Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value

[Isuru Haththotuwa <isurulucky@xxxxxxxxx>]

Thank you very much for all the help everyone, I found the issue. The public key which the server had had another name, not the usual id_rsa.pub. If we do not specify specifically, JSch assumes the publick key to be in a file with the same name as the private key plus .pub suffix. That was the root cause.

On Tue, Dec 4, 2012 at 8:28 PM, Duft Markus <Markus.Duft@xxxxxxxxxx> wrote:

Other than what i wrote you i don’t override anything. I just use it this way:

 

        URIish uri = new URIish(repositoryUrl);

        if (username != null && !username.isEmpty()) {

            uri.setUser(username);

        }

        if (password != null && !password.isEmpty()) {

            uri.setPass(password);

        }

 

                FileUtils.mkdirs(destination);

 

        CloneOperation op = new CloneOperation(uri, true, null, destination, ref, remoteName,

                REMOTE_CONNECTION_TIMEOUT);

 

        try {

            op.run(monitor);

        } catch (InvocationTargetException e) {

            throw new RuntimeException(e.getCause());

        }

 

        RepositoryUtil util = org.eclipse.egit.core.Activator.getDefault().getRepositoryUtil();

        util.addConfiguredRepository(op.getGitDir());

 

        RepositoryCache cache = org.eclipse.egit.core.Activator.getDefault().getRepositoryCache();

        Repository repo = cache.lookupRepository(op.getGitDir());

 

Regards,

Markus

 

Von: Alex Blewitt [mailto:alex.blewitt@xxxxxxxxx]
Gesendet: Dienstag, 4. Dezember 2012 15:35
An: Isuru Haththotuwa
Cc: Duft Markus; JGit Developers list

Betreff: Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

 

The hostname is wrong in the jsch setup - it shouldn't have the repository in it. 

config.put("HostName", "git.test.com:test.org/test_repo.git ");

config.put("HostName", "git.test.com");

Sent from my iPhone 4S

On 4 Dec 2012, at 13:35, Isuru Haththotuwa <isurulucky@xxxxxxxxx> wrote:

Ok, thanks for the information. I guess the username that you are referring here is in the following URL is 'git':

git@xxxxxxxxxxxx:test.org/test_repo.git

In setting the remote url in the CloneCommand(), I have used the complete url:

CloneCommand cloneCmd = git.cloneRepository();
cloneCmd.setURI("git@xxxxxxxxxxxx:test.org/test_repo.git")

Other than this, I haven't set it in any other place. But in going through the API docs, I though I can set it inside the overridden configure() method in the JscConfigSessionFactory subclass:

    @Override
    protected void configure(OpenSshConfig.Host host, Session session) {

        java.util.Properties config = new java.util.Properties();
        config.put("StrictHostKeyChecking", "yes");
        config.put("User", "git");
        config.put("IdentityFile", "~/.ssh/id_rsa");
        config.put("HostName", "git.test.com:test.org/test_repo.git ");
        session.setConfig(config);
    }

Basically these settings appear in the ~/.ssh/config file.

Is there any other way to do this? Since I set the key here as well, there is no need to use a custom HostKeyRepository subclass to allow all keys in my opinion.

On Tue, Dec 4, 2012 at 6:08 PM, Duft Markus <Markus.Duft@xxxxxxxxxx> wrote:

Sure you need usernames. The key is registered on the serverside for a specific user, so the user you try to connect to must be that user. If the local and the remote user match than that’s not a problem as it will automatically use the local username, but if they don’t you /have/ to specify the user in the URI.

 

Markus

 

Von: Isuru Haththotuwa [mailto:isurulucky@xxxxxxxxx]
Gesendet: Dienstag, 4. Dezember 2012 13:24

An: Duft Markus
Cc: Tomasz Zarna; JGit Developers list
Betreff: Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

 

The private key does not have a pass phrase. The other side has the correct public key. I have done the cloning of the repository using the command line git, with the keys. Cloning happens with no issues. So I think we can safely come to the conclusion that the public key that the server has got is the correct one. We do not need usernames when we are using public key authentication as I know?

On Tue, Dec 4, 2012 at 5:42 PM, Duft Markus <Markus.Duft@xxxxxxxxxx> wrote:

I don’t think this is a host key problem anymore. It sounds more like the server rejects the key/passphrase. Does the key have a phrase? If yes, how do you pass it to jsch? If no – does the other side know the correct public key?

