Hi Team,
I'm trying to establish an SFTP connection using the tFTPConnection component with the auth type set to Public Key, but I'm getting the error "Auth fail for methods 'publickey,gssapi-with-mic,password'". With the same host, port, etc. I'm able to log in with WinSCP and FileZilla, so the problem is with the component!
I ran the job in debug and I get the same information:
tFTPConnection_1 - Start to work.
tFTPConnection_1 - Parameters:HOST = context.host_FTP | PORT = context.port_FTP | USER = context.user_FTP | SFTP = true | AUTH_METHOD = PUBLICKEY | PRIVATEKEY = context.Keyprivate_FTP | PASSPHRASE = enc:... | USE_ENCODING = false | USE_PROXY = false | CONNECTION_TIMEOUT = 0 | USE_STRICT_REPLY_PARSING = true | CONFIG_CLIENT = true | CLIENT_PARAMETERS = [{VALUE="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256", PARAMETER="kex"}, {VALUE="ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256", PARAMETER="server_host_key"}, {VALUE="aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com", PARAMETER="cipher.s2c"}, {VALUE="aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com", PARAMETER="cipher.c2s"}, {VALUE="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512", PARAMETER="mac.s2c"}, {VALUE="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512", PARAMETER="mac.c2s"}] |
tFTPConnection_1 - SFTP authentication using a public key.
tFTPConnection_1 - Private key: 'C:/Users/XXXX/.ssh/login_cleprive.ppk'.
tFTPConnection_1 - Attempt to connect to 'xxx.xxx.xxx.x' with username 'login'.
Connecting to xxx.xxx.xxx.x port xxxx
Connection established
Remote version string: SSH-1.99-OpenSSH_3.9p1
Local version string: SSH-2.0-JSCH_0.2.1
CheckCiphers: chacha20-poly1305@openssh.com
CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
CheckSignatures: ssh-ed25519,ssh-ed448
ssh-ed25519 is not available.
ssh-ed448 is not available.
server_host_key proposal before removing unavailable algos is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
server_host_key proposal after removing unavailable algos is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
server_host_key proposal before known_host reordering is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
server_host_key proposal after known_host reordering is: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
SSH_MSG_KEXINIT sent
SSH_MSG_KEXINIT received
kex: server: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
kex: server: ssh-rsa,ssh-dss
kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
kex: server: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kex: server: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
kex: server: none,zlib
kex: server: none,zlib
kex: server:
kex: server:
kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-512
kex: client: none
kex: client: none
kex: client:
kex: client:
kex: algorithm: diffie-hellman-group14-sha1
kex: host key algorithm: ssh-rsa
kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none
kex: client->server cipher: aes128-ctr MAC: hmac-md5 compression: none
SSH_MSG_KEXDH_INIT sent
expecting SSH_MSG_KEXDH_REPLY
ssh_rsa_verify: ssh-rsa signature true
Permanently added 'xxx.xxx.xxx.x' (RSA) to the list of known hosts.
SSH_MSG_NEWKEYS sent
SSH_MSG_NEWKEYS received
SSH_MSG_SERVICE_REQUEST sent
SSH_MSG_SERVICE_ACCEPT received
Authentications that can continue: publickey,password,keyboard-interactive,gssapi-with-mic
Next authentication method: publickey
PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
Signature algorithms unavailable for non-agent identities = [ssh-ed25519, ssh-ed448]
No server-sig-algs found, using PubkeyAcceptedAlgorithms = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]
rsa-sha2-512 preauth failure
rsa-sha2-256 preauth failure
Authentications that can continue: password,keyboard-interactive,gssapi-with-mic
Next authentication method: password
Authentications that can continue: gssapi-with-mic
Next authentication method: gssapi-with-mic
Disconnecting from xxx.xxx.xxx.x port xxxx
Could someone please have a look into it? Please.
Note: Even with tScpConnection I got the same problem. I'm using Talend v8.0.1 with the latest version R2022-09. I also found this solution https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US but it doesn't help me!!
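To make the debug log above easier to read, here is an added example (not part of the original post, and not Talend's or JSch's own code) that replays the negotiation with the RFC 4253 section 7.1 rule both JSch and OpenSSH follow: for each category the client's proposal is walked in order and the first entry the server also offers wins. The proposal lists are copied from the `kex: client:` / `kex: server:` lines, and `PubkeyAcceptedAlgorithms` from the auth phase. One modelling assumption is not stated anywhere in the log: that a server this old accepts publickey signatures only with the algorithms it advertised for its host key (`ssh-rsa`, `ssh-dss`); the log only shows the two `rsa-sha2-*` attempts failing.

```python
"""Replay the JSch 0.2.1 negotiation from the debug log (added example)."""


def split(csv):
    """Turn an SSH name-list into a Python list, dropping empty entries."""
    return [a for a in csv.split(",") if a]


# Client proposal, copied from the 'kex: client:' lines of the log.
CLIENT = {
    "kex": split("ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
                 "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,"
                 "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,"
                 "curve25519-sha256,curve25519-sha256@libssh.org,"
                 "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
                 "diffie-hellman-group14-sha256,ext-info-c"),
    "server_host_key": split("ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
                             "ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"),
    "cipher.c2s": split("aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,"
                        "aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc,"
                        "aes128-gcm@openssh.com,aes256-gcm@openssh.com"),
    "mac.c2s": split("hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96,"
                     "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
                     "hmac-sha1-etm@openssh.com,hmac-sha2-512"),
    "compression.c2s": ["none"],
}
# Server proposal (OpenSSH_3.9p1), copied from the 'kex: server:' lines.
SERVER = {
    "kex": split("diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
                 "diffie-hellman-group1-sha1"),
    "server_host_key": split("ssh-rsa,ssh-dss"),
    "cipher.c2s": split("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,"
                        "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,"
                        "aes128-ctr,aes192-ctr,aes256-ctr"),
    "mac.c2s": split("hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,"
                     "hmac-sha1-96,hmac-md5-96"),
    "compression.c2s": split("none,zlib"),
}
# Both sides list identical c2s and s2c values in the log, so mirror them.
for _side in (CLIENT, SERVER):
    for _k in ("cipher", "mac", "compression"):
        _side[_k + ".s2c"] = _side[_k + ".c2s"]


def first_common(client_list, server_list):
    """RFC 4253 7.1: the client's order decides, the server only has to support it."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate_all(client, server):
    """Map every category to the algorithm KEXINIT would settle on (None = no match)."""
    return {cat: first_common(client[cat], server[cat]) for cat in client}


# Auth phase. Copied from the log; no server-sig-algs extension was received,
# so the client falls back to this list unchanged.
PUBKEY_ACCEPTED = split("ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
                        "ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256")
# Signature names an RSA key can produce: RFC 8332 ones plus the legacy SHA-1 one.
RSA_SIGNATURE_ALGS = ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
# Modelling assumption (not in the log): the old server only understands the
# signature names it advertised as host key algorithms.
SERVER_SIG_ALGS = SERVER["server_host_key"]


def publickey_attempts(accepted, key_sig_algs):
    """Signature algorithms tried for an RSA identity, in order (cf. the two
    'preauth failure' lines in the log)."""
    return [a for a in accepted if a in key_sig_algs]


def publickey_outcome(accepted, key_sig_algs, server_sig_algs):
    """First attempt the server would accept, or None when publickey auth fails."""
    return first_common(publickey_attempts(accepted, key_sig_algs), server_sig_algs)


if __name__ == "__main__":
    for cat, alg in negotiate_all(CLIENT, SERVER).items():
        print(f"{cat}: {alg}")
    print("publickey attempts:", publickey_attempts(PUBKEY_ACCEPTED, RSA_SIGNATURE_ALGS))
    print("publickey result:",
          publickey_outcome(PUBKEY_ACCEPTED, RSA_SIGNATURE_ALGS, SERVER_SIG_ALGS))
```

Running it reproduces the `kex: algorithm`, `host key algorithm`, cipher and MAC lines of the log exactly (group14-sha1, ssh-rsa, aes128-ctr, hmac-md5), and under the stated assumption the auth phase ends with no signature algorithm the server understands: the only RSA names in `PubkeyAcceptedAlgorithms` are `rsa-sha2-512` and `rsa-sha2-256`, and the SHA-1 `ssh-rsa` signature this server predates RFC 8332 would need is not offered. Appending `ssh-rsa` to the list makes the model succeed, but that re-enables SHA-1 signatures, which is exactly why newer clients dropped it from their defaults, so it belongs in a per-connection override, not a project-wide one, and the real server's behaviour still has to be confirmed from its own log.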
Can you show us your component configuration and the standard System.out you get for the error please?
You *may* find this solution that I provided for an issue that doesn't initially look too dissimilar to this, useful. This was caused by a permutation of security options not being supported by the standard component.
https://community.talend.com/s/feed/0D73p000004uVGzCAM
It does require a bit of Java. But if you are OK with Java, it opens a lot of doors.
If you can give me a bit more detail regarding your component config and the standard error you get, I may be able to get this raised as a Jira.
Hello,
We've recently upgraded the FTP library, but that should support the newer security mechanisms out of the box.
Could you please check this github issue? They suggest there to expand the cipher.c2s / cipher.s2c parameters. https://github.com/mwiede/jsch/issues/47
Also there's an article about the config client changes that were applied during the upgrade to make it backward compatible. https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms
Based on the logs it looks to me that this job used to exist in Studio, as the config client already has extra values, which are populated during the patch application.
Keep in mind that if this is a regression you should raise it with Talend Support as these cases are treated as Critical bugs by R&D.
Hello,
Thanks @Richard Hall and @Balazs Gunics for your answers. The problem is caused by the update of the jsch library from 0.1.55 to 0.2.1, so in order to solve my problem I set up the following job:
with this setting:
I hope it's a good solution!
Hello,
It gets the job done but I don't agree that it's a good solution.
You can easily override the versions for the whole project/branch: https://help.talend.com/r/en-US/8.0/studio-user-guide-data-fabric/overriding-external-modules-by-customizing-mvn-uri
And as I mentioned, if this is a regression then it might affect a lot of customers. The sooner Support knows about it, the sooner it can be reproduced, and if it's indeed a regression then it will be fixed.
Have you tried the later version of jsch? https://github.com/mwiede/jsch
That has a different exception message which should clearly indicate what values you'd have to add in the Advanced Settings. By making those changes your job should work without any override/underride of the library.
Using an old version of the library might cause issues in case there's a CVE which will be fixed by Talend but your tLibraryLoad will override that, leaving you vulnerable.
So it's a good temporary solution to get things moving. If it's the deprecated ciphers then you can enable those ciphers; that's not a product issue, unless this used to work and after the upgrade it broke, because that's not expected and it needs to be fixed in the product.
Downgrade / enable old ciphers you do at your own risk because this means an attacker can crack the communication between the client and the server, gaining access to the content of the file itself. That's the reason it was removed by JSCH. It's a big security risk to use outdated ciphers. 20+ years ago it would take years to crack these. Nowadays it might only take a few thousand dollars as you can rent computing.
Regards,
Balázs
Hello,
@Balazs Gunics I want to try this solution https://github.com/mwiede/jsch but I'm confused about how I should adapt it in Talend. Could you give me a hand on what I should change?
Thanks
Hello,
In this article you can find the step by step guide: https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US
(Screenshot + the values above.)
My expectation is that the newer version of the library would give you the key_name + missing_value in the Exception. (Based on the logs I've seen from others.)
Hello,
So I tried this solution https://community.talend.com/s/article/Expanding-your-SFTP-security-algorithms?language=en_US but now I get a new issue:
Exception in component tFTPConnection_1 (TEST_SFTP)
com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:604)
at com.jcraft.jsch.Session.connect(Session.java:334)
at com.jcraft.jsch.Session.connect(Session.java:194)
at bcb.test_sftp_0_1.TEST_SFTP.tFTPConnection_1Process(TEST_SFTP.java:1659)
at bcb.test_sftp_0_1.TEST_SFTP.runJobInTOS(TEST_SFTP.java:2805)
at bcb.test_sftp_0_1.TEST_SFTP.main(TEST_SFTP.java:2395)
[FATAL] 11:44:01 bcb.test_sftp_0_1.TEST_SFTP- tFTPConnection_1 Algorithm negotiation fail
com.jcraft.jsch.JSchException: Algorithm negotiation fail
at com.jcraft.jsch.Session.receive_kexinit(Session.java:604) ~[jsch-0.2.1.jar:0.2.1]
at com.jcraft.jsch.Session.connect(Session.java:334) ~[jsch-0.2.1.jar:0.2.1]
at com.jcraft.jsch.Session.connect(Session.java:194) ~[jsch-0.2.1.jar:0.2.1]
at bcb.test_sftp_0_1.TEST_SFTP.tFTPConnection_1Process(TEST_SFTP.java:1659) [classes/:?]
at bcb.test_sftp_0_1.TEST_SFTP.runJobInTOS(TEST_SFTP.java:2805) [classes/:?]
at bcb.test_sftp_0_1.TEST_SFTP.main(TEST_SFTP.java:2395) [classes/:?]
I think the version jsch-0.2.1.jar needs to be updated?
Best regards
Yes, well, with 0.2.1 you can enable log4j debug logs and figure out the information from there. (That was the latest at the time.)
With the newer version of the library the exception message itself will hold the key and the missing value. (Which we plan to upgrade to soon.)
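The "Algorithm negotiation fail" in the stack trace above, and the key/missing-value message Balázs describes, can both be worked out from the same two proposal lists. The following is an added example (not from this thread, and not Talend's or JSch's code) that checks a client proposal against the server offer from the first post's log, category by category, and reports each `CLIENT_PARAMETERS` key that has no common entry together with what the server would have accepted. The client proposal here is a constructed modern-only list, roughly what a current SSH client prefers, not the exact JSch 0.2.x defaults and not the OP's post-article configuration, which is not shown. The output line format is modelled on the one newer JSch releases use and is an assumption, not a quote of the library.

```python
"""Diagnose an SSH 'Algorithm negotiation fail' per config key (added example)."""


def split(csv):
    return [a for a in csv.split(",") if a]


# Server offer (OpenSSH_3.9p1), copied from the 'kex: server:' lines of the log.
SERVER = {
    "kex": split("diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,"
                 "diffie-hellman-group1-sha1"),
    "server_host_key": split("ssh-rsa,ssh-dss"),
    "cipher.c2s": split("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,"
                        "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,"
                        "aes128-ctr,aes192-ctr,aes256-ctr"),
    "mac.c2s": split("hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,"
                     "hmac-sha1-96,hmac-md5-96"),
}
# Constructed modern-only client proposal (assumption: not the real JSch defaults).
MODERN_CLIENT = {
    "kex": split("curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
                 "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,"
                 "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256"),
    "server_host_key": split("ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,"
                             "ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256"),
    "cipher.c2s": split("aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
                        "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"),
    "mac.c2s": split("hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
                     "hmac-sha2-256,hmac-sha2-512"),
}
for _side in (SERVER, MODERN_CLIENT):
    for _k in ("cipher", "mac"):
        _side[_k + ".s2c"] = _side[_k + ".c2s"]

# Algorithms that still appear on old servers but rely on SHA-1, MD5, RC4 or
# CBC mode; flagged so a reader sees what re-enabling them actually costs.
LEGACY = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1", "ssh-dss", "ssh-rsa",
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96", "arcfour", "blowfish-cbc",
    "cast128-cbc", "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se",
}


def first_common(client_list, server_list):
    """RFC 4253 7.1 selection: first client entry the server also offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def diagnose(client, server):
    """{config_key: (client_list, server_list)} for every category with no
    common algorithm. An empty dict means KEXINIT would succeed."""
    return {cat: (client[cat], server[cat]) for cat in client
            if first_common(client[cat], server[cat]) is None}


def format_failures(report):
    """One message per failing key, modelled on newer JSch wording (assumption)."""
    return [f'Algorithm negotiation fail: algorithmName="{key}" '
            f'jschProposal="{",".join(c)}" serverProposal="{",".join(s)}"'
            for key, (c, s) in report.items()]


def additions_needed(client, server):
    """Per failing key: (algorithm, is_legacy) for each value the server would
    accept, i.e. what would have to be appended to the Advanced Settings."""
    return {key: [(a, a in LEGACY) for a in s]
            for key, (_, s) in diagnose(client, server).items()}


def with_additions(client, server):
    """Client proposal with the server's values appended at the END, so they are
    only chosen when nothing modern matches (the client's order decides)."""
    out = {k: list(v) for k, v in client.items()}
    for key, (_, s) in diagnose(client, server).items():
        out[key] += [a for a in s if a not in out[key]]
    return out


if __name__ == "__main__":
    for line in format_failures(diagnose(MODERN_CLIENT, SERVER)):
        print(line)
    for key, algs in additions_needed(MODERN_CLIENT, SERVER).items():
        print(key, "->", ", ".join(f"{a}{' (legacy)' if old else ''}" for a, old in algs))
    print("after additions:", diagnose(with_additions(MODERN_CLIENT, SERVER), SERVER))
```

Against this server the modern proposal fails on `kex`, `server_host_key`, `mac.c2s` and `mac.s2c` but not on the ciphers, because the server still offers `aes128-ctr`; every value that would have to be added for the key exchange and host key is flagged as legacy, which is the concrete form of "enable old ciphers at your own risk" from the earlier reply. Appending rather than prepending keeps the weak entries as a last resort for this one host, and the same check run with the server's real offer tells you which keys to touch before guessing at a library downgrade.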
Ok thank you, I will wait for the next version of jar to see if this will solve my problem...