Discuss (FTP) and (SFTP, FTPS and SCP), our Java file transfer clients.
vijayin (Posts: 10, Joined: Wed Dec 10, 2008 3:51 am)

SFTP Connection Failed for Public Key file

by vijayin » Wed Dec 10, 2008 8:43 am

Hi,

I am unable to connect using SFTP from an AIX server to another AIX server; I am getting the following exception.

====== UseSFTPWithServerValidationPublicKeyFile remote-host username password publickeyfile sourcefilepath destfilepath key(DSA or RSA)=======
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.389 : Deleted local copy : false
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.392 : Creating SFTP client
INFO [puretls] 9 Dec 2008 14:33:32.802 : PureTLS debug level=0
INFO [LicensePropertiesBase] 9 Dec 2008 14:33:32.927 : Licence expiry date: 31 Dec 9999
INFO [LicensePropertiesBase] 9 Dec 2008 14:33:32.927 : Production licence
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.961 : Setting user-name and password
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.970 : Loading server public-key from /home/edt/.ssh/id_rsa.pub
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.995 : Connecting to server 123.cs.edt.com
INFO [SCPClient] 9 Dec 2008 14:33:32.995 : SCPClient settings validated.
INFO [TransportProtocolCommon] 9 Dec 2008 14:33:33.082 : Timeout=60000
INFO [TransportProtocolCommon] 9 Dec 2008 14:33:33.085 : Wait for state update timeout=60000
INFO [cryptix] 9 Dec 2008 14:33:33.112 : GLOBAL_TRACE=false
INFO [cryptix] 9 Dec 2008 14:33:33.112 : GLOBAL_DEBUG=false
INFO [cryptix] 9 Dec 2008 14:33:33.112 : GLOBAL_DEBUG_SLOW=false
INFO [TransportProtocolCommon] 9 Dec 2008 14:33:33.116 : Wait for state update timeout=60000
INFO [DhGroup1Sha1] 9 Dec 2008 14:33:33.118 : Starting client side key exchange.
WARN [SSHFTPValidator] 9 Dec 2008 14:33:33.214 : Host-key mismatch: allowed host-key, '2048: 3c 8c fc 93 61 74 da 6e c7 f1 93 ac 4 21 63 6c', does not match actual host-key, '1024: 23 b6 9 99 3b 48 71 f5 f a3 ee 4b 81 d5 b8 b9'.
ERROR [TransportProtocolOutputStream] 9 Dec 2008 14:33:33.216 : sendMessage() failed: Socket closed (state=5)
ERROR [TransportProtocolOutputStream] 9 Dec 2008 14:33:33.217 : sendMessage() failed: Socket closed (state=5)
com.enterprisedt.net.j2ssh.transport.kex.KeyExchangeException: The host signature is invalid or the host key was not accepted!
at com.enterprisedt.net.j2ssh.transport.TransportProtocolClient.performKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.beginKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.A(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.startBinaryPacketProtocol(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.run(Unknown Source)
at java.lang.Thread.run(Thread.java:810)
====== Successfully executed UseSFTPWithServerValidationPublicKeyFile =======
support2 (Posts: 3987, Joined: Tue May 18, 2004 8:30 am)

Re: SFTP Connection Failed for Public Key file

by support2 » Wed Dec 10, 2008 9:19 am

Here's your error:

"Host-key mismatch: allowed host-key xxx does not match actual host-key yyy"

So the public key you have supplied is not the public key of the SFTP server.

====== UseSFTPWithServerValidationPublicKeyFile remote-host

by vijayin » Thu Dec 11, 2008 10:28 am

Hi,

Thanks for the reply. Now RSA encryption is working fine for public key authentication. I want to test the same with DSA: I have generated a DSA key pair and copied it to the destination authorized key file. Now I am getting the following exception for DSA.

====== UseSFTPWithServerValidationPublicKeyFile remote-host username password publickeyfile sourcefilepath destfilepath key(DSA or RSA)=======
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.354 : Deleted local copy : true
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.357 : Creating SFTP client
INFO [puretls] 10 Dec 2008 15:44:25.803 : PureTLS debug level=0
INFO [LicensePropertiesBase] 10 Dec 2008 15:44:25.928 : Licence expiry date: 31 Dec 9999
INFO [LicensePropertiesBase] 10 Dec 2008 15:44:25.929 : Production licence
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.962 : Setting user-name and password
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.970 : Loading server public-key from /home/cwadmin/.ssh/id_dsa.pub
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.997 : Connecting to server 123.cs.edt.com
INFO [SCPClient] 10 Dec 2008 15:44:25.997 : SCPClient settings validated.
INFO [TransportProtocolCommon] 10 Dec 2008 15:44:26.078 : Timeout=60000
INFO [TransportProtocolCommon] 10 Dec 2008 15:44:26.081 : Wait for state update timeout=60000
INFO [cryptix] 10 Dec 2008 15:44:26.107 : GLOBAL_TRACE=false
INFO [cryptix] 10 Dec 2008 15:44:26.107 : GLOBAL_DEBUG=false
INFO [cryptix] 10 Dec 2008 15:44:26.107 : GLOBAL_DEBUG_SLOW=false
INFO [DhGroup1Sha1] 10 Dec 2008 15:44:26.112 : Starting client side key exchange.
INFO [TransportProtocolCommon] 10 Dec 2008 15:44:26.114 : Wait for state update timeout=60000
WARN [SSHFTPValidator] 10 Dec 2008 15:44:26.198 : Host-key mismatch: allowed host-key, '1024: 4 f4 ae 6e fd fa b6 5a bb 64 8 9f 75 bc c6 30', does not match actual host-key, '1024: f2 32 d5 2 2c 4f fd f5 27 e4 51 80 fc f5 9a 6d'.
ERROR [TransportProtocolOutputStream] 10 Dec 2008 15:44:26.199 : sendMessage() failed: Socket closed (state=5)
ERROR [TransportProtocolOutputStream] 10 Dec 2008 15:44:26.200 : sendMessage() failed: Socket closed (state=5)
com.enterprisedt.net.j2ssh.transport.kex.KeyExchangeException: The host signature is invalid or the host key was not accepted!
at com.enterprisedt.net.j2ssh.transport.TransportProtocolClient.performKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.beginKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.A(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.startBinaryPacketProtocol(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.run(Unknown Source)
at java.lang.Thread.run(Thread.java:810)
====== Successfully executed UseSFTPWithServerValidationPublicKeyFile =======

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by support2 » Thu Dec 11, 2008 1:05 pm

Are you supplying /home/cwadmin/.ssh/id_dsa.pub as the server public key in the client?

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by vijayin » Thu Dec 11, 2008 1:09 pm

Yes. It is the server public key file path I am using in the client.

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by support2 » Thu Dec 11, 2008 1:58 pm

And are you certain the server is using this public key?

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by vijayin » Thu Dec 11, 2008 2:12 pm

First I generated the RSA public key and added it to the server's authorized key file, and it works fine. Then I generated the DSA public key and added it to the server's authorized key file, and it is not working; it throws the above exception. If I get the public key using sshftp.getHostPublicKey(hostname), write it to a file locally and read the key from that local file, it works fine whether it is DSA or RSA. Can you tell me where I am going wrong?
If required, I will send my test Java file.

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by support2 » Thu Dec 11, 2008 5:26 pm

Yes please email your test Java code to support at enterprisedt dot com

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by vijayin » Fri Dec 12, 2008 3:06 am

The one below is not working for DSA:

import java.io.File;

import com.enterprisedt.net.ftp.FTPClientInterface;
import com.enterprisedt.net.ftp.FTPTransferType;
import com.enterprisedt.net.ftp.ssh.SSHFTPAlgorithm;
import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.util.debug.Level;
import com.enterprisedt.util.debug.Logger;

public class UseSFTPWithServerValidationKeyFile
{

    /**
     * Put a file and get it back as a local copy. The remote delete is
     * commented out, so the uploaded file is left on the server.
     *
     * @param srcFileName  local file to upload; the copy is written to srcFileName + ".copy"
     * @param destFileName remote path to upload to and download from
     * @param ftp          reference to FTP client
     */
    private static void putGetDelete(String srcFileName, String destFileName, FTPClientInterface ftp)
        throws Exception
    {
        ftp.put(srcFileName, destFileName);
        // get(localPath, remoteFile): download the uploaded file to a local ".copy"
        ftp.get(srcFileName + ".copy", destFileName);
        //ftp.delete(destFileName);
    }

    public static void main(String[] args)
    {
        testServerPublicKeyFile(args);
    }

    public static void testServerPublicKeyFile(String[] args)
    {
        // seven arguments are read below (args[0] .. args[6]), so all seven are required
        if (args.length < 7)
        {
            System.out.println("Usage: run remote-host username password publickeyfile sourcefile destfile key(DSA or RSA)");
            System.out.println("publickeyfile = file containing the public key of the server in OpenSSH or SECSH format");
            System.exit(1);
        }

        // extract command-line arguments
        String host = args[0];
        String username = args[1];
        String password = args[2];
        String keyfile = args[3];
        String srcFileName = args[4];
        String destFileName = args[5];
        String key = args[6];

        // set up logger so that we get some output
        Logger log = Logger.getLogger(UseSFTPWithServerValidationKeyFile.class);
        Logger.setLevel(Level.INFO);

        try
        {
            // delete the local copy if it exists (File.delete() returns false if there was none)
            File file = new File(srcFileName + ".copy");
            log.info("Deleted local copy : " + file.delete());

            // create client
            log.info("Creating SFTP client");
            SSHFTPClient ftp = new SSHFTPClient();

            // set remote host
            ftp.setRemoteHost(host);

            // now if your keyfile is a DSA public key, then you
            // should disable all keypairs, and then enable DSA. This
            // forces the server to send its DSA public key - if it sent
            // an RSA public key and your keyfile is DSA, server validation
            // will fail
            if ("RSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_RSA, true);
            }
            else if ("DSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_DSA, true);
            }

            log.info("Setting user-name and password");
            ftp.setAuthentication(username, password);

            // keyfile must hold the server's HOST public key (the key sshd loads
            // via its HostKey setting); connect() fails with a host-key mismatch
            // if the file holds any other key
            log.info("Loading server public-key from " + keyfile);
            ftp.getValidator().addKnownHost(host, keyfile);

            // connect to the server
            log.info("Connecting to server " + host);
            ftp.connect();

            log.info("Setting transfer mode to ASCII");
            ftp.setType(FTPTransferType.ASCII);

            putGetDelete(srcFileName, destFileName, ftp);
            log.info("Successfully transferred in ASCII mode");

            // Shut down client
            log.info("Quitting client");
            ftp.quit();

            log.info("Example complete");

        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }
}
=================================================

The one below is working for both DSA and RSA:


import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;

import com.enterprisedt.net.ftp.FTPClientInterface;
import com.enterprisedt.net.ftp.FTPTransferType;
import com.enterprisedt.net.ftp.ssh.SSHFTPAlgorithm;
import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.net.ftp.ssh.SSHFTPPublicKey;
import com.enterprisedt.util.debug.Level;
import com.enterprisedt.util.debug.Logger;

public class UseSFTPServerAutoValidationPublicKey
{
    public static void main(String[] args)
    {
        testServerPublicKeyFile(args);
    }

    public static void testServerPublicKeyFile(String[] args)
    {
        // seven arguments are read below (args[0] .. args[6]), so all seven are required
        if (args.length < 7)
        {
            System.out.println("Usage: run remote-host username password publickeyfile sourcefile destfile key(DSA or RSA)");
            System.out.println("publickeyfile = file containing the public key of the server in OpenSSH or SECSH format");
            System.exit(1);
        }

        // extract command-line arguments
        String host = args[0];
        String username = args[1];
        String password = args[2];
        String keyfile = args[3];
        String srcFileName = args[4];
        String destFileName = args[5];
        String key = args[6];

        // set up logger so that we get some output (logger now named after this class)
        Logger log = Logger.getLogger(UseSFTPServerAutoValidationPublicKey.class);
        Logger.setLevel(Level.INFO);

        try
        {
            // delete the local copy if it exists (File.delete() returns false if there was none)
            File file = new File(srcFileName + ".copy");
            log.info("Deleted local copy : " + file.delete());

            // create client
            log.info("Creating SFTP client");
            SSHFTPClient ftp = new SSHFTPClient();

            // set remote host
            ftp.setRemoteHost(host);

            // now if your keyfile is a DSA public key, then you
            // should disable all keypairs, and then enable DSA. This
            // forces the server to send its DSA public key - if it sent
            // an RSA public key and your keyfile is DSA, server validation
            // will fail
            if ("RSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_RSA, true);
            }
            else if ("DSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_DSA, true);
            }

            log.info("Setting user-name and password");
            ftp.setAuthentication(username, password);

            // Fetch whatever host key the server presents right now, overwrite
            // keyfile with it in OpenSSH format, then load that same file as the
            // known host. This exercises the file round-trip but trusts the key on
            // first contact, so it does not verify the server's identity.
            File f = new File(keyfile);
            FileOutputStream fout = new FileOutputStream(f);

            log.info("\n ------------- Open SSH Format " + SSHFTPPublicKey.OPENSSH_FORMAT);

            SSHFTPClient.getHostPublicKey(host).write(fout, SSHFTPPublicKey.OPENSSH_FORMAT);

            log.info(" Before Closing the Output Stream " + keyfile);

            fout.close();

            log.info("Loading server public-key from " + keyfile);
            FileInputStream fin = new FileInputStream(f);
            ftp.getValidator().addKnownHost(host, fin);
            fin.close();

            // connect to the server
            log.info("Connecting to server " + host);
            ftp.connect();

            log.info("Setting transfer mode to ASCII");
            ftp.setType(FTPTransferType.ASCII);

            putGetDelete(srcFileName, destFileName, ftp);
            log.info("Successfully transferred in ASCII mode");

            // Shut down client
            log.info("Quitting client");
            ftp.quit();

            log.info("Example complete");

        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }

    /**
     * Put a file and get it back as a local copy. The remote delete is
     * commented out, so the uploaded file is left on the server.
     *
     * @param srcFileName  local file to upload; the copy is written to srcFileName + ".copy"
     * @param destFileName remote path to upload to and download from
     * @param ftp          reference to FTP client
     */
    private static void putGetDelete(String srcFileName, String destFileName, FTPClientInterface ftp)
        throws Exception
    {
        ftp.put(srcFileName, destFileName);
        // get(localPath, remoteFile): download the uploaded file to a local ".copy"
        ftp.get(srcFileName + ".copy", destFileName);
        //ftp.delete(destFileName);
    }
}

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by support2 » Fri Dec 12, 2008 6:23 am

It still isn't obvious what the error is. Two things to try:

1) Please set the log level to ALL:

Logger.setLevel(Level.ALL);

and EMAIL the log files to us (please don't post them, they will be too large for the forums).

2) Please also email the DSA public key id_dsa.pub, and the DSA public key obtained from SSHFTPClient.getHostPublicKey(host)

These should be identical - they obviously aren't so the server isn't sending back the key you think it is.

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by vijayin » Fri Dec 12, 2008 7:00 am

Can you send me your email ID?

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by support2 » Fri Dec 12, 2008 2:45 pm

The DSA public key being sent back is the one the server is using. When you validate using that it works. Therefore the server is not picking up the DSA public key that you are supplying to it.

Typically, sshd_config has something like this:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

For DSA, the server's private key goes in /etc/ssh/ssh_host_dsa_key and the public key in /etc/ssh/ssh_host_dsa_key.pub

So you need to ensure that you are placing the server's public & private DSA keys in the equivalent files listed above. Only one public or private key should be in each file.

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by vijayin » Fri Dec 12, 2008 3:27 pm

Thanks for the reply. So I have to supply the server's /etc/ssh/ssh_host_dsa_key.pub file to the program instead of /.ssh/id_dsa.pub, right?

The command line arguments for the above program are

remote-host username password publickeyfile sourcefile destfile key(DSA or RSA)

123.edt.com dummy 123 /.ssh/id_dsa.pub /home/test.txt home/temp/1_test.txt DSA (This is the one I have used)

123.edt.com dummy 123 /etc/ssh/ssh_host_dsa_key.pub /home/test.txt home/temp/1_test.txt DSA (Suggested by you)

Let me know whether my understanding is correct or not.

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by support2 » Fri Dec 12, 2008 5:44 pm

It depends on the HostKey setting in sshd_config on the server - it might be slightly different for your server.

But you must supply the server's DSA public key to the client (the server has two - a DSA key and an RSA key, location specified in sshd_config).

NOTE - unless you are running the client on the server machine you may not even have access to the server's public keys, i.e. /etc/ssh/ssh_host_dsa_key.pub is of course on the server machine.

/.ssh/id_dsa.pub is almost certainly NOT the server's public DSA key.

You'll know when you find the right one because it should be identical to the one you downloaded via SSHFTPClient.getHostPublicKey(host).
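The "Host-key mismatch" warning in the first post prints, for both the allowed key and the key the server actually sent, the key size followed by the MD5 fingerprint of the key blob with each hex byte unpadded (e.g. '4 21 63 6c'). The script below is an example added here by the editor; it is not part of this thread or of edtFTPj. It parses OpenSSH-format .pub lines the same way, so the candidate files (/etc/ssh/ssh_host_dsa_key.pub, ~/.ssh/id_dsa.pub, the file written from getHostPublicKey) can be fingerprinted offline and checked against the value in the log before any of them is handed to addKnownHost. The sample key lines are constructed from made-up numbers and are not real keys, and all function names are my own; only the Python standard library is used.

```python
import base64
import hashlib
import struct

def _read_string(blob, pos):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length

def parse_openssh_public_key(line):
    """Parse 'ssh-rsa AAAA... [comment]' into (key_type, [mpint values], raw blob)."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    key_type_raw, pos = _read_string(blob, 0)
    key_type = key_type_raw.decode("ascii")
    if key_type != fields[0]:
        raise ValueError("blob type %s does not match prefix %s" % (key_type, fields[0]))
    values = []
    while pos < len(blob):
        raw, pos = _read_string(blob, pos)
        # mpints are big-endian two's complement, hence signed=True
        values.append(int.from_bytes(raw, "big", signed=True))
    return key_type, values, blob

def key_bits(key_type, values):
    """Key size as the client logs it: RSA modulus bits, or DSA prime p bits."""
    if key_type == "ssh-rsa":
        return values[1].bit_length()      # values = [e, n]
    if key_type == "ssh-dss":
        return values[0].bit_length()      # values = [p, q, g, y]
    raise ValueError("unsupported key type: " + key_type)

def md5_fingerprint(blob, java_style=False):
    """MD5 of the raw blob. java_style drops the zero padding of each byte, which
    is how the edtFTPj 'Host-key mismatch' warning in this thread prints it."""
    digest = hashlib.md5(blob).digest()
    if java_style:
        return " ".join("%x" % b for b in digest)
    return ":".join("%02x" % b for b in digest)

def sha256_fingerprint(blob):
    """SHA256 fingerprint in the form newer OpenSSH prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")

def describe(line):
    """'<type> <bits>: <java-style md5>' for direct comparison with the log line."""
    key_type, values, blob = parse_openssh_public_key(line)
    return "%s %d: %s" % (key_type, key_bits(key_type, values),
                          md5_fingerprint(blob, java_style=True))

def same_key(line_a, line_b):
    """True if two .pub lines carry the same key material (comments ignored)."""
    return parse_openssh_public_key(line_a)[2] == parse_openssh_public_key(line_b)[2]

# --- encoder, so the constructed samples below can be built without real keys ---
def _mpint(value):
    """Encode a non-negative int as an SSH mpint (leading 0x00 if the high bit is set)."""
    if value == 0:
        return b""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def _string(raw):
    return struct.pack(">I", len(raw)) + raw

def encode_openssh_public_key(key_type, values, comment):
    blob = _string(key_type.encode("ascii")) + b"".join(_string(_mpint(v)) for v in values)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"), comment)

# Constructed samples (made-up numbers, NOT real keys): a 2048-bit "RSA" host key,
# a 1024-bit "DSA" host key, and a different 1024-bit "DSA" user key.
SAMPLE_HOST_RSA = encode_openssh_public_key("ssh-rsa", [65537, (1 << 2047) | 12345], "host-rsa")
SAMPLE_HOST_DSA = encode_openssh_public_key("ssh-dss", [(1 << 1023) | 7, (1 << 159) | 3, 2, 5], "host-dsa")
SAMPLE_USER_DSA = encode_openssh_public_key("ssh-dss", [(1 << 1023) | 9, (1 << 159) | 3, 2, 5], "user@client")

if __name__ == "__main__":
    for label, line in [("ssh_host_rsa_key.pub", SAMPLE_HOST_RSA),
                        ("ssh_host_dsa_key.pub", SAMPLE_HOST_DSA),
                        ("id_dsa.pub", SAMPLE_USER_DSA)]:
        print("%-22s %s" % (label, describe(line)))
    print("id_dsa.pub is the host DSA key:", same_key(SAMPLE_HOST_DSA, SAMPLE_USER_DSA))
```

To use it on a real server, read the first line of each candidate .pub file and pass it to describe(); the one whose output equals the "actual host-key" value in the warning is the file to give addKnownHost, and same_key() confirms it against the file written from getHostPublicKey. The MD5 form is there only to match the library's log; record the SHA256 form when you store the fingerprint anywhere else.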

Re: ====== UseSFTPWithServerValidationPublicKeyFile remote-h

by vijayin » Sat Dec 13, 2008 3:45 am

You are correct. I have verified the keys in /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key; they match the keys I downloaded using SSHFTPClient.getHostPublicKey.

But in my server's sshd_config file /etc/ssh/ssh_host_rsa_key is commented out.

#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

So which one is my server using? One more thing: does SSHFTPValidator.addKnownHost(java.lang.String hostName, java.lang.String publicKeyFile) take the server's file path for the public key file, or a local file path (written to the local directory using SSHFTPClient.getHostPublicKey)?