With JSch I'm calling addIdentity() to add a private key and getSession() to open an SSH tunnel.
When running this code locally on my Windows machine the opening of the tunnel is working.
However when running that same code with the same private key on our CI the following error occurs:
2016-12-07 01:01:32 ERROR SSHConnector:25 - invalid privatekey: [B@4bb4de6a
com.jcraft.jsch.JSchException: invalid privatekey: [B@4bb4de6a
at com.jcraft.jsch.KeyPair.load(KeyPair.java:747)
at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:408)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:389)
The private key looks something like this:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
XXXXXXXXXXXXXXXXXXX
Private-Lines: 14
XXXXXXXXXXXXXXXXXX
Private-MAC: XXXXXXXXXXXXXXXX
What could be the error here?
My problem was solved by using a pem file instead of ppk.
The pem file is in the OpenSSH format that the com.jcraft.jsch.JSch jar requires.
My educated guess is that JSch does not support PuTTY key format, but rather standard PEM or OpenSSH format. You can convert the PPK to PEM in the PuTTYgen and it should solve your problems.
I am trying to install HBase on servers A and B (Ubuntu 18.04).
For that I am using CDM (CDM 6.3.1~1466458.ubuntu1804), installed on server A, to handle the installation of HBASE on servers A and B.
But I have a problem during the step "Install Agents": the wizard displays the following error message: "Exhausted available authentication methods".
I have found some posts on the Cloudera forum which talk about adding NOPASSWD to the sudoers file of server B, but in my case I have already established an SSH connection from server A to server B on the command line and run a sudo command without any password, so I suppose my servers were correctly configured.
To be precise, I am trying to connect my servers using a private key; I generated a key pair on server A with the following command:
ssh-keygen -t rsa
After that I added the content of the generated file .ssh/id_rsa.pub to the .ssh/authorized_keys file of server B. After a retry I obtained the same result.
I found this trace in the log file:
2020-01-02 09:48:39,559 WARN NodeConfiguratorThread-22-0:com.cloudera.server.cmf.node.NodeConfigurator: Could not authenticate to SERVER_B
net.schmizz.sshj.userauth.UserAuthException: Exhausted available authentication methods
at net.schmizz.sshj.SSHClient.auth(SSHClient.java:232)
at net.schmizz.sshj.SSHClient.auth(SSHClient.java:208)
at com.cloudera.server.cmf.node.NodeConfigurator.connect(NodeConfigurator.java:416)
at com.cloudera.server.cmf.node.NodeConfigurator.configure(NodeConfigurator.java:1028)
at com.cloudera.server.cmf.node.NodeConfigurator.run(NodeConfigurator.java:1106)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: net.schmizz.sshj.userauth.UserAuthException: Problem getting public key from PKCS8KeyFile{resource=[PrivateKeyStringResource]}
at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:46)
at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:62)
at net.schmizz.sshj.userauth.method.AuthPublickey.buildReq(AuthPublickey.java:81)
at net.schmizz.sshj.userauth.method.AbstractAuthMethod.request(AbstractAuthMethod.java:63)
at net.schmizz.sshj.userauth.UserAuthImpl.authenticate(UserAuthImpl.java:68)
at net.schmizz.sshj.SSHClient.auth(SSHClient.java:226)
... 9 more
Caused by: java.io.IOException: unrecognised object: OPENSSH PRIVATE KEY
at org.bouncycastle.openssl.PEMParser.readObject(Unknown Source)
at net.schmizz.sshj.userauth.keyprovider.PKCS8KeyFile.readKeyPair(PKCS8KeyFile.java:132)
at net.schmizz.sshj.userauth.keyprovider.PKCS8KeyFile.getPublic(PKCS8KeyFile.java:78)
at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putPubKey(KeyedAuthMethod.java:44)
... 14 more
Does anyone have an idea to help me?
I hit this exact same issue, and it turns out ssh-keygen creates a private key file with BEGIN OPENSSH PRIVATE KEY that the Java libraries Cloudera uses don't know how to parse. You can instead use openssl with a command like:
openssl genrsa -out mykey.pem 1024
Unlike ssh-keygen, that won't give you the public key you need, and the built-in openssl commands to get a public key from a private key aren't in a format Cloudera accepts. For that, you can use ssh-keygen like so:
ssh-keygen -y -f mykey.pem > mykey.pub
So I have found the origin of the problem. I need to add the pub key from server A on server B, but I also need to add it from server B to server A. That's all.
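Both threads above fail because the library is handed a private key in a container it does not parse (a PuTTY .ppk for JSch, BEGIN OPENSSH PRIVATE KEY for the sshj/BouncyCastle stack). The shell functions below are an added example, not code from either post: they classify a key file by its first line only, and the function names and labels are made up here.

```sh
#!/bin/sh
# Added example (not from the posts): identify a key file's container
# format from its first line, without parsing or printing key material.

ssh_key_format() {
    # $1 = path to a key file. Prints one label; returns 1 if unusable.
    [ -s "$1" ] || { echo "empty-or-missing"; return 1; }
    first=$(head -n 1 "$1" | tr -d '\r')    # tolerate CRLF from Windows
    case "$first" in
        "PuTTY-User-Key-File-"*)                  echo "putty-ppk" ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")    echo "openssh-new" ;;
        "-----BEGIN RSA PRIVATE KEY-----")        echo "pem-rsa" ;;
        "-----BEGIN EC PRIVATE KEY-----")         echo "pem-ec" ;;
        "-----BEGIN PRIVATE KEY-----")            echo "pkcs8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")  echo "pkcs8-encrypted" ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*)   echo "public-key" ;;
        *)                                        echo "unknown"; return 1 ;;
    esac
}

ssh_key_advice() {
    # $1 = path. Maps the detected format to the fix given in the answers.
    fmt=$(ssh_key_format "$1") || true
    case "$fmt" in
        putty-ppk)   echo "convert: puttygen \"$1\" -O private-openssh -o key.pem" ;;
        openssh-new) echo "on a copy (rewrites in place): ssh-keygen -p -m PEM -f \"$1\"" ;;
        pem-rsa)     echo "ok: traditional PEM RSA key" ;;
        public-key)  echo "public key: pass the matching private key file instead" ;;
        *)           echo "no advice for format: $fmt" ;;
    esac
}
```

Run `ssh_key_advice path/to/key` on the CI host as well as locally, since the two environments may not be reading the same file.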
Sort of stuck on the above. Although I see there are questions asked on the same topic, and I have tried them, still no resort.
Stack I'm using -> Mac (Mojave), IntelliJ, JDK 8; generated the key using puttygen on the Mac itself and it looks like this. This is only for my local Spring Boot config server.
I have tried 2 ways:
spring.cloud.config.server.git.private-key=-----BEGIN RSA PRIVATE KEY-----\n
MIIEowIBAAKCAQEAssBl7ZADFHBZrSnDPVhClH9HFzCaEPKEaO3MX7H5uBMTEL59\n
CLRguWdCQJnvv2L6vSLyBb9ds05DHEzE2OqkU5VzYX4CCrU7t1ktZmy3cwyNc0g0\n
ijJMInd47KG57Pi6nzpN/bVsLNiwRO3PZ7wUxgeQT6vh5euhBbTlvrFRbNMZm0Rf\n
....
..
,,,
F5vNwcngKk/tFFwX2XooikGliOCxHU66/KOckbNXqOaLBc+QlNsB\n
-----END RSA PRIVATE KEY-----
gives error:
APPLICATION FAILED TO START
Description:
Binding to target org.springframework.boot.context.properties.bind.BindException: Failed to bind properties under 'spring.cloud.config.server.git' to org.springframework.cloud.config.server.environment.MultipleJGitEnvironmentProperties failed:
Reason: Property 'spring.cloud.config.server.git.privateKey' is not a valid private key
2) spring.cloud.config.server.git.private-key=~/.ssh/temp/id_rsa
spring.cloud.config.server.git.ignore-local-ssh-settings=true
and still get the same error as I shared above.
3) There was an SO question where the solution said that the key might not be created right.
Now I have been using the same key for my normal development; I have been using it fine for a year, have the pub key added to my Bitbucket repo, and it works fine. It's our own repo (not GitHub); I normally work fine with the key in ~/.ssh/id_rsa. So I created an RSA private key from the ~/.ssh/id_rsa file in a temp directory and am using it for the config server app.
4) In the known hosts file there are about 7 entries; 1 of them is the Bitbucket server, and it's ssh-rsa.
I was wondering if there is a step-by-step guide or some sample someone can help me with, please?
Maybe this will help, user 'introtj' commented here https://github.com/spring-cloud/spring-cloud-config/issues/1392 and this helped me.
JGit requires RSA keys in PEM format. Below is an example ssh-keygen (from openssh) command that will generate a key in the correct format:
ssh-keygen -m PEM -t rsa -b 4096
Update 22-Apr-2021
So today I decided to switch from yml to properties and of course had the same error as above. I knew the key was good because it was working fine in the YAML format. After 2 hours of trial and error I managed to get it working:
spring.cloud.config.server.git.private-key= \
-----BEGIN RSA PRIVATE KEY-----\n\
your_key_here_your_key_here_you\n\
your_key_here_your_key_here_you\n\
your_key_here_your_key_here_you\n\
your_key_here_your_key_here_you\n\
your_key_here_your_key_here_you\n\
-----END RSA PRIVATE KEY-----\n
I am using spring boot 2.4.5 and spring cloud 2020.0.02
Let me know if this solution works for you.
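The .properties layout from the update above can be generated from the key file rather than typed by hand. This is an added example, not part of the answer: the function name pem_to_property is made up here, and it only accepts a key that starts with -----BEGIN RSA PRIVATE KEY-----, the format the JGit note asks for.

```sh
#!/bin/sh
# Added example: emit a PEM RSA key as a Java .properties value in
# the "\n\" continuation layout shown in the answer above.

pem_to_property() {
    # $1 = PEM key file, $2 = property name (defaults to the one on this page)
    key=$1
    prop=${2:-spring.cloud.config.server.git.private-key}
    first=$(head -n 1 "$key" | tr -d '\r')
    last=$(grep -v '^[[:space:]]*$' "$key" | tail -n 1 | tr -d '\r')
    [ "$first" = "-----BEGIN RSA PRIVATE KEY-----" ] || {
        echo "refusing: file does not start with a PEM RSA header" >&2
        return 1
    }
    [ "$last" = "-----END RSA PRIVATE KEY-----" ] || {
        echo "refusing: key is truncated or has trailing data" >&2
        return 1
    }
    printf '%s=\\\n' "$prop"                        # name=\  then continuation
    tr -d '\r' < "$key" | awk '
        NF == 0 { next }                            # drop blank lines
        have    { printf "%s\\n\\\n", prev }        # body line:  text\n\
                { prev = $0; have = 1 }
        END     { if (have) printf "%s\\n\n", prev }    # last line: text\n
    '
}
```

The output is the key itself, so redirect it straight into the target file instead of a terminal or build log.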
Just add |
spring.cloud.config.server.git.private-key= |
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA3Tz2mr7SZiAMfQyuvBjM9Oi..
RK+Lh9x5eJPo5CAZ3/ANBE0sTK0ZsDGMak2m1g7..
wnLe4nOb7/eEJbDPkk05ShhBrJGBKKxb8n104o/..
5A13wiLitEO7nco2WfyYkQzaxCw0AwzlkVHiIyC..
-----END RSA PRIVATE KEY-----
I'm trying to make a connection via SSH from Windows to a Unix server.
My goal is to have it in my Java app so I can run commands without inputting passwords on each connect.
Right now I'm trying to understand what I'm doing wrong with keys.
I generated a key in Tectia and uploaded it to server;
I can see it in .ssh as 2798 Apr 17 10:56 authorized_keys
my connection setup looks like this
...
JSch jsch = new JSch();
jsch.setKnownHosts("~/.ssh/know_hosts");
jsch.addIdentity("~/.ssh/authorized_keys");
System.out.println("identity added ");
Session session=jsch.getSession(user, host, 22);
session.setConfig("PreferredAuthentications", "publickey");
System.out.println("session created.");
session.connect();
System.out.println("Connected");
....
and as a result of this i'm getting this error
com.jcraft.jsch.JSchException: java.io.FileNotFoundException:
C:\Users\User\ .ssh\authorized_keys (The system cannot find the path
specified)
It's looking for the key on my local computer and not connecting to the server.
What am I doing wrong with these keys?
The argument to addIdentity is a local path to your private key.
Instead, you are giving it a path to a file that:
Would contain a public key;
Does not exist locally anyway.
Can someone help me to understand this error? Is it due to some configuration problem? Or is it because the permissions are not properly set?
[xyz@tatlo .globus]$ voms-proxy-init
Credentials couldn't be loaded
[/mnt/t3nfs01/data01/shome/xyz/.globus/userkey.pem,
/mnt/t3nfs01/data01/shome/xyz/.globus/usercert.pem]:
Can not load the PEM private key: java.io.IOException:
Can not load the PEM private key: no input data (empty source?)
No credentials found!
[xyz@tatlo .globus]$ ls
mycert.p12 usercert.pem userkey.pem
I hope you have configured VOMS server endpoints properly. Also, check if the credentials are in the correct directory.
They should generally go into $HOME/.globus directory. Certificates encoded in PKCS12 and PEM formats are correctly handled by the VOMS clients.
The default path for looking up PKCS12 credentials is:
$HOME/.globus/usercred.p12
Also, check the permissions set on the formats if not set accordingly.
Permissions on $HOME/.globus/usercred.p12 must be 600.
For PEM credentials the following paths are used:
$HOME/.globus/usercert.pem (certificate)
$HOME/.globus/userkey.pem (private key)
Permissions on the pem files must be:
644 for $HOME/.globus/usercert.pem
400 for $HOME/.globus/userkey.pem
In case both the PEM and PKCS12 formats are present, PEM takes precedence.
Refer link for more guidelines.
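The checks listed in this answer (file present, expected mode) plus a non-empty test can be run before voms-proxy-init; the "no input data (empty source?)" message in the question suggests an empty userkey.pem. This is an added example, not from the answer or the VOMS clients: the function names are made up here, and `stat -c %a` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: pre-flight check of the PEM credential files.

check_cred_file() {
    # $1 = path, $2 = required octal mode (e.g. 400)
    [ -e "$1" ] || { echo "missing"; return 1; }
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    [ -s "$1" ] || { echo "empty"; return 1; }
    grep -q -e '-----BEGIN ' "$1" || { echo "no-pem-header"; return 1; }
    mode=$(stat -c %a "$1")                 # GNU stat: octal permission bits
    [ "$mode" = "$2" ] || { echo "mode-$mode-expected-$2"; return 1; }
    echo "ok"
}

check_globus_dir() {
    # $1 = credential directory (default $HOME/.globus)
    dir=${1:-$HOME/.globus}
    rc=0
    # file:mode pairs as given in the answer above
    for spec in usercert.pem:644 userkey.pem:400; do
        name=${spec%%:*}
        want=${spec#*:}
        res=$(check_cred_file "$dir/$name" "$want") || rc=1
        echo "$name: $res"
    done
    return $rc
}
```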
There are two questions about this exception already:
JSchException: UnknownHostKey and
com.jcraft.jsch.JSchException: UnknownHostKey
I am using a Windows machine and trying to connect to a VM created with Vagrant running Ubuntu. Here is my code:
public static void main(String[] args) {
String host = "localhost";
String username = "vagrant";
int port = 2200;
String privateKey = "C:\\keys\\openSSH_pair1\\open_ssh_private";
JSch js = new JSch();
try {
js.addIdentity(privateKey, "pass");
js.setKnownHosts("C:\\Users\\user\\.ssh\\known_hosts");
Session session = js.getSession(username, host, port);
session.connect();
System.out.println("Connected");
} catch (JSchException e) {
e.printStackTrace();
}
}
@Pascal suggests setting strictHostKeyChecking to no, which works for me, but this is not the preferred solution. His preferred solution is to SSH from the command line so that the host will be added to the known_hosts file. I have Git installed and executed ssh -i openSSH_pair1\open_ssh_private vagrant@localhost -p 2200
and received this output before being prompted for the pass phrase and establishing a connection
The authenticity of host '[localhost]:2200 ([127.0.0.1]:2200)' can't
be established. ECDSA key fingerprint is
11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5. Are you sure you want
to continue connecting (yes/no)? yes Warning: Permanently added
'[localhost]:2200' (ECDSA) to the list of known hosts.
So now my known_hosts file in git_home\.ssh contains an entry for localhost:2200, I also placed the known_hosts file into user_home\.ssh. I also put my private key on the VM I'm trying to ssh into and ran this to generate a public key and add it to the authorized_keys
ssh-keygen -y -f open_ssh_private > open_ssh_gen.pub
cat open_ssh_gen.pub >> ~/.ssh/authorized_keys
However I still get this exception
com.jcraft.jsch.JSchException: UnknownHostKey: localhost. RSA key fingerprint is 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3
at com.jcraft.jsch.Session.checkHost(Session.java:797)
at com.jcraft.jsch.Session.connect(Session.java:342)
at com.jcraft.jsch.Session.connect(Session.java:183)
at connect.Main.main(Main.java:24)
The answer to the other question suggests adding the below which doesn't work for me either
js.setKnownHosts("C:\\Users\\user\\.ssh\\known_hosts");
The problem is that you have added ECDSA host key to the known_hosts, as the ssh prefers that key type:
ECDSA key fingerprint is 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5.
But JSch prefers RSA key, which it won't find in the known_hosts:
RSA key fingerprint is 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3
You probably need JCE to enable ECDSA in JSch.
See JSch Algorithm negotiation fail.
Or make ssh use RSA key with -o HostKeyAlgorithms=ssh-rsa.
See How can I force SSH to give an RSA key instead of ECDSA?
You can also use ssh-keyscan:
ssh-keyscan -t rsa example.com
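To see the mismatch this answer describes, list which host key types known_hosts actually holds for the host and port the client connects to. This is an added example, not from the answer: the function names are made up here, and hashed (|1|...) host names are not matched.

```sh
#!/bin/sh
# Added example: report the key types stored in known_hosts for one host.

known_host_key_types() {
    # $1 = known_hosts file, $2 = host, $3 = port (default 22)
    file=$1; host=$2; port=${3:-22}
    # OpenSSH writes non-default ports as [host]:port
    if [ "$port" = "22" ]; then pat=$host; else pat="[$host]:$port"; fi
    awk -v pat="$pat" '
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1            # skip @cert-authority/@revoked
            n = split($f, names, ",")          # host field may list aliases
            for (i = 1; i <= n; i++)
                if (names[i] == pat) { print $(f + 1); break }
        }
    ' "$file" | sort -u
}

has_host_key_type() {
    # $1 = file, $2 = host, $3 = port, $4 = key type, e.g. ssh-rsa
    known_host_key_types "$1" "$2" "$3" | grep -qx -e "$4"
}

host_key_report() {
    # Says whether a client that asks for key type $4 will find an entry.
    if has_host_key_type "$1" "$2" "$3" "$4"; then
        echo "found $4 entry for $2:$3"
    else
        present=$(known_host_key_types "$1" "$2" "$3" | tr '\n' ' ')
        echo "no $4 entry for $2:$3; present: ${present:-none}"
        return 1
    fi
}
```

For the question above, `host_key_report known_hosts localhost 2200 ssh-rsa` would report only the ECDSA entry that the command-line ssh session added.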