E7M-A

tFTPConnection - Auth fail for methods 'publickey,gssapi-with-mic,password'

Hi Team,

I'm trying to establish an SFTP connection using the tFTPConnection component with the auth type set to Public Key, but I get the error "Auth fail for methods 'publickey,gssapi-with-mic,password'". With the same host, port, ... I'm able to log in with WinSCP and FileZilla, so the problem is with the component!

I ran the job in debug mode and got the same information:

 tFTPConnection_1 - Start to work.

 tFTPConnection_1 - Parameters:HOST = context.host_FTP | PORT = context.port_FTP | USER = context.user_FTP | SFTP = true | AUTH_METHOD = PUBLICKEY | PRIVATEKEY = context.Keyprivate_FTP | PASSPHRASE = enc:... | USE_ENCODING = false | USE_PROXY = false | CONNECTION_TIMEOUT = 0 | USE_STRICT_REPLY_PARSING = true | CONFIG_CLIENT = true | CLIENT_PARAMETERS = [{VALUE="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256", PARAMETER="kex"}, {VALUE="ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256", PARAMETER="server_host_key"}, {VALUE="aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com", PARAMETER="cipher.s2c"}, {VALUE="aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com", PARAMETER="cipher.c2s"}, {VALUE="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512", PARAMETER="mac.s2c"}, {VALUE="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512", PARAMETER="mac.c2s"}] | 

 tFTPConnection_1 - SFTP authentication using a public key.

 tFTPConnection_1 - Private key: 'C:/Users/XXXX/.ssh/login_cleprive.ppk'.

 tFTPConnection_1 - Attempt to connect to 'xxx.xxx.xxx.x' with username 'login'.

 Connecting to xxx.xxx.xxx.x port xxxx

 Connection established

 Remote version string: SSH-1.99-OpenSSH_3.9p1

 Local version string: SSH-2.0-JSCH_0.2.1

 CheckCiphers: chacha20-poly1305@openssh.com

 CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512

 CheckSignatures: ssh-ed25519,ssh-ed448

 ssh-ed25519 is not available.

 ssh-ed448 is not available.

 server_host_key proposal before removing unavailable algos is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

 server_host_key proposal after removing unavailable algos is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

 server_host_key proposal before known_host reordering is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

 server_host_key proposal after known_host reordering is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

 SSH_MSG_KEXINIT sent

 SSH_MSG_KEXINIT received

 kex: server: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

 kex: server: ssh-rsa,ssh-dss

 kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

 kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

 kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

 kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

 kex: server: none,zlib

 kex: server: none,zlib

 kex: server: 

 kex: server: 

 kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c

 kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

 kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com

 kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com

 kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512

 kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512

 kex: client: none

 kex: client: none

 kex: client: 

 kex: client: 

 kex: algorithm: diffie-hellman-group14-sha1

 kex: host key algorithm: ssh-rsa

 kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none

 kex: client->server cipher: aes128-ctr MAC: hmac-md5 compression: none

 SSH_MSG_KEXDH_INIT sent

 expecting SSH_MSG_KEXDH_REPLY

 ssh_rsa_verify: ssh-rsa signature true

 Permanently added 'xxx.xxx.xxx.x' (RSA) to the list of known hosts.

 SSH_MSG_NEWKEYS sent

 SSH_MSG_NEWKEYS received

 SSH_MSG_SERVICE_REQUEST sent

 SSH_MSG_SERVICE_ACCEPT received

 Authentications that can continue: publickey,password,keyboard-interactive,gssapi-with-mic

 Next authentication method: publickey

 PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256

 Signature algorithms unavailable for non-agent identities = [ssh-ed25519, ssh-ed448]

 No server-sig-algs found, using PubkeyAcceptedAlgorithms = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]

 rsa-sha2-512 preauth failure

 rsa-sha2-256 preauth failure

 Authentications that can continue: password,keyboard-interactive,gssapi-with-mic

 Next authentication method: password

 Authentications that can continue: gssapi-with-mic

 Next authentication method: gssapi-with-mic

 Disconnecting from xxx.xxx.xxx.x port xxxx

Could someone please have a look into it?

Note: Even with tScpConnection I get the same problem. I'm using Talend v8.0.1 with the latest version R2022-09. I also found this solution https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US but it doesn't help me!

12 Replies
Anonymous

Can you show us your component configuration and the standard output (System.out) you get for the error, please?

 

You *may* find this solution, which I provided for an issue that doesn't initially look too dissimilar to this, useful. That one was caused by a permutation of security options not being supported by the standard component.

 

https://community.talend.com/s/feed/0D73p000004uVGzCAM

 

It does require a bit of Java. But if you are OK with Java, it opens a lot of doors.

 

If you can give me a bit more detail regarding your component config and the standard error you get, I may be able to get this raised as a Jira.

Anonymous

Hello,

 

We've recently upgraded the FTP library, but that should support the newer security mechanisms out of the box.

Could you please check this GitHub issue? They suggest expanding the cipher.c2s / cipher.s2c parameters there. https://github.com/mwiede/jsch/issues/47

Also there's an article about the config client changes that were applied during the upgrade to make it backward compatible. https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms

 

Based on the logs it looks to me like this job already existed in Studio, as the config client already has extra values, which are populated during the patch application.

Keep in mind that if this is a regression you should raise it with Talend Support as these cases are treated as Critical bugs by R&D.

E7M-A (Author)

Hello,

 

Thanks @Richard Hall and @Balazs Gunics for your answers. The problem is caused by the update of the jsch library from 0.1.55 to 0.2.1, so in order to solve my problem I set up the following job:

 

[screenshot of the job]

with this setting :

 

[screenshots of the settings]

I hope it's a good solution!

 

Anonymous

Hello,

 

It gets the job done, but I don't agree that it's a good solution.

You can easily override the versions for the whole project/branch: https://help.talend.com/r/en-US/8.0/studio-user-guide-data-fabric/overriding-external-modules-by-customizing-mvn-uri

And as I mentioned, if this is a regression then it might affect a lot of customers. The sooner Support knows about it, the sooner it can be reproduced and, if it's indeed a regression, fixed.

 

Have you tried the later version of jsch? https://github.com/mwiede/jsch

That has a different exception message which should clearly indicate what values you'd have to add in the Advanced Settings. By making those changes your job should work without any override of the library.

Using an old version of the library might cause issues in case there's a CVE which gets fixed by Talend but your tLibraryLoad overrides that, leaving you vulnerable.

 

So it's a good temporary solution to get things moving. If it's the deprecated ciphers, then you can enable those ciphers; that's not a product issue, unless this used to work and broke after the upgrade, because that's not expected and needs to be fixed in the product.

 

Downgrading / enabling old ciphers you do at your own risk, because this means an attacker can crack the communication between the client and the server, gaining access to the content of the file itself. That's the reason they were removed by JSch. It's a big security risk to use outdated ciphers. 20+ years ago it would take years to crack these; nowadays it might only take a few thousand dollars, as you can rent computing.

 

Regards,

Balázs

E7M-A (Author)

Hello,

 

@Balazs Gunics I want to try this solution https://github.com/mwiede/jsch but I'm confused about how I should adapt it in Talend. Could you give me a hand on what I should change?

 

Thanks

 

Anonymous

Hello,

 

In this article you can find the step by step guide: https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US

(Screenshot + the values above.)

My expectation is that the newer version of the library would give you the key_name + missing_value in the Exception. (Based on the logs I've seen from others.)

E7M-A (Author)

Hello,

 

So I tried this solution https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US but now I get a new issue:

 

Exception in component tFTPConnection_1 (TEST_SFTP)

com.jcraft.jsch.JSchException: Algorithm negotiation fail

at com.jcraft.jsch.Session.receive_kexinit(Session.java:604)

at com.jcraft.jsch.Session.connect(Session.java:334)

at com.jcraft.jsch.Session.connect(Session.java:194)

at bcb.test_sftp_0_1.TEST_SFTP.tFTPConnection_1Process(TEST_SFTP.java:1659)

at bcb.test_sftp_0_1.TEST_SFTP.runJobInTOS(TEST_SFTP.java:2805)

at bcb.test_sftp_0_1.TEST_SFTP.main(TEST_SFTP.java:2395)

[FATAL] 11:44:01 bcb.test_sftp_0_1.TEST_SFTP- tFTPConnection_1 Algorithm negotiation fail

com.jcraft.jsch.JSchException: Algorithm negotiation fail

at com.jcraft.jsch.Session.receive_kexinit(Session.java:604) ~[jsch-0.2.1.jar:0.2.1]

at com.jcraft.jsch.Session.connect(Session.java:334) ~[jsch-0.2.1.jar:0.2.1]

at com.jcraft.jsch.Session.connect(Session.java:194) ~[jsch-0.2.1.jar:0.2.1]

at bcb.test_sftp_0_1.TEST_SFTP.tFTPConnection_1Process(TEST_SFTP.java:1659) [classes/:?]

at bcb.test_sftp_0_1.TEST_SFTP.runJobInTOS(TEST_SFTP.java:2805) [classes/:?]

at bcb.test_sftp_0_1.TEST_SFTP.main(TEST_SFTP.java:2395) [classes/:?]

 

I think the version jsch-0.2.1.jar needs to be updated?

 

Best regards
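Both failures in this thread (the "Auth fail" in the opening post and the "Algorithm negotiation fail" just above) can be replayed offline from the debug log in the opening post. The script below is an added example, not code from Talend or from JSch. It parses the "kex: server:" / "kex: client:" proposal lines, applies the RFC 4253 rule JSch follows (the first algorithm in the client's list that the server also offers wins), and then mirrors the public-key step, where a server that sends no server-sig-algs extension leaves the client guessing which RSA signature name to use. The embedded log is copied from the first post (only the lines the script reads). Two things are my assumptions, not facts from the page: that the .ppk identity is an RSA key (JSch only tries rsa-sha2-512/rsa-sha2-256 for RSA identities), and that the CLIENT_PARAMETERS table passes any JSch configuration key through, so that PubkeyAcceptedAlgorithms (the key the log itself prints) can be set there like kex or cipher.c2s. The apply_config helper is mine too; it only exists to test a candidate change against the parsed log.

```python
# Added example, not Talend's or JSch's own code: replays the SSH algorithm
# negotiation and the public-key signature choice recorded in a JSch debug log.
# SAMPLE_LOG is copied from the opening post (only the lines read here); the
# identity is assumed to be an RSA key, which JSch trying rsa-sha2-* implies.
import copy
import re
from typing import Any, Dict, List, Optional

# Leading SSH_MSG_KEXINIT lists (RFC 4253 section 7.1). JSch prints the server's
# lists and then the client's in this order; a miss in any of them aborts the
# connection with "Algorithm negotiation fail".
KEXINIT_FIELDS = ["kex", "server_host_key", "cipher.c2s", "cipher.s2c",
                  "mac.c2s", "mac.s2c"]
# Signature names usable with an RSA identity. rsa-sha2-* arrived with OpenSSH
# 7.2 (RFC 8332); a 2004-era OpenSSH 3.9 can verify ssh-rsa (SHA-1) only.
RSA_SIG_ALGS = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")

SAMPLE_LOG = """\
Remote version string: SSH-1.99-OpenSSH_3.9p1
Local version string: SSH-2.0-JSCH_0.2.1
kex: server: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
kex: server: ssh-rsa,ssh-dss
kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
No server-sig-algs found, using PubkeyAcceptedAlgorithms = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]
rsa-sha2-512 preauth failure
rsa-sha2-256 preauth failure
"""


def parse_jsch_log(text: str) -> Dict[str, Any]:
    """Extract both KEXINIT proposals and the public-key auth facts from JSch debug output."""
    lists: Dict[str, List[List[str]]] = {"server": [], "client": []}
    info: Dict[str, Any] = {"pubkey_accepted": [], "preauth_failures": [],
                            "server_sig_algs_missing": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^kex: (server|client):\s*(.*)$", line):
            lists[m.group(1)].append([a for a in m.group(2).split(",") if a])
        elif m := re.match(r"^PubkeyAcceptedAlgorithms = (.*)$", line):
            info["pubkey_accepted"] = m.group(1).split(",")
        elif m := re.match(r"^(\S+) preauth failure$", line):
            info["preauth_failures"].append(m.group(1))
        elif line.startswith("No server-sig-algs found"):
            info["server_sig_algs_missing"] = True   # RFC 8332 extension absent
    for side, proposals in lists.items():
        info[side] = dict(zip(KEXINIT_FIELDS, proposals))
    return info


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253: the first algorithm in the client's list that the server also offers wins."""
    return next((a for a in client if a in server), None)


def diagnose(info: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror JSch's two decision points and name the CONFIG_CLIENT key that would unblock them."""
    chosen = {f: negotiate(info["client"].get(f, []), info["server"].get(f, []))
              for f in KEXINIT_FIELDS}
    missing = [f for f, alg in chosen.items() if alg is None]
    if missing:   # Session.receive_kexinit throws here
        return {"chosen": chosen, "verdict": "Algorithm negotiation fail",
                "fix": "add an algorithm the server offers to these CONFIG_CLIENT lists: "
                       + ", ".join(missing)}
    # Public-key stage: without server-sig-algs the client can only guess, and JSch
    # tries each RSA name present in PubkeyAcceptedAlgorithms, in list order.
    tried = [a for a in info["pubkey_accepted"] if a in RSA_SIG_ALGS]
    if (info["server_sig_algs_missing"] and "ssh-rsa" not in tried
            and set(tried) <= set(info["preauth_failures"])):
        return {"chosen": chosen,
                "verdict": "Auth fail: server rejected every rsa-sha2-* attempt and ssh-rsa was never offered",
                "fix": "PubkeyAcceptedAlgorithms = " + ",".join(info["pubkey_accepted"] + ["ssh-rsa"])}
    return {"chosen": chosen, "verdict": "ok", "fix": None}


def apply_config(info: Dict[str, Any], key: str, csv: str) -> Dict[str, Any]:
    """Copy the parsed state with one client-side list replaced, to test a candidate fix offline."""
    out = copy.deepcopy(info)
    if key == "PubkeyAcceptedAlgorithms":
        out["pubkey_accepted"] = csv.split(",")
    else:
        out["client"][key] = csv.split(",")
    return out


if __name__ == "__main__":
    report = diagnose(parse_jsch_log(SAMPLE_LOG))
    print(report["verdict"], "| negotiated:", report["chosen"], "| fix:", report["fix"])
```

Run as-is it reproduces the transport choices the log records (diffie-hellman-group14-sha1, ssh-rsa, aes128-ctr, hmac-md5) and reports that the public-key step failed because ssh-rsa was never offered; re-running diagnose after apply_config with the suggested PubkeyAcceptedAlgorithms value comes back clean, while restricting the client kex list to modern algorithms the server lacks reproduces "Algorithm negotiation fail". Two caveats a practitioner should weigh before applying the fix: appending ssh-rsa makes the session authenticate with a SHA-1 RSA signature over a diffie-hellman-group14-sha1 exchange with hmac-md5 integrity, which is exactly the weakening Balázs warns about, and the only durable fix is a server newer than OpenSSH 3.9p1; and the "Permanently added ... to the list of known hosts" line in the log means JSch accepted the host key on first use, so a pinned known_hosts entry is the check to add before relying on this connection for production transfers.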

 

Anonymous

Yes, well, with 0.2.1 you can enable log4j debug logs and figure out the information from there. (That was the latest at the time.)

With the newer version of the library the exception message itself will hold the key and the missing value. (Which we plan to upgrade to soon.)

E7M-A (Author)

OK, thank you. I will wait for the next version of the jar to see if it solves my problem...