Solved SSH problem with JSCH and FreeBSD 12.1

[n9010]

Hello,
I'm facing a problem with a JAVA client trying to access a ssh/ sftp box with JSCH . Apparently this issue arouse when we upgrade from an older version of FreeBSD (10.1) to 12.1.
The error is

com.jcraft.jsch.JSchException: Auth fail

Only this JAVA library have this problem and trying to access other Linux machines with the same version of SSH() results in a success. Accessing the FreeBSD box from a command line or via FileZilla works like a charm. We tried to enable all the ciphers available and to use a RSA key instead of a password but the issue persisted. Is there a default compilation option of sshd() for FreeBSD that might cause this error? I don't know how to debug any further. Any help is appreciated.



ssh version: OpenSSH_7.8p1, OpenSSL 1.1.1d-freebsd 10 Sep 2019
JSCH version: SSH-2.0-JSCH-0.1.52

Here are some detailed logs:

auth.log

 sftp sshd[96746]: Connection from xx.xx.xx.xx port 35840 on yy.yy.yy.yy port 2225
sftp sshd[96746]: Failed unknown for USER from xx.xx.xx.xx port 35840 ssh2
sftp sshd[96746]: user USER login class  [preauth]
sftp sshd[96746]: error: Received disconnect from xx.xx.xx.xx port 35840:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
sftp sshd[96746]: Disconnected from authenticating user USER xx.xx.xx.xx port 35840 [preauth]

JAVA error stack

LEVEL 1 - Connecting to xx.xx.xx.xx port 2225
LEVEL 1 - Connection established
LEVEL 1 - Remote version string: SSH-2.0-OpenSSH_7.8 FreeBSD-20180909
LEVEL 1 - Local version string: SSH-2.0-JSCH-0.1.52
LEVEL 1 - CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
LEVEL 1 - CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
LEVEL 1 - CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
LEVEL 1 - SSH_MSG_KEXINIT sent
LEVEL 1 - SSH_MSG_KEXINIT received
LEVEL 1 - kex: server: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
LEVEL 1 - kex: server: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
LEVEL 1 - kex: server: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
LEVEL 1 - kex: server: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
LEVEL 1 - kex: server: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
LEVEL 1 - kex: server: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
LEVEL 1 - kex: server: none,zlib@openssh.com
LEVEL 1 - kex: server: none,zlib@openssh.com
LEVEL 1 - kex: server:
LEVEL 1 - kex: server:
LEVEL 1 - kex: client: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
LEVEL 1 - kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
LEVEL 1 - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
LEVEL 1 - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
LEVEL 1 - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
LEVEL 1 - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
LEVEL 1 - kex: client: none
LEVEL 1 - kex: client: none
LEVEL 1 - kex: client:
LEVEL 1 - kex: client:
LEVEL 1 - kex: server->client aes128-ctr hmac-md5 none
LEVEL 1 - kex: client->server aes128-ctr hmac-md5 none
LEVEL 1 - SSH_MSG_KEXDH_INIT sent
LEVEL 1 - expecting SSH_MSG_KEXDH_REPLY
LEVEL 1 - ssh_rsa_verify: signature true
LEVEL 2 - Permanently added 'xx.xx.xx.xx' (RSA) to the list of known hosts.
LEVEL 1 - SSH_MSG_NEWKEYS sent
LEVEL 1 - SSH_MSG_NEWKEYS received
LEVEL 1 - SSH_MSG_SERVICE_REQUEST sent
LEVEL 1 - SSH_MSG_SERVICE_ACCEPT received
LEVEL 1 - Disconnecting from xx.xx.xx.xx port 2225
com.jcraft.jsch.JSchException: Auth fail
                at com.jcraft.jsch.Session.connect(Session.java:512)
                at com.jcraft.jsch.Session.connect(Session.java:183)
                at testsftp.Main.setupJsch(Main.java:122)
                at testsftp.Main.main(Main.java:45)

sshd_config is pretty standard:

LogLevel DEBUG

#Tried to specify the ciphers, same error

#Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
#KexAlgorithms   curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-gro$
#MACs mac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hma$
#MACs hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
#HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-c$



# Authentication:
PermitRootLogin prohibit-password
MaxAuthTries 2
MaxSessions 10

AuthorizedKeysFile      .ssh/authorized_keys


AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Subsystem       sftp    /usr/libexec/sftp-server
ForceCommand    internal-sftp -u 007


Match Group XXXXXXX
   ChrootDirectory /sftpusers/chrootUser/
   ForceCommand internal-sftp

Thanks

 

[Jose]

I just tried the UserAuthKI.java example that comes with the Jsch source and it works fine on my 12.1 system. I'm going to need more details of what you're trying to accomplish. Pubkey auth? File transfer?

 

[n9010]

Hello, we tried both with pubkey and via username/password. Same error.
The goal is to transfer files yes, is a webserver with a sftp jail. We tried also to connect to the Apache jail with a test user/password and got the same error.

The test machine that has the old FreeBSD version has no problem being accessed by this client.

 

[n9010]

Hello again, i just tried to connect to another server (different project, brand new machine), with FreeBSD 12.1 and a sftp jail, same error.
They are though, both machines upgraded from 11.x (latest OVH aviable installable OS) with freebsd-update (might be of any relevance?)

 

[genneko]

Hi.
I've heard that OpenSSH 7.8 or later generates keys in newer formats than older versions.
Not sure it matters but just for your information.

 

[n9010]

Found the problem.
The java client was using password method for authenticating, that is disabled by default. Most clients like FileZilla can fallback to keyboard-interactive but the java client was not.
Adding this line solved the issue.

PasswordAuthentication yes