsch/WEB-INF/lib/jsch-0.1.55.jar` 例如： `docker cp jsch- 0.2.7.jar e6cd5d7516cd:/var/jenkins_home/plugins/jsch/WEB-INF/lib/jsch-0.1.55.jar` 由于 `/var/jenkins_home/` 通常安装为持久卷。[1]：https://plugins.jenkins.io/ssh/ (3认同)

归档时间：	3 年，7 月前
查看次数：	19604 次
最近记录：	3 年，3 月前