可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
I'm trying to use Jsch to establish an SSH connection in Java. My code produces the following exception:
com.jcraft.jsch.JSchException: UnknownHostKey: mywebsite.com. RSA key fingerprint is 22:fb:ee:fe:18:cd:aa:9a:9c:78:89:9f:b4:78:75:b4
I cannot find how to verify the host key in the Jsch documentation. I have included my code below.
import com.jcraft.jsch.JSch; import com.jcraft.jsch.Session; public class ssh { public static void main(String[] arg) { try { JSch jsch = new JSch(); //create SSH connection String host = "mywebsite.com"; String user = "username"; String password = "123456"; Session session = jsch.getSession(user, host, 22); session.setPassword(password); session.connect(); } catch(Exception e) { System.out.println(e); } } }
回答1:
I would either:
- Try to
ssh from the command line and accept the public key (the host will be added to ~/.ssh/known_hosts and everything should then work fine from Jsch) -OR- Configure JSch to not use "StrictHostKeyChecking" (this introduces insecurities and should only be used for testing purposes), using the following code:
java.util.Properties config = new java.util.Properties(); config.put("StrictHostKeyChecking", "no"); session.setConfig(config);
Option #1 (adding the host to the ~/.ssh/known_hosts file) has my preference.
回答2:
It is a security risk to avoid host key checking.
JSch uses HostKeyRepository interface and its default implementation KnownHosts class to manage this. You can provide an alternate implementation that allows specific keys by implementing HostKeyRepository. Or you could keep the keys that you want to allow in a file in the known_hosts format and call
jsch.setKnownHosts(knownHostsFileName);
Or with a public key String as below.
String knownHostPublicKey = "mysite.com ecdsa-sha2-nistp256 AAAAE............/3vplY"; jsch.setKnownHosts(new ByteArrayInputStream(knownHostPublicKey.getBytes()));
see Javadoc for more details.
This would be a more secure solution.
Jsch is open source and you can download the source from here. In the examples folder, look for KnownHosts.java to know more details.
回答3:
Depending on what program you use for ssh, the way to get the proper key could vary. Putty (popular with Windows) uses their own format for ssh keys. With most variants of Linux and BSD that I've seen, you just have to look in ~/.ssh/known_hosts. I usually ssh from a Linux machine and then copy this file to a Windows machine. Then I use something similar to
jsch.setKnownHosts("C:\\Users\\cabbott\\known_hosts");
Assuming I have placed the file in C:\Users\cabbott on my Windows machine. If you don't have access to a Linux machine, try http://www.cygwin.com/
Maybe someone else can suggest another Windows alternative. I find putty's way of handling SSH keys by storing them in the registry in a non-standard format bothersome to extract.
回答4:
While the question has been answered in general, I've found myself that there's a case when even existing known_hosts entry doesn't help. This happens when an SSH server sends ECDSA fingerprint and as a result, you'll have an entry like this:
|1|+HASH=|HASH= ecdsa-sha2-nistp256 FINGERPRINT=
The problem is that JSch prefers SHA_RSA and while connecting it will try to compare SHA-RSA fingerprint, which will result with error about "unknown host".
To fix this simply run:
$ ssh-keyscan -H -t rsa example.org >> known_hosts
or complain to Jcraft about prefering SHA_RSA instead of using the local HostKeyAlgorithms setting, although they don't seem to be too eager to fix their bugs.
回答5:
Supply the public rsa key of the host :-
String knownHostPublicKey = "mywebsite.com ssh-rsa AAAAB3NzaC1.....XL4Jpmp/"; session.setKnownHosts(new ByteArrayInputStream(knownHostPublicKey.getBytes()));
回答6:
You can also execute the following code. It is tested and working.
