topic Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password in Talend Studio

tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Fri, 15 Nov 2024 22:27:31 GMT

Hi Team,

I'm trying to establish SFTP connection using tFTPConnection component and I'm using auth type is Public Key but getting error "Auth fail for methods 'publickey,gssapi-with-mic,password", but with the same host,port..... I'm able login in WinSCP and FilleZilla, so problem with component !

I run the job with debug and i get alos same informations :

tFTPConnection_1 - Start to work.

tFTPConnection_1 - Parameters:HOST = context.host_FTP | PORT = context.port_FTP | USER = context.user_FTP | SFTP = true | AUTH_METHOD = PUBLICKEY | PRIVATEKEY = context.Keyprivate_FTP | PASSPHRASE = enc:... | USE_ENCODING = false | USE_PROXY = false | CONNECTION_TIMEOUT = 0 | USE_STRICT_REPLY_PARSING = true | CONFIG_CLIENT = true | CLIENT_PARAMETERS = [{VALUE="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256", PARAMETER="kex"}, {VALUE="ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256", PARAMETER="server_host_key"}, {VALUE="aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com", PARAMETER="cipher.s2c"}, {VALUE="aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com", PARAMETER="cipher.c2s"}, {VALUE="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512", PARAMETER="mac.s2c"}, {VALUE="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512", PARAMETER="mac.c2s"}] |

tFTPConnection_1 - SFTP authentication using a public key.

tFTPConnection_1 - Private key: 'C:/Users/XXXX/.ssh/login_cleprive.ppk'.

tFTPConnection_1 - Attempt to connect to 'xxx.xxx.xxx.x' with username 'login'.

Connecting to xxx.xxx.xxx.x port xxxx

Connection established

Remote version string: SSH-1.99-OpenSSH_3.9p1

Local version string: SSH-2.0-JSCH_0.2.1

CheckCiphers: chacha20-poly1305@openssh.com

CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512

CheckSignatures: ssh-ed25519,ssh-ed448

ssh-ed25519 is not available.

ssh-ed448 is not available.

server_host_key proposal before removing unavailable algos is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

server_host_key proposal after removing unavailable algos is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

server_host_key proposal before known_host reordering is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

server_host_key proposal after known_host reordering is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

SSH_MSG_KEXINIT sent

SSH_MSG_KEXINIT received

kex: server: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

kex: server: ssh-rsa,ssh-dss

kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

kex: server: none,zlib

kex: server:

kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c

kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com

kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512

kex: client: none

kex: client:

kex: algorithm: diffie-hellman-group14-sha1

kex: host key algorithm: ssh-rsa

kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none

kex: client->server cipher: aes128-ctr MAC: hmac-md5 compression: none

SSH_MSG_KEXDH_INIT sent

expecting SSH_MSG_KEXDH_REPLY

ssh_rsa_verify: ssh-rsa signature true

Permanently added 'xxx.xxx.xxx.x' (RSA) to the list of known hosts.

SSH_MSG_NEWKEYS sent

SSH_MSG_NEWKEYS received

SSH_MSG_SERVICE_REQUEST sent

SSH_MSG_SERVICE_ACCEPT received

Authentications that can continue: publickey,password,keyboard-interactive,gssapi-with-mic

Next authentication method: publickey

PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

Signature algorithms unavailable for non-agent identities = [ssh-ed25519, ssh-ed448]

No server-sig-algs found, using PubkeyAcceptedAlgorithms = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]

rsa-sha2-512 preauth failure

rsa-sha2-256 preauth failure

Authentications that can continue: password,keyboard-interactive,gssapi-with-mic

Next authentication method: password

Authentications that can continue: gssapi-with-mic

Next authentication method: gssapi-with-mic

Disconnecting from xxx.xxx.xxx.x port xxxx

Could someone please have look into it. Please

Note : Even with tScpConnection i got the same problem, i'm using Talend v8.0.1 with the last version R2022-09, I also find this solution https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US but doesn't help me !!

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

Anonymous — Fri, 14 Oct 2022 15:53:50 GMT

Can you show us your component configuration and the standard System.out you get for the error please?

You *may* find this solution that I provided for an issue that doesn't initially look too dissimilar to this, useful. This was caused by a permutation of security options not being supported by the standard component.

https://community.talend.com/s/feed/0D73p000004uVGzCAM

It does require a bit of Java. But if you are OK with Java, it opens a lot of doors.

If you can give me a bit more detail regarding your component config and the standard error you get, I may be able to get this raised as a Jira.

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

Anonymous — Fri, 14 Oct 2022 16:36:43 GMT

Hello,

We've recently upgraded the FTP library, but that should out of the box support the newer security mechanisms.

Could you please check this github issue? They suggest there to expand the cipher.c2s / cipher.s2c parameters. https://github.com/mwiede/jsch/issues/47

Also there's an article about the config client changes that were applied during the upgrade to make it bacward compatible. https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms

Based on the logs it looks to me that this job used to exists in studio, as the config client already has extra values, which is populated during the patch application.

Keep in mind that if this is a regression you should raise it with Talend Support as these cases are treated as Critical bugs by R&D.

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Tue, 18 Oct 2022 10:01:43 GMT

Hello,

Thanks @Richard Hall and @Balazs Gunics for your answers, the problem is caused by the update of the jsch library from 0.1.55 to 0.2.1, so in order to solve my problem I set up the following job:

with this setting :

I hope it's a good a solution !

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

Anonymous — Tue, 18 Oct 2022 12:06:20 GMT

Hello,

It gets the job done but I don't agree that it's a good solution.