 

We typically get this kinds of problems when:

1)      The username is wrong

2)      The keys do not match at all (wrong private key chosen, wrong public key on server, …) – I usually test this with command line ssh

3)      The private key requires a passphrase but none is given due to headless-ness (no UI that asks, and nothing set to get the phrase otherwise)

 

HTH,

Markus

 

Von: Isuru Haththotuwa [mailto:isurulucky@xxxxxxxxx]
Gesendet: Dienstag, 4. Dezember 2012 13:04
An: Duft Markus
Cc: Tomasz Zarna; JGit Developers list

Betreff: Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

 

Hi,

Thanks for the sugession, tried it out. But I still get the 'Auth fail' error:

org.eclipse.jgit.api.errors.TransportException: git@xxxxxxxxxxxx:test.org/test_repo.git: Auth fail
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:137)
    at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:178)
    at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:125)
    at GitTest.cloneRepo(GitTest.java:109)
    at GitTest.main(GitTest.java:223)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: org.eclipse.jgit.errors.TransportException: git@xxxxxxxxxxxx:test.org/test_repo.git: Auth fail
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:142)
    at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:121)
    at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:248)
    at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:147)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:136)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:122)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1104)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:128)
    ... 9 more
Caused by: com.jcraft.jsch.JSchException: Auth fail
    at com.jcraft.jsch.Session.connect(Session.java:491)
    at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:116)
    ... 16 more

So I guess I will have to get hold of the JSch code and debug through it :| If anyone here has the slightest idea about this, do please let me know so that I can try it out.

On Tue, Dec 4, 2012 at 1:10 PM, Duft Markus <Markus.Duft@xxxxxxxxxx> wrote:

Hi

 

The approach I use at our company for house-internal servers is (for Eclipse) an additional plugin, which overrides the JGit SshSessionFactory and replaces it with one that disables host key verification. This method is called from my plugins Activator:

 

public void disableHostVerification() {

        // force loading of the egit plugin, to activate egits ssh transport provider.

        BundleContext context = Activator.getContext();

        for (Bundle bundle : context.getBundles()) {

            if (bundle.getSymbolicName().equals("org.eclipse.egit.ui")) {

                try {

                    bundle.start(Bundle.START_TRANSIENT);

                } catch (Exception ex) {

                    printLog("failed to disable host key verification; failed to start egit bundle.");

                    ex.printStackTrace(console.outErr);

                }

            }

        }

 

        SshSessionFactory.setInstance(new AnyHostSshSessionFactory());

    }

 

The force-loading of egit is only necessary if you have it ofc (egit also sets another factory, which I want to get rid of in this case), otherwise just set the factory. I’ll attach the two other relevant files. J

 

HTH,

Markus

 

Von: jgit-dev-bounces@xxxxxxxxxxx [mailto:jgit-dev-bounces@xxxxxxxxxxx] Im Auftrag von Isuru Haththotuwa
Gesendet: Montag, 3. Dezember 2012 14:51
An: Tomasz Zarna
Cc: JGit Developers list
Betreff: Re: [jgit-dev] JGit Doesn't check StrictHostKeyChecking Parameter Value in the .ssh Folder?

 

Hi all,

I think this issue can be solved if we can specify the key and known host file manually. In JSch, we can do it as follows:

JSch jsch = new JSch();

        try {
            jsch.addIdentity(".ssh/id_rsa");
            jsch.setKnownHosts(".ssh/known_hosts");
        } catch (JSchException e) {
            e.printStackTrace(); 
        }

But, how do I make JGit use this private key file and the known hosts file? Is there a way to set the jsch object? Apart from creating a new configuration for SshSessionFactory by subclassing JschConfigSessionFactory and overriding the configure(OpenSshConfig.Host host, Session session) method, I could not find a way to do this. What I did was:

public class CustomJschConfigSessionFactory extends JschConfigSessionFactory {
    @Override
    protected void configure(OpenSshConfig.Host host, Session session) {
        session.setConfig("StrictHostKeyChecking", "yes");
    }
}

In the client class which accesses the Git repo:

jschConfigSessionFactory = new CustomJschConfigSessionFactory();

JSch jsch = new JSch();

        try {
            jsch.addIdentity(".ssh/id_rsa");
            jsch.setKnownHosts(".ssh/known_hosts");
        } catch (JSchException e) {
            e.printStackTrace(); 
        }

SshSessionFactory.setInstance(jschConfigSessionFactory);

Think this is the approach, but still there is a missing bit somewhere. I get a new exception as well now, saying 'reject HostKey'.

Any help is greatly appreciated!

On Mon, Dec 3, 2012 at 3:36 PM, Isuru Haththotuwa <isurulucky@xxxxxxxxx> wrote:

Yes, I was using 0.1.42. However, I tried with 0.1.49 now and still get the same error.

 

On Mon, Dec 3, 2012 at 3:24 PM, Tomasz Zarna <tzarna@xxxxxxxxx> wrote:

What version of JSch are you using? From the stack trace it doesn't
look like the latest 0.1.49.

Cheers

On Mon, Dec 3, 2012 at 10:16 AM, Isuru Haththotuwa <isurulucky@xxxxxxxxx> wrote:
> com.jcraft.jsch.Session.

--
Thanks and Regards,
Isuru

--
Thanks and Regards,
Isuru

         
--  
Salomon Automation GmbH - Friesachstrasse 15 - A-8114 Friesach bei Graz
Sitz der Gesellschaft: Friesach bei Graz
UID-NR:ATU28654300 - Firmenbuchnummer: 49324 K
Firmenbuchgericht: Landesgericht für Zivilrechtssachen Graz

--
Thanks and Regards,
Isuru

--
Thanks and Regards,
Isuru

--
Thanks and Regards,
Isuru

_______________________________________________
jgit-dev mailing list
jgit-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jgit-dev

-- 
Thanks and Regards,
Isuru