java logging ssh

JSch SSH Authentication Failure with Private Key (Auth fail error)


JSch Log [level 1]: Connecting to 10.***.150 port 22
JSch Log [level 1]: Connection established
JSch Log [level 1]: Remote version string: SSH-2.0-OpenSSH_8.7
JSch Log [level 1]: Local version string: SSH-2.0-JSCH-0.1.54
JSch Log [level 1]: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
JSch Log [level 1]: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
JSch Log [level 1]: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
JSch Log [level 1]: SSH_MSG_KEXINIT sent
JSch Log [level 1]: SSH_MSG_KEXINIT received
JSch Log [level 1]: kex: server: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
JSch Log [level 1]: kex: server: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
JSch Log [level 1]: kex: server: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
JSch Log [level 1]: kex: server: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
JSch Log [level 1]: kex: server: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
JSch Log [level 1]: kex: server: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
JSch Log [level 1]: kex: server: none,zlib@openssh.com
JSch Log [level 1]: kex: server: none,zlib@openssh.com
JSch Log [level 1]: kex: server: 
JSch Log [level 1]: kex: server: 
JSch Log [level 1]: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
JSch Log [level 1]: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
JSch Log [level 1]: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
JSch Log [level 1]: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
JSch Log [level 1]: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
JSch Log [level 1]: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
JSch Log [level 1]: kex: client: none
JSch Log [level 1]: kex: client: none
JSch Log [level 1]: kex: server->client aes128-ctr hmac-sha1 none
JSch Log [level 1]: kex: client->server aes128-ctr hmac-sha1 none
JSch Log [level 1]: SSH_MSG_KEX_ECDH_INIT sent
JSch Log [level 1]: expecting SSH_MSG_KEX_ECDH_REPLY
JSch Log [level 2]: Permanently added '10.***.150' (ECDSA) to the list of known hosts.
JSch Log [level 1]: SSH_MSG_NEWKEYS sent
JSch Log [level 1]: SSH_MSG_NEWKEYS received
JSch Log [level 1]: SSH_MSG_SERVICE_REQUEST sent
JSch Log [level 1]: SSH_MSG_SERVICE_ACCEPT received
JSch Log [level 1]: Authentications that can continue: gssapi-with-mic,publickey,keyboard-interactive,password
JSch Log [level 1]: Next authentication method: gssapi-with-mic
JSch Log [level 1]: Authentications that can continue: publickey,keyboard-interactive,password
JSch Log [level 1]: Next authentication method: publickey
JSch Log [level 1]: Authentications that can continue: password
JSch Log [level 1]: Next authentication method: password
JSch Log [level 1]: Disconnecting from 10.***.150 port 22
com.jcraft.jsch.JSchException: Auth fail

    String privateKey = "-----BEGIN RSA PRIVATE KEY----- .......-----END RSA PRIVATE KEY-----";
    byte[] privateKeyBytes = privateKey.getBytes(StandardCharsets.UTF_8);

    jsch.addIdentity("id_rsa", privateKeyBytes, null, null); // no passphrase

    JSch.setLogger(new Logger() {
        public boolean isEnabled(int level) {
            return level <= 3; // logs DEBUG (0) through ERROR (3); lower numbers are more verbose
        }
        public void log(int level, String message) {
            System.out.println("JSch Log [level " + level + "]: " + message);
        }
    });

    session = jsch.getSession(user, host, 22);
    // "no" disables host key verification: any server key is accepted and added to known hosts
    session.setConfig("StrictHostKeyChecking", "no");
    session.setConfig("LogLevel", "DEBUG");
    session.connect();
    System.out.println("Connected to the server!");

    ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
    sftp.connect();
    sftp.disconnect();

What I’ve Done

Converted .ppk to OpenSSH format using PuTTYgen.

Copied the public key to the server’s ~/.ssh/authorized_keys.

Set correct permissions on ~/.ssh and authorized_keys.

Embedded the private key as a string in Java and loaded it using jsch.addIdentity(...).

Verified there’s no passphrase.

Enabled detailed logging in JSch.

Why is JSch failing public key authentication even though the key format and authorized_keys setup seem correct? What else should I check or correct?
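
Added example (not part of the original question, and not JSch code): a Python script that reads the `kex: server:` / `kex: client:` lines of a JSch log like the one above, reproduces the algorithm choice, and flags the case where the client offers only `ssh-rsa` for RSA while the server lists only `rsa-sha2-*`. The function names and the abridged sample log are constructed for illustration, and the negotiation rule is simplified to "first client preference that the server also lists".

```python
import re

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1);
# JSch prints one "kex: server:" / "kex: client:" line per list, in this order.
SLOTS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
         "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
LINE = re.compile(r"kex: (server|client): ?(.*)$")

# Constructed sample: abridged from the log in the question (first three lists per side).
SAMPLE_LOG = """\
JSch Log [level 1]: kex: server: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
JSch Log [level 1]: kex: server: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
JSch Log [level 1]: kex: server: aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
JSch Log [level 1]: kex: client: ecdh-sha2-nistp256,diffie-hellman-group14-sha1
JSch Log [level 1]: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
JSch Log [level 1]: kex: client: aes128-ctr,aes128-cbc,3des-ctr
JSch Log [level 1]: kex: server->client aes128-ctr hmac-sha1 none
"""

def parse_proposals(log_text):
    """Return {'server': {slot: [algs]}, 'client': {slot: [algs]}}."""
    seen = {"server": [], "client": []}
    for line in log_text.splitlines():
        m = LINE.search(line)  # "kex: server->client ..." lines do not match
        if m:
            seen[m.group(1)].append([a for a in m.group(2).strip().split(",") if a])
    return {side: dict(zip(SLOTS, lists)) for side, lists in seen.items()}

def negotiate(proposals):
    """Simplified rule: first client preference that the server also lists."""
    client, server = proposals["client"], proposals["server"]
    return {slot: next((a for a in client[slot] if a in server[slot]), None)
            for slot in SLOTS if slot in client and slot in server}

def rsa_signature_gap(proposals):
    """True if the client lists only SHA-1 RSA (ssh-rsa) and the server only rsa-sha2-*."""
    client = proposals["client"].get("host_key", [])
    server = proposals["server"].get("host_key", [])
    client_sha2 = any(a.startswith("rsa-sha2-") for a in client)
    server_sha2 = any(a.startswith("rsa-sha2-") for a in server)
    return ("ssh-rsa" in client and not client_sha2
            and server_sha2 and "ssh-rsa" not in server)

if __name__ == "__main__":
    props = parse_proposals(SAMPLE_LOG)
    print(negotiate(props))
    print("RSA signature gap:", rsa_signature_gap(props))
```

A `True` result is a hint rather than proof: these lists describe host key algorithms, while the algorithms a server accepts for user keys are configured separately (OpenSSH's `PubkeyAcceptedAlgorithms`), so confirm against the sshd log on the server.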


Solution

  • Solution for SSH Authentication Failure Using JSch and Alternative with Apache Mina SSHD

    Reference link: https://www.javacodegeeks.com/show-every-file-on-a-remote-server-in-java.html

    After trying different solutions and approaches, I shifted to using Apache Mina SSHD as an alternative to JSch. The Mina SSHD library provided a more reliable way to handle private key-based authentication and SFTP operations.

    URL url = AccessUtil.class.getResource("/templates/Key/id_rsa");
    if (url == null) {
        throw new IllegalArgumentException("Private key file not found in resources.");
    }

    Path privateKeyPath;
    try {
        privateKeyPath = Paths.get(url.toURI());
    } catch (URISyntaxException e1) {
        // Stop here instead of continuing with a null key path
        throw new IllegalStateException("Invalid private key resource URI", e1);
    }

    try (SshClient client = SshClient.setUpDefaultClient()) {
        // Accepts any server host key without verification
        client.setServerKeyVerifier(AcceptAllServerKeyVerifier.INSTANCE);
        client.start();

        try (ClientSession session = client.connect("username", "hostname", 22).verify().getSession()) {
            // Load the key pair(s) from the private key file and offer them for publickey auth
            FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(Collections.singletonList(privateKeyPath));
            Iterable<KeyPair> keyPairs = fileKeyPairProvider.loadKeys(null);
            for (KeyPair keyPair : keyPairs) {
                session.addPublicKeyIdentity(keyPair);
            }

            session.auth().verify();

            // SFTP client, closed automatically when the block exits
            SftpClientFactory factory = SftpClientFactory.instance();
            try (SftpClient sftpClient = factory.createSftpClient(session)) {
                listFiles(sftpClient, "/path/to/directory"); // listFiles is a helper not shown in this post
            }
        }

        client.stop();
    } catch (IOException e) {
        e.printStackTrace();
    }