import com.jcraft.jsch.Channel; import com.jcraft.jsch.JSch; import com.jcraft.jsch.JSchException; import com.jcraft.jsch.Session; import com.jcraft.jsch.UIKeyboardInteractive; import com.jcraft.jsch.UserInfo; public class SFTPTest { public static void main(String[] args) { JSch jsch = new JSch(); Session session = null; try { session = jsch.getSession("username", "mywebsite.com", 22); //default port is 22 UserInfo ui = new MyUserInfo(); session.setUserInfo(ui); session.setPassword("123456".getBytes()); session.connect(); Channel channel = session.openChannel("sftp"); channel.connect(); System.out.println("Connected"); } catch (JSchException e) { e.printStackTrace(System.out); } catch (Exception e){ e.printStackTrace(System.out); } finally{ session.disconnect(); System.out.println("Disconnected"); } } public static class MyUserInfo implements UserInfo, UIKeyboardInteractive { @Override public String getPassphrase() { return null; } @Override public String getPassword() { return null; } @Override public boolean promptPassphrase(String arg0) { return false; } @Override public boolean promptPassword(String arg0) { return false; } @Override public boolean promptYesNo(String arg0) { return false; } @Override public void showMessage(String arg0) { } @Override public String[] promptKeyboardInteractive(String arg0, String arg1, String arg2, String[] arg3, boolean[] arg4) { return null; } } }
Please substitute the appropriate values.
回答7:
You can also simply do
session.setConfig("StrictHostKeyChecking", "no");
It's not secure and it's a workaround not suitable for live environment as it will disable globally known host keys checking.
回答8:
Just substitute "user", "pass", "SSHD_IP". And create a file called known_hosts.txt with the content of the server's ~/.ssh/known_hosts. You will get a shell.
public class Known_Hosts { public static void main(String[] arg) { try { JSch jsch = new JSch(); jsch.setKnownHosts("known_hosts.txt"); Session session = jsch.getSession("user", "SSHD_IP", 22); session.setPassword("pass"); session.connect(); Channel channel = session.openChannel("shell"); channel.setInputStream(System.in); channel.setOutputStream(System.out); channel.connect(); } catch (Exception e) { System.out.println(e); } } }
回答9:
Has anyone been able to solve this problem? I am using Jscp to scp files using public key authentication (i dont want to use password authentication). Help will be appreciated!!!
This stackoverflow entry is about the host-key checking, and there is no relation to the public key authentication.
As for the public key authentication, try the following sample with your plain(non ciphered) private key,
回答10:
setting known host is better than setting fingure print value.
When you set known host, try to manually ssh (very first time, before application runs) from the box the application runs.
回答11:
JSch jsch = new JSch(); Session session = null; try { session = jsch.getSession("user", "hostname", 22); // default UserInfo ui = new MyUserInfo(); session.setUserInfo(ui); session.setPassword("password".getBytes()); java.util.Properties config = new java.util.Properties(); config.put("StrictHostKeyChecking", "no"); session.setConfig(config); session.connect(); Channel channel = session.openChannel("sftp"); channel.connect(); System.out.println("Connected"); } catch (JSchException e) { e.printStackTrace(System.out); } catch (Exception e) { e.printStackTrace(System.out); } finally { session.disconnect(); System.out.println("Disconnected"); } }
回答12:
I lost a lot of time on this stupid issue, and i think the message is quite right "there is not the host in the file i'm accessing" but you can have more than a know_host file around on your system (as example i'm using mobaXterm and it keep it's own inside the installation directory mounting the home from that root).
If you are experiencing : it's working from command line but not form the application try to access to your remote server with ssh and check with verbose -v option which file is currently used an example following:
ssh -v git@gitlab.com OpenSSH_6.2p2, OpenSSL 1.0.1g 7 Apr 2014 debug1: Reading configuration data /etc/ssh_config debug1: Connecting to gitlab.com [104.210.2.228] port 22. debug1: Connection established. debug1: identity file /home/mobaxterm/.ssh/id_rsa type 1 debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1 debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1 debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1 debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1 debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com zlib@openssh.com debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com zlib@openssh.com debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: RSA b6:03:0e:39:97:9e:d0:e7:24:ce:a3:77:3e:01:42:09 debug1: Host 'gitlab.com' is known and matches the RSA host key. debug1: Found key in /home/mobaxterm/.ssh/known_hosts:19 debug1: ssh_rsa_verify: signature correct
as you can see the key was found in :
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:19
and not in my windows home under C:\Users\my_local_user\.ssh , i simply merged them and aligned for solve the issue.
Hope this help someone in future
