Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

I don’t think this is a host key problem anymore. It sounds more like the server rejects the key/passphrase. Does the key have a phrase? If yes, how do you pass it to jsch? If no – does the other side know the correct public key?

 

We typically get these kinds of problems when:

1) The username is wrong

2) The keys do not match at all (wrong private key chosen, wrong public key on server, …) – I usually test this with command line ssh

3) The private key requires a passphrase but none is given due to headless-ness (no UI that asks, and nothing set to get the phrase otherwise)

 

HTH,

Markus

 

From: Isuru Haththotuwa [mailto:isurulucky@xxxxxxxxx]
Sent: Tuesday, 4 December 2012 13:04
To: Duft Markus
Cc: Tomasz Zarna; JGit Developers list
Subject: Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

 

Hi,

Thanks for the suggestion, tried it out. But I still get the 'Auth fail' error:

org.eclipse.jgit.api.errors.TransportException: git@xxxxxxxxxxxx:test.org/test_repo.git: Auth fail
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
    at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:178)
    at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125)
    at GitTest.cloneRepo(GitTest.java:109)
    at GitTest.main(GitTest.java:223)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.eclipse.jgit.errors.TransportException: git@xxxxxxxxxxxx:test.org/test_repo.git: Auth fail
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:142)
    at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:121)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:248)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:147)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1104)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:128)
    ... 9 more
Caused by: com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:491)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
    ... 16 more

So I guess I will have to get hold of the JSch code and debug through it :| If anyone here has the slightest idea about this, do please let me know so that I can try it out.

On Tue, Dec 4, 2012 at 1:10 PM, Duft Markus <Markus.Duft@xxxxxxxxxx> wrote:

Hi

 

The approach I use at our company for house-internal servers is (for Eclipse) an additional plugin, which overrides the JGit SshSessionFactory and replaces it with one that disables host key verification. This method is called from my plugin's Activator:

 

public void disableHostVerification() {
    // force loading of the egit plugin, to activate egit's ssh transport provider.
    BundleContext context = Activator.getContext();
    for (Bundle bundle : context.getBundles()) {
        if (bundle.getSymbolicName().equals("org.eclipse.egit.ui")) {
            try {
                bundle.start(Bundle.START_TRANSIENT);
            } catch (Exception ex) {
                printLog("failed to disable host key verification; failed to start egit bundle.");
                ex.printStackTrace(console.outErr);
            }
        }
    }

    SshSessionFactory.setInstance(new AnyHostSshSessionFactory());
}

 

The force-loading of egit is only necessary if you have it ofc (egit also sets another factory, which I want to get rid of in this case), otherwise just set the factory. I’ll attach the two other relevant files. :)

 

HTH,

Markus

 

From: jgit-dev-bounces@xxxxxxxxxxx [mailto:jgit-dev-bounces@xxxxxxxxxxx] On Behalf Of Isuru Haththotuwa
Sent: Monday, 3 December 2012 14:51
To: Tomasz Zarna
Cc: JGit Developers list
Subject: Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

 

Hi all,

I think this issue can be solved if we can specify the key and known host file manually. In JSch, we can do it as follows:

JSch jsch = new JSch();

try {
    jsch.addIdentity(".ssh/id_rsa");
    jsch.setKnownHosts(".ssh/known_hosts");
} catch (JSchException e) {
    e.printStackTrace();
}

But, how do I make JGit use this private key file and the known hosts file? Is there a way to set the jsch object? Apart from creating a new configuration for SshSessionFactory by subclassing JschConfigSessionFactory and overriding the configure(OpenSshConfig.Host host, Session session) method, I could not find a way to do this. What I did was:

public class CustomJschConfigSessionFactory extends JschConfigSessionFactory {
    @Override
    protected void configure(OpenSshConfig.Host host, Session session) {
        session.setConfig("StrictHostKeyChecking", "yes");
    }
}

In the client class which accesses the Git repo:

jschConfigSessionFactory = new CustomJschConfigSessionFactory();

JSch jsch = new JSch();

try {
    jsch.addIdentity(".ssh/id_rsa");
    jsch.setKnownHosts(".ssh/known_hosts");
} catch (JSchException e) {
    e.printStackTrace();
}

SshSessionFactory.setInstance(jschConfigSessionFactory);

Think this is the approach, but still there is a missing bit somewhere. I get a new exception as well now, saying 'reject HostKey'.

Any help is greatly appreciated!

On Mon, Dec 3, 2012 at 3:36 PM, Isuru Haththotuwa <isurulucky@xxxxxxxxx> wrote:

Yes, I was using 0.1.42. However, I tried with 0.1.49 now and still get the same error.

 

On Mon, Dec 3, 2012 at 3:24 PM, Tomasz Zarna <tzarna@xxxxxxxxx> wrote:

What version of JSch are you using? From the stack trace it doesn't
look like the latest 0.1.49.

Cheers

On Mon, Dec 3, 2012 at 10:16 AM, Isuru Haththotuwa <isurulucky@xxxxxxxxx> wrote:
> com.jcraft.jsch.Session.



--
Thanks and Regards,
Isuru




--
Salomon Automation GmbH - Friesachstrasse 15 - A-8114 Friesach bei Graz
Registered office: Friesach bei Graz
VAT ID no.: ATU28654300 - Commercial register number: 49324 K
Commercial register court: Landesgericht für Zivilrechtssachen Graz
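
The question raised in this thread (how to make JGit use a specific private key and known_hosts file while keeping StrictHostKeyChecking on) can be handled by building the JSch instance inside the session factory, by overriding JschConfigSessionFactory.createDefaultJSch. This is an added example, not code from the thread or from JGit itself; the class name PinnedKeySshSessionFactory, the install helper and the constructor parameters are assumptions for illustration.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import org.eclipse.jgit.transport.JschConfigSessionFactory;
import org.eclipse.jgit.transport.OpenSshConfig;
import org.eclipse.jgit.transport.SshSessionFactory;
import org.eclipse.jgit.util.FS;

// Hypothetical class name; not part of JGit or of the thread.
public class PinnedKeySshSessionFactory extends JschConfigSessionFactory {
    private final String privateKeyPath; // e.g. an absolute path to id_rsa
    private final String knownHostsPath; // known_hosts file holding the server's key
    private final String passphrase;     // null when the key is not encrypted

    public PinnedKeySshSessionFactory(String privateKeyPath,
            String knownHostsPath, String passphrase) {
        this.privateKeyPath = privateKeyPath;
        this.knownHostsPath = knownHostsPath;
        this.passphrase = passphrase;
    }

    @Override
    protected void configure(OpenSshConfig.Host host, Session session) {
        // Host key verification stays on: a server whose key is not listed in
        // knownHostsPath is rejected instead of being trusted on first use.
        session.setConfig("StrictHostKeyChecking", "yes");
    }

    @Override
    protected JSch createDefaultJSch(FS fs) throws JSchException {
        // JGit opens its sessions from the JSch returned here; a JSch object
        // created separately in client code is never consulted.
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHostsPath);
        if (passphrase != null) {
            // Headless case: no UI prompt, so the passphrase is supplied directly.
            jsch.addIdentity(privateKeyPath, passphrase);
        } else {
            jsch.addIdentity(privateKeyPath);
        }
        return jsch;
    }

    // Call once before the first clone/fetch over SSH.
    public static void install(String key, String knownHosts, String passphrase) {
        SshSessionFactory.setInstance(
                new PinnedKeySshSessionFactory(key, knownHosts, passphrase));
    }
}
```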



