在sshj中处理“无法validation带指纹的`ssh-rsa`主机密钥”
我有一个奇怪的问题sshj(我正在使用sshj v0.6.0),我需要一些人的帮助。 使用公钥进行身份validation在某些计算机上工作正常但在其他计算机上无法正常工作,我看到以下错误。
唯一不同的是,有问题的UNIX ID有问题,即coonradt似乎在〜/ .ssh / config下面的下面列出的配置设置仅在触发了以下错误的框上
Host * Protocol 1,2 FallBackToRsh no ForwardAgent yes ForwardX11 yes PasswordAuthentication yes RhostsAuthentication no RhostsRSAAuthentication no RSAAuthentication yes NoHostAuthenticationForLocalhost yes StrictHostKeyChecking no KeepAlive yes 从上面的配置文件中我了解到有问题的ID应该使用Protocol 1,2并且我怀疑这可能与我的失败有关(我不是很确定它,但这只是一个预感)
对于其工作正常的所有其他UNIX ID,我没有任何这样的配置文件。
PS:我无法更改UNIX ID“coonradt”的配置,因为中央哈德森服务器正在使用此ID。
如果有人可以帮助我建议这里可能有什么问题,我将不胜感激
以下是我看到的错误:
Oct 24, 2011 2:30:37 AM net.schmizz.sshj.DefaultConfig initCipherFactories WARNING: Disabling high-strength ciphers: cipher strengths apparently limited by JCE policy Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl init INFO: Client identity string: SSH-2.0-SSHJ_0_6_0 Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl init INFO: Server identity string: SSH-1.99-OpenSSH_4.3 Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.KeyExchanger sendKexInit INFO: Sending SSH_MSG_KEXINIT Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.KeyExchanger handle INFO: Received SSH_MSG_KEXINIT Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.kex.AbstractDHG init INFO: Sending SSH_MSG_KEXDH_INIT Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.KeyExchanger handle INFO: Received kex followup data Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.kex.AbstractDHG next INFO: Received SSH_MSG_KEXDH_REPLY Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl die SEVERE: Dying because - net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ssh-rsa` host key with fingerprint `ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41` for `mymachine.domain.com` on port 22 Oct 24, 2011 2:30:38 AM net.schmizz.concurrent.Promise tryRetrieve SEVERE: <> woke to: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ssh-rsa` host key with fingerprint `ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41` for `mymachine.domain.com` on port 22 Oct 24, 2011 2:30:38 AM net.schmizz.sshj.transport.TransportImpl setService INFO: Setting active service to null-service Oct 24, 2011 2:30:38 AM com.test.jaws.execution.ssh.impl.SSHJClientImpl$ExceptionHandler handleSevereCondition SEVERE: mymachine.domain.com is not added to your /x/home/coonradt/.ssh/known_hosts file. Throwable occurred: net.schmizz.sshj.transport.TransportException: [HOST_KEY_NOT_VERIFIABLE] Could not verify `ssh-rsa` host key with fingerprint `ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41` for `mymachine.domain.com` on port 22 at net.schmizz.sshj.transport.KeyExchanger.verifyHost(KeyExchanger.java:222) at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:373) at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:477) at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:127) at net.schmizz.sshj.transport.Decoder.received(Decoder.java:195) at net.schmizz.sshj.transport.Reader.run(Reader.java:72)
您可以将SSH客户端设置为接受所有密钥而无需任何validation(忽略主机密钥validation)
SSHClient sshClient = new SSHClient(); sshClient.addHostKeyVerifier(new PromiscuousVerifier()); ...
如何为这台机器添加HostKeyVerifier?
sshClient.addHostKeyVerifier("ca:0b:b3:7f:53:5a:e3:bc:bf:44:63:d8:2d:26:c0:41");
它不会自动发生的原因可能是因为known_hosts文件不在$(user.home)/。ssh / known_hosts。 您还可以从特定位置显式加载已知主机。
sshClient.loadKnownHosts(new File("path_to_known_hosts"));
try { ssh.connect(envConf.getIp(), port); } catch (TransportException e) { if (e.getDisconnectReason() == DisconnectReason.HOST_KEY_NOT_VERIFIABLE) { String msg = e.getMessage(); String[] split = msg.split("`"); String vc = split[3]; ssh = new SSHClient(); ssh.addHostKeyVerifier(vc); ssh.connect(envConf.getIp(), port); } else { throw e; } } ssh.authPassword(envConf.getName(), envConf.getPw()); ssh.newSCPFileTransfer().download(envConf.getHomePath() + FilePath, toPath);
有关替代答案,请确保您尝试连接的主机名与known_hosts文件中的主机名完全匹配。 我正在尝试连接到完整的URL bob.insidenetwork.pvt但我的known_hosts文件只有bob作为条目,因为当我手动ssh时,我太懒了,无法输入整个URL …