You can easily override the versions for the whole project/branch: https://help.talend.com/r/en-US/8.0/studio-user-guide-data-fabric/overriding-external-modules-by-customizing-mvn-uri

And as I mentioned if this is a regression then it might affect a lot of customers. The sooner Support knows about it the sooner it can reproduced and if it's indeed a regression then it will be fixed.

Have you tried the later version of jsch? https://github.com/mwiede/jsch

That has different exception message which should clearly indicate what values you'd have to add for the Advanced Settings. By doing that changes your job should work without any over/underride in the library.

Using an old version of the library might cause issues in case there's a CVE which will be fixed by Talend but your tLibraryLoad will override that leaving your vulnerable.

So it's a good temporary solution to get things moving. If it's the depreacated ciphers then you can enable those ciphers, not a product issue, unless this used to work and after the upgrade it broke, because that's not expected and it needs to be fixed in the product.

Downgrade / enable old ciphers you do at your own risk because this means an attacker can crack the communication between the client and the server, gaining access to the content of the file itself. That's the reason it was removed by JSCH. It's a big security risk to use outdated ciphers. 20+ years ago it would take years to crack these. Nowadays it might only take a few thousand dollars as you can rent computing.

Regards,

Balázs

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Tue, 18 Oct 2022 15:07:15 GMT

Hello,

@Balazs Gunics I want to trie this solution https://github.com/mwiede/jsch but I'm confused how should I adapt it in Talend, if you can give me a hand on what should I do the change?

Thanks

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

Anonymous — Tue, 18 Oct 2022 16:09:26 GMT

Hello,

In this article you can find the step by step guide: https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US

(Screenshot + the values above.)

My expectation is that the newer version of the library would give you the key_name + missing_value in the Exception. (Based on the logs I've seen from others.)

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Wed, 19 Oct 2022 13:37:31 GMT

Hello,

So i tried this solution https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US but know i get a new issue :

Exception in component tFTPConnection_1 (TEST_SFTP)

com.jcraft.jsch.JSchException: Algorithm negotiation fail

at com.jcraft.jsch.Session.receive_kexinit(Session.java:604)

at com.jcraft.jsch.Session.connect(Session.java:334)

at com.jcraft.jsch.Session.connect(Session.java:194)

at bcb.test_sftp_0_1.TEST_SFTP.tFTPConnection_1Process(TEST_SFTP.java:1659)

at bcb.test_sftp_0_1.TEST_SFTP.runJobInTOS(TEST_SFTP.java:2805)

at bcb.test_sftp_0_1.TEST_SFTP.main(TEST_SFTP.java:2395)

[FATAL] 11:44:01 bcb.test_sftp_0_1.TEST_SFTP- tFTPConnection_1 Algorithm negotiation fail

com.jcraft.jsch.JSchException: Algorithm negotiation fail

at com.jcraft.jsch.Session.receive_kexinit(Session.java:604) ~[jsch-0.2.1.jar:0.2.1]

at com.jcraft.jsch.Session.connect(Session.java:334) ~[jsch-0.2.1.jar:0.2.1]

at com.jcraft.jsch.Session.connect(Session.java:194) ~[jsch-0.2.1.jar:0.2.1]

at bcb.test_sftp_0_1.TEST_SFTP.tFTPConnection_1Process(TEST_SFTP.java:1659) [classes/:?]

at bcb.test_sftp_0_1.TEST_SFTP.runJobInTOS(TEST_SFTP.java:2805) [classes/:?]

at bcb.test_sftp_0_1.TEST_SFTP.main(TEST_SFTP.java:2395) [classes/:?]

I think the version jsch-0.2.1.jar need to be updated ?

Best regards

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

Anonymous — Wed, 19 Oct 2022 14:02:47 GMT

Yes, well with 0.2.1 you can enable log4j debug logs and figure out the information from there. (that was the latest at the time)

With the newer version of the library the exception message itself will hold they key, missing value. (Which we'll plan to upgrade for soon.)

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Wed, 19 Oct 2022 14:56:09 GMT

Ok thank you, I will wait for the next version of jar to see if this will solve my problem...

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Thu, 12 Jan 2023 11:01:48 GMT

Hello,

Finally the support send me this solution, i hope it gonna help others !

Steup 1 :

Steup 2 :

Upload the jar jsch-0.2.4.jar than uploaded in the tLibraryLoad

Steup 3 :

Add the following under tFTPConnection > Advanced settings > Config client

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

Anonymous — Thu, 12 Jan 2023 21:52:47 GMT

Hello Thanks for sharing back!

I think the library bump is not necessary.

If you think it is, then please use less tLibraryLoad and: https://help.talend.com/r/en-US/8.0/studio-user-guide/overriding-external-modules-by-customizing-mvn-uri (this basically lets you create a search:replace list that is applied with the pom generation. And in case you replace 0.1 with 0.2 but Talend adds 0.3 your job starts to use 0.3 unless you again replace 0.3 with 0.2 🙂

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A — Fri, 13 Jan 2023 15:00:53 GMT

Hello,

Thanks for your suggestion @Balazs Gunics , i will do'it in my job

Best regards

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

sgbreports — Thu, 24 Oct 2024 08:52:43 GMT

Hi, I'm having this same issue with a tFTPConnection component. I'm trying to connect to a SFTP site using a username, password and host and getting "Auth fail for methods 'publickey,gssapi-with-mic,keyboard-interactive,password'". I have download the latest version of Talend (R2024-08) and jsch file (0.2.19) and still getting the same error. Any ideas?

Re: tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password

E7M-A1 — Thu, 24 Oct 2024 15:01:51 GMT

Bonjour @sgbreports

T'as essayé avec une autre version jsch a part la 0.2.19 ?

Cordialement