0 votes
2.2k views
in Java FTP by
Hi All,

I am using SSHFTPClient and am going to switch server validation on. But I don't want to extend the application with public key files or a known-hosts file.
What I want is to use the host public key dynamically. This extract should explain:
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

import com.enterprisedt.net.ftp.FTPTransferType;
import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.net.ftp.ssh.SSHFTPPublicKey;

// Fetch the host's public key from the server itself
SSHFTPPublicKey publicKey = SSHFTPClient.getHostPublicKey(getHost());

ftp = new SSHFTPClient();
if (publicKey != null) {
    // Serialise the fetched key in OpenSSH format and feed it straight back in as a known host
    ByteArrayOutputStream outStream = new ByteArrayOutputStream();
    publicKey.write(outStream, SSHFTPPublicKey.OPENSSH_FORMAT);
    outStream.close();
    ByteArrayInputStream inStream = new ByteArrayInputStream(outStream.toByteArray());

    ftp.getValidator().setHostValidationEnabled(true);
    ftp.getValidator().addKnownHost(getHost(), inStream);
    inStream.close();
}
else {
    // No key could be fetched: fall back to no host validation at all
    ftp.getValidator().setHostValidationEnabled(false);
}
ftp.setType(FTPTransferType.ASCII);
// set remote host
ftp.setRemoteHost(getHost());
ftp.setAuthentication(getLogin(), getPassword());


The question is whether it is worth doing. I am asking because I have no experience with security. Maybe SSHFTPClient is doing the same thing anyway, in spite of setHostValidationEnabled(false)?

Thank you

3 Answers

0 votes
by (162k points)
The problem with doing this dynamically is that you are bypassing the security mechanism. Normally, if doing this dynamically you would display the key to the user and let them decide whether or not to accept it. By doing this silently, you are accepting any host's public key.

setHostValidationEnabled(false) doesn't do this - it simply bypasses the host key checking mechanism altogether (which is why it is only recommended for testing).

In a production system you really would be better off using a known_hosts file or a public key file.

If you really do want to do this, it is at least better to do it how you are doing it (rather than calling setHostValidationEnabled(false)), and in the process preserving the public keys that you have accepted. Then you have a record of what public keys were accepted.
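An added example (not from the original post and not EnterpriseDT's own code) of the safer variant this answer describes: instead of silently trusting whatever key the server hands back, the fetched key's fingerprint is compared against one pinned out of band, and only then is the key written to a per-host file and registered with addKnownHost(host, fileName), so the accepted key is also kept on disk as a record. It uses only the SSHFTPClient, SSHFTPPublicKey and validator calls that appear on this page plus standard Java; EXPECTED_FINGERPRINT is a placeholder, the class name and keyStoreDir are assumptions, and it assumes OPENSSH_FORMAT produces the usual "type base64-blob [comment]" line, so the SHA-256 fingerprint computed here is the one ssh-keygen -l would print.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.net.ftp.ssh.SSHFTPPublicKey;

// Hypothetical class name; not part of edtFTPj/PRO.
public class PinnedHostKeyExample {

    // PLACEHOLDER: the server's host key fingerprint, obtained out of band
    // (e.g. from the server administrator), never from the connection itself.
    static final String EXPECTED_FINGERPRINT = "SHA256:REPLACE_WITH_REAL_FINGERPRINT";

    // OpenSSH-style SHA-256 fingerprint of a "type base64-blob [comment]" key line.
    static String fingerprint(String opensshLine) throws NoSuchAlgorithmException {
        String[] parts = opensshLine.trim().split("\\s+");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not an OpenSSH public key line");
        }
        byte[] blob = Base64.getDecoder().decode(parts[1]);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(blob);
        // OpenSSH prints the digest base64-encoded without padding
        return "SHA256:" + Base64.getEncoder().withoutPadding().encodeToString(digest);
    }

    // Fetch the host key the same way the question does and render it in OpenSSH format.
    static String fetchHostKeyOpenSsh(String host) throws Exception {
        SSHFTPPublicKey key = SSHFTPClient.getHostPublicKey(host);
        if (key == null) {
            throw new IOException("no host key returned for " + host);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        key.write(out, SSHFTPPublicKey.OPENSSH_FORMAT);
        return out.toString("UTF-8");
    }

    // Connect only if the fetched key matches the pinned fingerprint; the accepted
    // key is stored under keyStoreDir (assumed directory) so there is a record of it.
    static SSHFTPClient connectWithPinnedKey(String host, String user, String password,
                                             File keyStoreDir) throws Exception {
        String keyLine = fetchHostKeyOpenSsh(host);
        String actual = fingerprint(keyLine);
        if (!actual.equals(EXPECTED_FINGERPRINT)) {
            // Refuse rather than fall back to setHostValidationEnabled(false)
            throw new SecurityException("host key for " + host + " has fingerprint "
                    + actual + ", expected " + EXPECTED_FINGERPRINT);
        }

        File keyFile = new File(keyStoreDir, host + ".pub");
        try (FileOutputStream fos = new FileOutputStream(keyFile)) {
            fos.write(keyLine.getBytes(StandardCharsets.UTF_8));
        }

        SSHFTPClient ftp = new SSHFTPClient();
        ftp.getValidator().setHostValidationEnabled(true);
        // File-based overload: the key file doubles as the persisted record
        ftp.getValidator().addKnownHost(host, keyFile.getAbsolutePath());
        ftp.setRemoteHost(host);
        ftp.setAuthentication(user, password);
        ftp.connect();
        return ftp;
    }
}
```

The important design choice is the failure path: a fingerprint mismatch ends the connection attempt instead of quietly disabling validation, which is the difference between pinning and the silent acceptance the answer warns about.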
0 votes
by
Hi,

Unfortunately I got an exception while the code was running:

Exception: com.enterprisedt.net.j2ssh.transport.InvalidHostFileException, Host file is not writeable.
at com.enterprisedt.net.j2ssh.transport.AbstractKnownHostsKeyVerification.saveHostFile(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.AbstractKnownHostsKeyVerification.allowHost(Unknown Source)
at com.enterprisedt.net.ftp.ssh.SSHFTPValidator.addKnownHost(Unknown Source)
.....

It seems the reason is the use of ftp.getValidator().addKnownHost(getHost(), inStream).
BTW, when I switched to addKnownHost(getHost(), fileName), where fileName contains a public key, it works properly.

Thank you.
0 votes
by (162k points)
Sorry for the delay, we are having problems with our web hosting.

This is a bug. If you want to try out a fix, please email support at enterprisedt dot com and we'll send you the patched jar file.
