Previously JSch 0.1.48 was working fine but recently it has stopped working and throwing an exception
com.jcraft.jsch.JSchException: Auth fail
at com.jcraft.jsch.Session.connect(Session.java:484)
at com.jcraft.jsch.Session.connect(Session.java:162)
at ftptrial.main.TestTop.main(TestTop.java:52)
When I change the version of JSch to 0.1.49, it works fine. But I am not able to figure out the reason why.
session = jsch.getSession(userName, hostName, portNumber);
session.setPassword(password);
session.connect();
Log for JSch 0.1.48:
INFO: Connecting to abc.defg.com port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-1.82_sshlib GlobalSCAPE
INFO: Local version string: SSH-2.0-JSCH-0.1.48
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1
INFO: diffie-hellman-group14-sha1 is not available.
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: server: ssh-rsa
INFO: kex: server: twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
INFO: kex: server: zlib,none
INFO: kex: server: zlib,none
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
INFO: kex: client: ssh-rsa,ssh-dss
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: kex: server->client aes128-cbc hmac-md5 none
INFO: kex: client->server aes128-cbc hmac-md5 none
INFO: SSH_MSG_KEXDH_INIT sent
INFO: expecting SSH_MSG_KEXDH_REPLY
INFO: ssh_rsa_verify: signature true
WARN: Permanently added 'abc.defg.com' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: keyboard-interactive,password
INFO: Next authentication method: keyboard-interactive
INFO: Authentications that can continue: password
INFO: Next authentication method: password
INFO: Disconnecting from abc.defg.com port 22
com.jcraft.jsch.JSchException: Auth fail
Log for JSch 0.1.54
INFO: Connecting to abc.defg.com port 22
INFO: Connection established
INFO: Remote version string: SSH-2.0-1.82_sshlib GlobalSCAPE
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: diffie-hellman-group14-sha1 is not available.
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: server: ssh-rsa
INFO: kex: server: twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
INFO: kex: server: zlib,none
INFO: kex: server: zlib,none
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: kex: server->client aes128-cbc hmac-md5 none
INFO: kex: client->server aes128-cbc hmac-md5 none
INFO: SSH_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024) sent
INFO: expecting SSH_MSG_KEX_DH_GEX_GROUP
INFO: SSH_MSG_KEX_DH_GEX_INIT sent
INFO: expecting SSH_MSG_KEX_DH_GEX_REPLY
INFO: ssh_rsa_verify: signature true
WARN: Permanently added 'abc.defg.com' (RSA) to the list of known hosts.
INFO: SSH_MSG_NEWKEYS sent
INFO: SSH_MSG_NEWKEYS received
INFO: SSH_MSG_SERVICE_REQUEST sent
INFO: SSH_MSG_SERVICE_ACCEPT received
INFO: Authentications that can continue: publickey,keyboard-interactive,password
INFO: Next authentication method: publickey
INFO: Authentications that can continue: keyboard-interactive,password
INFO: Next authentication method: keyboard-interactive
INFO: Authentication succeeded (keyboard-interactive).
Connection success
Both JSch 0.1.48 and JSch 0.1.49 are 5 years old. Do not use them!
Use the latest version of JSch (0.1.55 as of now).
I cannot explain the difference conclusively without more information, but as 0.1.54 actually successfully uses keyboard interactive authentication (comparing to unsuccessful password authentication in 0.1.48), I'd blame this change in UserAuthKeyboardInteractive.start:
0.1.48:
prompt[0].toLowerCase().startsWith("password:")){
0.1.49:
prompt[0].toLowerCase().indexOf("password:") >= 0){
Your code is actually attempting password authentication. But JSch has a heuristics, that if it gets keyboard interactive authentication prompt for a single password, it will use keyboard interactive authentication, not password authentication.
I'd guess that the prompt coming from your server is like
user password:
So 0.1.48 startsWith check does not capture the prompt, while 0.1.49 and newer indexOf check does.
If you do not want to rely on this heuristics, you should change your code to actually use keyboard interactive authentication.
See https://web.archive.org/web/20241207171838/http://www.jcraft.com/jsch/examples/UserAuthKI.java.html