Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Public RSA-key of host is not verified

See original GitHub issue

I’m new to sshj and I try to solve the following problem of verifying the identity of the host to connect to. The host is an SSH server that only provides its public key using the ssh-rsa host key algorithm (and not the ssh-ed25519 algorithm, too).

I use the following code to do the verification:

PublicKey publicKey = new Buffer.PlainBuffer(Base64.decode(“…”)).readPublicKey(); sshClient.addHostKeyVerifier(SecurityUtils.getFingerprint(publicKey));

whereas “…” contains the public key that can be listed requested from the host using the command ssh-keyscan -t rsa <host>.

The SSHClient uses the default configuration.

If I run this code on my machine (in this case the target host is the localhost), I get the following exception: ERROR n.s.s.t.KeyExchanger - Disconnecting because none of the configured Host key verifiers ([net.schmizz.sshj.transport.verification.FingerprintVerifier$1@73f0d46f]) could verify ‘ssh-ed25519’ host key with fingerprint ca:5f:e9:2b:79:58:5c:0e:a5:b3:28:b5:51:9a:54:d2 for localhost:22 ERROR n.s.s.t.TransportImpl - Dying because - Could not verify ssh-ed25519 host key with fingerprint ... for localhost on port 22 net.schmizz.sshj.transport.TransportException: Could not verify ssh-ed25519 host key with fingerprint ... for localhost on port 22 at net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:211) at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:365) at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:503) at net.schmizz.sshj.transport.Decoder.decodeMte(Decoder.java:159) at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:79) at net.schmizz.sshj.transport.Decoder.received(Decoder.java:231) at net.schmizz.sshj.transport.Reader.run(Reader.java:59) ERROR n.s.c.Promise - <<kex done>> woke to: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify ssh-ed25519 host key with fingerprint ... for localhost on port 22

I wonder why sshj still wants to use ssh-ed25519 for verification as the method KeyType.fromKey(publicKey) prints ssh-rsa.

I know that I can use sshClient.addHostKeyVerifier(new PromiscuousVerifier()); to circumvent the problem, but that is not the solution I’m looking for.

So the question is how I can verify the host key if I only have an RSA ciphered public key of the host?

I found out, that if I use an explicit DefaultConfiguation like this: DefaultConfig defaultConfig = new DefaultConfig(); defaultConfig.setSignatureFactories(new SignatureRSA.Factory()); and pass this to the constructor of the SSHClient the exception disappears.

I do not understand why the default configuration which consists of several preregistered signature factories (and the factory above is already present) will not work as expected. I suppose that all registered signature factories are used to verify the hosts public key. To me this looks like an error.

BTW: I’m using version 0.27.0 of sshj.

Kind regards, Marcus

Issue Analytics

  • State:open
  • Created 4 years ago
  • Reactions:5
  • Comments:9 (1 by maintainers)

github_iconTop GitHub Comments

1reaction
nicofabrecommented, Feb 25, 2021

Thank you @oakkitten for the explanations. It allowed me to limit to RSA and now it works.

    DefaultConfig conf = new DefaultConfig();
    conf.setSignatureFactories(new SignatureRSA.Factory());
    SSHClient ssh = new SSHClient(conf);
0reactions
WorkDayHeyHeycommented, Aug 10, 2021

This is makes it very hard to imagine using SSHJ in production. It seems the above solution is OBE, there is no DefaultConfig.setSignatureFactories now.

By looping threw making each type of key the first choice, I am able to connect to all the hosts I have tried so far. You have to do extra work to keep SSHJ from killing your thread.

This is in Scala, I’m sure you can figure out how to do the same in java.

Logging is LOUD! There are a lot of messages generated doing this, so logback.xml is worth while, even then some are ERRORs.

 val algs: List[Factory.Named[KeyAlgorithm]] = List(
    KeyAlgorithms.ECDSASHANistp256(),
    KeyAlgorithms.ECDSASHANistp521(),
    KeyAlgorithms.ECDSASHANistp384(),
    KeyAlgorithms.SSHRSA(),
    KeyAlgorithms.RSASHA256(),
    KeyAlgorithms.RSASHA512(),
    KeyAlgorithms.EdDSA25519(),
    KeyAlgorithms.SSHRSACertV01(),
    KeyAlgorithms.SSHDSSCertV01(),
    KeyAlgorithms.SSHDSA()
  )

  /**
   *
   * @param hostname -- host to connect to
   * @return -- The authenticated SSHClient or None if no authentication succeeds
   */
  def makeConnection(hostname: String, user: String): Option[SSHClient] = {
    var result: Option[SSHClient] = None
    for {alg <- algs if result.isEmpty} {
      val test = new Thread(() => {
        try {
          val conf = new DefaultConfig
          conf.setKeyAlgorithms(List(alg).asJava)
          val ssh = new SSHClient(conf)
          ssh.loadKnownHosts()
          ssh.connect(hostname)
          ssh.authPublickey(user)
          if (ssh.isAuthenticated) {
            result = Some(ssh)
          }
        } catch {
          case tx: TransportException if tx.getDisconnectReason != DisconnectReason.HOST_KEY_NOT_VERIFIABLE =>
            throw tx
        }
      })
      test.start()
      test.join()
    }
    result
  }
Read more comments on GitHub >

github_iconTop Results From Across the Web

How to fix 'Host key verification failed' SSH Error
This error occurs when the target server you are trying to SSH into has been rebuilt or had it's RSA key changed since...
Read more >
Verify the server using the public RSA key - ssh - Stack Overflow
I have the RSA version 2 public key from the server I want to connect to. Where do I save this key so...
Read more >
SSH connection problem with "Host key verification failed ...
"Host key verification failed" means that the host key of the remote host was changed. SSH stores the host keys of the remote...
Read more >
How to fix 'Host key verification failed' SSH Error
The RSA key on the Openbridge Server was changed and your SSH client is ... to the same server, the SSH connection will...
Read more >
How do I validate an RSA SSH public key file (id_rsa.pub)?
... Dennis Kaarsemaker (RSA) dennis@lightning:~$ ssh-keygen -l -f foo.txt foo.txt is not a public key file.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Sending data to stdin of remote process - closing has no effect ->remote process waits indefinitely

Next page

Another Exhausted available authentication methods