JSch SFTP security with session.setConfig(“StrictHostKeyChecking”, “no”);

柔情痞子 提交于 2019-12-17 09:57:49

问题


I use JSch with private key to FTP file

  1. jsch.addIdentity(privatekeyfile);
  2. Session session = jsch.getSession( "user", "domain.com" ,22);
  3. session.setConfig("StrictHostKeyChecking", "no");

Line 3 is in question. Without this line, JSch does not work.

My question is: Will line 3 make SFTP transfer insecure?


回答1:


Disabling the StrictHostKeyChecking option will make the connection less secure than having the option enabled, because it will let you connect to remote servers without verifying their SSH host keys. If the option is enabled, you will only be able to connect to servers which keys are known to your SSH client.

You will have to decide what that means for your specific use case - are the servers you are connecting on a private, local network or do you connect over the internet? Is this a testing or production environment?

When in doubt, it is better to err on the side of more security. I would recommend enabling StricktHostKeyChecking and using the setKnownHosts method to provide a file which contains the remote host keys.




回答2:


Yes, it will make the connection (and the transfer) less secure. Particularly, it makes the connection open to Man-in-the-middle attacks.

You should never set the StrictHostKeyChecking to no, unless you do not care about security (such as when connecting within a private network).

It's not true that "Without this line, JSch does not work". You just have to make your code accept the expected server's host key. Either via the setKnownHosts or the setHostKeyRepository methods.

For examples, see How to resolve Java UnknownHostKey, while using JSch SFTP library?


You can read my article on verifying the host key to understand its importance. It's about WinSCP SSH/SFTP client, but it's generally true for any SSH client/library.



来源:https://stackoverflow.com/questions/30178936/jsch-sftp-security-with-session-setconfigstricthostkeychecking-no

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!