18

我对 sshj 有一个奇怪的问题(我正在使用 sshj v0.6.0),我需要一些人的帮助。使用公钥进行身份验证在某些机器上工作正常,但在其他机器上不能正常工作,我看到以下错误。

我能弄清楚的唯一区别是,有问题的 UNIX ID 即 coonradt 似乎在 ~/.ssh/config 下仅在触发以下错误的框上具有以下列出的配置设置

Host *
    Protocol 1,2
    FallBackToRsh no
    ForwardAgent yes
    ForwardX11 yes
    PasswordAuthentication yes
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication yes
    NoHostAuthenticationForLocalhost yes
    StrictHostKeyChecking no
  KeepAlive yes

从上面的配置文件中,我了解到有问题的 ID 应该使用协议 1,2,我怀疑这可能与我的失败有关(我不太确定,但这只是一种预感)

对于可以正常工作的所有其他 UNIX ID,我没有任何这样的配置文件。

PS:我无法更改 UNIX ID“coonradt”的配置,因为中央 hudson 服务器正在使用此 ID。

如果有人可以帮我建议这里可能有什么问题,将不胜感激

以下是我看到的错误:

Oct 24, 2011 2:30:37 AM net.schmizz.sshj.DefaultConfig initCipherFactories
WARNING: Disabling high-strength ciphers: cipher strengths apparently limited by JCE policy
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl init
INFO: Client identity string: SSH-2.0-SSHJ_0_6_0
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl init
INFO: Server identity string: SSH-1.99-OpenSSH_4.3
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.KeyExchanger sendKexInit
INFO: Sending SSH_MSG_KEXINIT
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.KeyExchanger handle
INFO: Received SSH_MSG_KEXINIT
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.kex.AbstractDHG init
INFO: Sending SSH_MSG_KEXDH_INIT
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.KeyExchanger handle
INFO: Received kex followup data
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.kex.AbstractDHG next
INFO: Received SSH_MSG_KEXDH_REPLY
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl die
SEVERE: Dying because - net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ssh-rsa` host key with fingerprint `ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41` for `mymachine.domain.com` on port 22
Oct 24, 2011 2:30:38 AM net.schmizz.concurrent.Promise tryRetrieve
SEVERE: <<kex done>> woke to: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ssh-rsa` host key with fingerprint `ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41` for `mymachine.domain.com` on port 22
Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl setService
INFO: Setting active service to null-service
Oct 24, 2011 2:30:38 AM com.test.jaws.execution.ssh.impl.SSHJClientImpl$ExceptionHandler handleSevereCondition
SEVERE: mymachine.domain.com is not added to your /x/home/coonradt/.ssh/known_hosts file. 
Throwable occurred: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ssh-rsa` host key with fingerprint `ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41` for `mymachine.domain.com` on port 22
    at net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:222)
    at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:373)
    at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:477)
    at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:127)
    at net.schmizz.sshj.transport.Decoder.received(Decoder.java:195)
    at net.schmizz.sshj.transport.Reader.run(Reader.java:72)
4

5 回答 5

28

您可以将 SSH 客户端设置为接受所有密钥而不进行任何验证(忽略主机密钥验证)

SSHClient sshClient = new SSHClient();
sshClient.addHostKeyVerifier(new PromiscuousVerifier());
...
于 2017-12-19T05:28:28.907 回答
19

为这台机器添加一个 HostKeyVerifier 怎么样?

sshClient.addHostKeyVerifier("ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41");

它没有自动发生的原因可能是因为 known_hosts 文件不在 $(user.home)/.ssh/known_hosts 中。您还可以从特定位置显式加载已知主机。

sshClient.loadKnownHosts(new File("path_to_known_hosts"));
于 2011-10-24T19:06:25.900 回答
9 
try {
    ssh.connect(envConf.getIp(), port);
} catch (TransportException e) {
    if (e.getDisconnectReason() == DisconnectReason.HOST_KEY_NOT_VERIFIABLE) {
        String msg = e.getMessage();
        String[] split = msg.split("`");
        String vc = split[3];
        ssh = new SSHClient();
        ssh.addHostKeyVerifier(vc);
        ssh.connect(envConf.getIp(), port);
    } else {
        throw e;
    }
}
ssh.authPassword(envConf.getName(), envConf.getPw());
ssh.newSCPFileTransfer().download(envConf.getHomePath() + FilePath, toPath);
于 2016-03-20T13:57:09.060 回答
0

For an alternative answer ensure that the hostname you are trying to connect to is exactly a match in your known_hosts file. An example mistake that I was making was trying to connect to the full URL bob.insidenetwork.pvt but my known_hosts file had only bob as an entry because when I ssh manually I'm far too lazy to type the entire URL...

于 2014-03-24T22:20:24.307 回答
0

如果服务器接受键盘交互验证,您也可以这样做,至少对于最新版本的 SSHJ:

client.addHostKeyVerifier(new ConsoleKnownHostsVerifier(new File(userKnownHostsFile), System.console()) {
    @Override
    protected boolean hostKeyUnverifiableAction(String hostname, PublicKey key) {
        try {
            entries().add(new HostEntry(null, hostname, KeyType.fromKey(key), key));
            write();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        return true;
    }
});

这会覆盖"Are you sure you want to continue connecting (yes/no)? "用户应该回复的提示,因此您无需向控制台提供任何输入即可继续,同时在主机未知时满足键盘交互式身份验证并避免使用PromiscuousVerifier.

当然,您可以根据自己的喜好调整覆盖方法以添加日志记录,如果您想收到提示,则只需使用普通的ConsoleKnownHostsVerifier.

如果服务器不接受键盘交互身份验证并且您仍然不想使用混杂验证器,那么您可以对OpenSSHKnownHosts类执行与上述类似的操作;例如:

HostKeyVerifier hkv = new OpenSSHKnownHosts(new File("~/.ssh/known_hosts") {
    @Override
    protected boolean hostKeyUnverifiableAction(String hostname, PublicKey key) {
        return true;
    }
};
client.addHostKeyVerifier(hkv);

在里面OpenSSHKnownHostshostKeyUnverifiableAction(...)方法所做的只是返回 false,所以改变它,你就很好了。

于 2021-12-10T14:19:16.350 回答