0 votes
16.5k views
in Java FTP by (460 points)
Hi,

I am unable to connect using SFTP from AIX server to AIX server; I am getting the following exception.

====== UseSFTPWithServerValidationPublicKeyFile remote-host username password publickeyfile sourcefilepath destfilepath key(DSA or RSA)=======
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.389 : Deleted local copy : false
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.392 : Creating SFTP client
INFO [puretls] 9 Dec 2008 14:33:32.802 : PureTLS debug level=0
INFO [LicensePropertiesBase] 9 Dec 2008 14:33:32.927 : Licence expiry date: 31 Dec 9999
INFO [LicensePropertiesBase] 9 Dec 2008 14:33:32.927 : Production licence
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.961 : Setting user-name and password
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.970 : Loading server public-key from /home/edt/.ssh/id_rsa.pub
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 9 Dec 2008 14:33:32.995 : Connecting to server 123.cs.edt.com
INFO [SCPClient] 9 Dec 2008 14:33:32.995 : SCPClient settings validated.
INFO [TransportProtocolCommon] 9 Dec 2008 14:33:33.082 : Timeout=60000
INFO [TransportProtocolCommon] 9 Dec 2008 14:33:33.085 : Wait for state update timeout=60000
INFO [cryptix] 9 Dec 2008 14:33:33.112 : GLOBAL_TRACE=false
INFO [cryptix] 9 Dec 2008 14:33:33.112 : GLOBAL_DEBUG=false
INFO [cryptix] 9 Dec 2008 14:33:33.112 : GLOBAL_DEBUG_SLOW=false
INFO [TransportProtocolCommon] 9 Dec 2008 14:33:33.116 : Wait for state update timeout=60000
INFO [DhGroup1Sha1] 9 Dec 2008 14:33:33.118 : Starting client side key exchange.
WARN [SSHFTPValidator] 9 Dec 2008 14:33:33.214 : Host-key mismatch: allowed host-key, '2048: 3c 8c fc 93 61 74 da 6e c7 f1 93 ac 4 21 63 6c', does not match actual host-key, '1024: 23 b6 9 99 3b 48 71 f5 f a3 ee 4b 81 d5 b8 b9'.
ERROR [TransportProtocolOutputStream] 9 Dec 2008 14:33:33.216 : sendMessage() failed: Socket closed (state=5)
ERROR [TransportProtocolOutputStream] 9 Dec 2008 14:33:33.217 : sendMessage() failed: Socket closed (state=5)
com.enterprisedt.net.j2ssh.transport.kex.KeyExchangeException: The host signature is invalid or the host key was not accepted!
at com.enterprisedt.net.j2ssh.transport.TransportProtocolClient.performKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.beginKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.A(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.startBinaryPacketProtocol(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.run(Unknown Source)
at java.lang.Thread.run(Thread.java:810)
====== Successfully executed UseSFTPWithServerValidationPublicKeyFile =======

15 Answers

0 votes
by (161k points)
Here's your error:

"Host-key mismatch: allowed host-key xxx does not match actual host-key yyy"

So the public key you have supplied is not the public key of the SFTP server.
0 votes
by (460 points)
Hi,

Thanks for the reply. Now RSA encryption is working fine for public key authentication. I want to test the same with DSA, so I have generated the DSA key pair and copied it to the destination authorized key file. Now I am getting the following exception for DSA.

====== UseSFTPWithServerValidationPublicKeyFile remote-host username password publickeyfile sourcefilepath destfilepath key(DSA or RSA)=======
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.354 : Deleted local copy : true
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.357 : Creating SFTP client
INFO [puretls] 10 Dec 2008 15:44:25.803 : PureTLS debug level=0
INFO [LicensePropertiesBase] 10 Dec 2008 15:44:25.928 : Licence expiry date: 31 Dec 9999
INFO [LicensePropertiesBase] 10 Dec 2008 15:44:25.929 : Production licence
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.962 : Setting user-name and password
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.970 : Loading server public-key from /home/cwadmin/.ssh/id_dsa.pub
INFO [com.edt.siai.services.sftp.test.UseSFTPWithServerValidationKeyFile] 10 Dec 2008 15:44:25.997 : Connecting to server 123.cs.edt.com
INFO [SCPClient] 10 Dec 2008 15:44:25.997 : SCPClient settings validated.
INFO [TransportProtocolCommon] 10 Dec 2008 15:44:26.078 : Timeout=60000
INFO [TransportProtocolCommon] 10 Dec 2008 15:44:26.081 : Wait for state update timeout=60000
INFO [cryptix] 10 Dec 2008 15:44:26.107 : GLOBAL_TRACE=false
INFO [cryptix] 10 Dec 2008 15:44:26.107 : GLOBAL_DEBUG=false
INFO [cryptix] 10 Dec 2008 15:44:26.107 : GLOBAL_DEBUG_SLOW=false
INFO [DhGroup1Sha1] 10 Dec 2008 15:44:26.112 : Starting client side key exchange.
INFO [TransportProtocolCommon] 10 Dec 2008 15:44:26.114 : Wait for state update timeout=60000
WARN [SSHFTPValidator] 10 Dec 2008 15:44:26.198 : Host-key mismatch: allowed host-key, '1024: 4 f4 ae 6e fd fa b6 5a bb 64 8 9f 75 bc c6 30', does not match actual host-key, '1024: f2 32 d5 2 2c 4f fd f5 27 e4 51 80 fc f5 9a 6d'.
ERROR [TransportProtocolOutputStream] 10 Dec 2008 15:44:26.199 : sendMessage() failed: Socket closed (state=5)
ERROR [TransportProtocolOutputStream] 10 Dec 2008 15:44:26.200 : sendMessage() failed: Socket closed (state=5)
com.enterprisedt.net.j2ssh.transport.kex.KeyExchangeException: The host signature is invalid or the host key was not accepted!
at com.enterprisedt.net.j2ssh.transport.TransportProtocolClient.performKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.beginKeyExchange(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.A(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.startBinaryPacketProtocol(Unknown Source)
at com.enterprisedt.net.j2ssh.transport.TransportProtocolCommon.run(Unknown Source)
at java.lang.Thread.run(Thread.java:810)
====== Successfully executed UseSFTPWithServerValidationPublicKeyFile =======
0 votes
by (161k points)
Are you supplying /home/cwadmin/.ssh/id_dsa.pub as the server public key in the client?
0 votes
by (460 points)
Yes. It's the server public key file path I am using in the client.
0 votes
by (161k points)
And are you certain the server is using this public key?
0 votes
by (460 points)
First I generated the RSA public key and added it to the server authorized key file, and it works fine. Then I generated the DSA public key and added it to the server authorized key file, and it is not working and throws the above exception. If I get the public key using sshftp.getHostPublicKey(hostname), write it to a file locally and read the key from the local file, it works fine whether it is DSA or RSA. Can you tell me where I am going wrong?
If required, I will send my test Java file.
0 votes
by (161k points)
Yes please email your test Java code to support at enterprisedt dot com
0 votes
by (460 points)
The below one is not working for DSA

import java.io.File;

import com.enterprisedt.net.ftp.FTPClientInterface;
import com.enterprisedt.net.ftp.FTPTransferType;
import com.enterprisedt.net.ftp.ssh.SSHFTPAlgorithm;
import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.util.debug.Level;
import com.enterprisedt.util.debug.Logger;

public class UseSFTPWithServerValidationKeyFile
{

    /**
     * Put a file and get it back as a local copy (the remote delete is
     * commented out)
     *
     * @param srcFileName  local source filename
     * @param destFileName remote destination filename
     * @param ftp          reference to FTP client
     */
    private static void putGetDelete(String srcFileName, String destFileName, FTPClientInterface ftp)
        throws Exception
    {
        ftp.put(srcFileName, destFileName);
        ftp.get(srcFileName + ".copy", destFileName);
        //ftp.delete(destFileName);
    }

    public static void main(String[] args)
    {
        testServerPublicKeyFile(args);
    }

    public static void testServerPublicKeyFile(String[] args)
    {
        // we need all seven arguments listed in the usage message (args[6] is read below)
        if (args.length < 7)
        {
            System.out.println("Usage: run remote-host username password publickeyfile sourcefile destfile key(DSA or RSA)");
            System.out.println("publickeyfile = file containing the public key of the server in OpenSSH or SECSH format");
            System.exit(1);
        }

        // extract command-line arguments
        String host = args[0];
        String username = args[1];
        String password = args[2];
        String keyfile = args[3];
        String srcFileName = args[4];
        String destFileName = args[5];
        String key = args[6];

        // set up logger so that we get some output
        Logger log = Logger.getLogger(UseSFTPWithServerValidationKeyFile.class);
        Logger.setLevel(Level.INFO);

        try
        {
            // deleting local file if exists
            File file = new File(srcFileName + ".copy");
            log.info(" Deleted local copy : " + file.delete());

            // create client
            log.info("Creating SFTP client");
            SSHFTPClient ftp = new SSHFTPClient();

            // set remote host
            ftp.setRemoteHost(host);

            // now if your keyfile is a DSA public key, then you
            // should disable all keypairs, and then enable DSA. This
            // forces the server to send its DSA public key - if it sent
            // an RSA public key and your keyfile is DSA, server validation
            // will fail
            if ("RSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_RSA, true);
            }
            else if ("DSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_DSA, true);
            }

            log.info("Setting user-name and password");
            ftp.setAuthentication(username, password);

            // the key in keyfile is the only host key the validator will accept for this host
            log.info("Loading server public-key from " + keyfile);
            ftp.getValidator().addKnownHost(host, keyfile);

            // connect to the server
            log.info("Connecting to server " + host);
            ftp.connect();

            log.info("Setting transfer mode to ASCII");
            ftp.setType(FTPTransferType.ASCII);

            putGetDelete(srcFileName, destFileName, ftp);
            log.info("Successfully transferred in ASCII mode");

            // Shut down client
            log.info("Quitting client");
            ftp.quit();

            log.info("Example complete");
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }
}
=================================================

The below one is working for both DSA or RSA


import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;

import com.enterprisedt.net.ftp.ssh.SSHFTPAlgorithm;
import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
import com.enterprisedt.net.ftp.ssh.SSHFTPPublicKey;
import com.enterprisedt.util.debug.Level;
import com.enterprisedt.util.debug.Logger;

public class UseSFTPServerAutoValidationPublicKey
{
    public static void main(String[] args)
    {
        testServerPublicKeyFile(args);
    }

    public static void testServerPublicKeyFile(String[] args)
    {
        // we need all seven arguments listed in the usage message (args[6] is read below)
        if (args.length < 7)
        {
            System.out.println("Usage: run remote-host username password publickeyfile sourcefile destfile key(DSA or RSA)");
            System.out.println("publickeyfile = file containing the public key of the server in OpenSSH or SECSH format");
            System.exit(1);
        }

        // extract command-line arguments
        String host = args[0];
        String username = args[1];
        String password = args[2];
        String keyfile = args[3];
        String srcFileName = args[4];
        String destFileName = args[5];
        String key = args[6];

        // set up logger so that we get some output
        Logger log = Logger.getLogger(UseSFTPServerAutoValidationPublicKey.class);
        Logger.setLevel(Level.INFO);

        try
        {
            // deleting local file if exists
            File file = new File(srcFileName + ".copy");
            log.info(" Deleted local copy : " + file.delete());

            // create client
            log.info("Creating SFTP client");
            SSHFTPClient ftp = new SSHFTPClient();

            // set remote host
            ftp.setRemoteHost(host);

            // now if your keyfile is a DSA public key, then you
            // should disable all keypairs, and then enable DSA. This
            // forces the server to send its DSA public key - if it sent
            // an RSA public key and your keyfile is DSA, server validation
            // will fail
            if ("RSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_RSA, true);
            }
            else if ("DSA".equalsIgnoreCase(key))
            {
                ftp.disableAllAlgorithms(SSHFTPAlgorithm.KEY_PAIR);
                ftp.setAlgorithmEnabled(SSHFTPAlgorithm.KEY_DSA, true);
            }

            log.info("Setting user-name and password");
            ftp.setAuthentication(username, password);

            // fetch the host key the server presents right now and write it to
            // keyfile (overwriting it), so the key validated below is always the
            // one just received from the server
            File f = new File(keyfile);
            FileOutputStream fout = new FileOutputStream(f);

            log.info("\n ------------- Open SSH Format " + SSHFTPPublicKey.OPENSSH_FORMAT);

            SSHFTPClient.getHostPublicKey(host).write(fout, SSHFTPPublicKey.OPENSSH_FORMAT);

            log.info(" Before Closing the Output Stream " + keyfile);

            fout.close();

            log.info("Loading server public-key from " + keyfile);
            ftp.getValidator().addKnownHost(host, new FileInputStream(f));

            // connect to the server
            log.info("Connecti
0 votes
by (161k points)
It still isn't obvious what the error is. Two things to try:

1) Please set the log level to ALL:

Logger.setLevel(Level.ALL);

and EMAIL the log files to us (please don't post them, they will be too large for the forums).

2) Please also email the DSA public key id_dsa.pub, and the DSA public key obtained from SSHFTPClient.getHostPublicKey(host)

These should be identical - they obviously aren't so the server isn't sending back the key you think it is.
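
A key pair generated for the authorized key file authenticates the user, whereas the validator compares against the server's own host key, so it helps to fingerprint the file before passing it to addKnownHost(). The following is an added example, not code from this thread or from EnterpriseDT: it prints an OpenSSH public-key line in the same "bits: hex bytes" form as the SSHFTPValidator warning, assuming that form is the key size followed by the MD5 of the key blob in unpadded hex. The class and method names are made up for the example, and the two keys are generated in the program as constructed stand-ins for ~/.ssh/id_dsa.pub and the server's host-key file.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.interfaces.DSAPublicKey;
import java.util.Base64;

public class HostKeyFingerprint {
    // Read one length-prefixed field (uint32 length, then bytes) from an SSH key blob.
    static byte[] readField(ByteBuffer buf) {
        byte[] field = new byte[buf.getInt()];
        buf.get(field);
        return field;
    }
    // keyLine is the content of an OpenSSH .pub file: "<type> <base64 blob> [comment]".
    static String fingerprint(String keyLine) throws Exception {
        byte[] blob = Base64.getDecoder().decode(keyLine.trim().split("\\s+")[1]);
        ByteBuffer buf = ByteBuffer.wrap(blob);
        String type = new String(readField(buf), StandardCharsets.US_ASCII);
        // ssh-rsa blob holds e then n (size = bits of n); ssh-dss holds p, q, g, y (size = bits of p).
        if (type.equals("ssh-rsa")) readField(buf); // skip e
        else if (!type.equals("ssh-dss")) throw new IllegalArgumentException("unsupported key type: " + type);
        int bits = new BigInteger(1, readField(buf)).bitLength();
        StringBuilder out = new StringBuilder(bits + ":");
        for (byte b : MessageDigest.getInstance("MD5").digest(blob))
            out.append(' ').append(Integer.toHexString(b & 0xff)); // unpadded, as in the log
        return out.toString();
    }
    // Constructed sample input: a freshly generated DSA key encoded as an "ssh-dss" line.
    static String sampleDsaLine(String comment) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("DSA");
        gen.initialize(1024);
        DSAPublicKey k = (DSAPublicKey) gen.generateKeyPair().getPublic();
        byte[][] fields = { "ssh-dss".getBytes(StandardCharsets.US_ASCII),
            k.getParams().getP().toByteArray(), k.getParams().getQ().toByteArray(),
            k.getParams().getG().toByteArray(), k.getY().toByteArray() };
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        for (byte[] f : fields) { blob.write(ByteBuffer.allocate(4).putInt(f.length).array()); blob.write(f); }
        return "ssh-dss " + Base64.getEncoder().encodeToString(blob.toByteArray()) + " " + comment;
    }
    public static void main(String[] args) throws Exception {
        String userKey = sampleDsaLine("user@client"); // stands in for ~/.ssh/id_dsa.pub
        String hostKey = sampleDsaLine("host-key");    // stands in for the server's host key
        System.out.println("allowed (file given to addKnownHost): " + fingerprint(userKey));
        System.out.println("actual  (key the server presents):    " + fingerprint(hostKey));
        System.out.println("match: " + fingerprint(userKey).equals(fingerprint(hostKey)));
    }
}
```

With real files, pass fingerprint() the contents of the file given to addKnownHost() and of the server's host public key file (on OpenSSH servers typically /etc/ssh/ssh_host_dsa_key.pub, an assumption about the server's configuration) and compare the results with the two values in the warning.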
0 votes
by (460 points)
Can you send me your email ID?
