#1726 Cannot use rsa SSH keys generated from OS X 10.8

open-accepted
nobody
FTP (14)
5
2013-10-26
2013-07-21
Kaja
No

jEdit Version Numbers: 5.0.0 / 5.1pre1
Plugins: FTP 1.0.3 / SshConsole 1.0.6a
Platform: OS X version 10.8.4
Java Version: 1.7.0_25-b15

Steps to Reproduce:
- Create an SSH2 key pair using the default settings with 'ssh-keygen' on OS X 10.8 - this results in an AES-128-CBC encrypted key.
- Add the public key to server's authorized keys and log in via SSH in Terminal to verify the new key pair is working.
- Attempting to use the same key to log in with (S)FTP or SshConsole plugins results in multiple (4-5) prompts for the key's password even if it is correctly entered.
- jEdit appears to give up on public key authentication and falls back to keyboard interactive - resulting in an "Auth Fail".

Expected Result: Password prompt asks for correct password and logs in to the server when it's given.

Following the same steps with a key pair generated on OS 10.6 - resulting in a DES-EDE3-CBC encrypted key - produces the expected result (no log in errors using the key).

jEdit activity log:
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Connecting to {server} port {port}
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Connection established
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Remote version string: SSH-2.0-OpenSSH_5.2
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Local version string: SSH-2.0-JSCH-0.1.42
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_KEXINIT sent
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_KEXINIT received
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: kex: server->client aes128-ctr hmac-md5 none
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: kex: client->server aes128-ctr hmac-md5 none
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_KEXDH_INIT sent
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: expecting SSH_MSG_KEXDH_REPLY
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: ssh_rsa_verify: signature true
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Host '{server}' is known and mathces the RSA host key
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_NEWKEYS sent
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_NEWKEYS received
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_SERVICE_REQUEST sent
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: SSH_MSG_SERVICE_ACCEPT received
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Authentications that can continue: gssapi-with-mic,publickey,keyboard-interactive,password
4:42:58 PM [jEdit Worker #3] [message] SftpLogger: Next authentication method: gssapi-with-mic
4:42:59 PM [jEdit Worker #3] [message] SftpLogger: Authentications that can continue: publickey,keyboard-interactive,password
4:42:59 PM [jEdit Worker #3] [message] SftpLogger: Next authentication method: publickey
4:42:59 PM [jEdit Worker #3] [debug] SFtpConnection: Passphrase for /Users/{luser}/.ssh/id_rsa
4:42:59 PM [jEdit Worker #3] [debug] SFtpConnection: Passphrase for /Users/{luser}/.ssh/id_rsa
4:43:05 PM [jEdit Worker #3] [debug] SFtpConnection: Passphrase for /Users/{luser}/.ssh/id_rsa
4:43:09 PM [jEdit Worker #3] [debug] SFtpConnection: Passphrase for /Users/{luser}/.ssh/id_rsa
4:43:11 PM [jEdit Worker #3] [message] SftpLogger: Authentications that can continue: keyboard-interactive,password
4:43:11 PM [jEdit Worker #3] [message] SftpLogger: Next authentication method: keyboard-interactive
4:43:12 PM [jEdit Worker #3] [message] SftpLogger: Disconnecting from {server} port {port}
4:43:12 PM [jEdit Worker #3] [debug] ConnectionManager: catch java.io.IOException on sftp://{server}:{port}
4:43:12 PM [jEdit Worker #3] [error] ListDirectoryBrowserTask: at ftp.SFtpConnection.<init>(SFtpConnection.java:124)
4:43:12 PM [jEdit Worker #3] [error] ErrorListDialog$ErrorEntry: sftp://{user}@{server}:{port}/~/:

Discussion

  • Alan Ezust
    2013-07-22

    I can only do this on linux, not macos, but perhaps my experiences will help you.

    > Steps to Reproduce:
    > - Create an SSH2 key pair using the default settings with 'ssh-keygen' on OS X 10.8 - this results in an AES-128-CBC encrypted key.
    > - Add the public key to server's authorized keys and log in via SSH in Terminal to verify the new key pair is working.
    > - Attempting to use the same key to log in with (S)FTP or SshConsole plugins results in multiple (4-5) prompts for the key's password even if it is correctly entered.

    First of all, if you are using a key-pair, you should not be entering ANYTHING into the password field, otherwise it won't use your key. For the "connect to secure server" dialog, you enter the username, private key, and leave the password BLANK. Set the private key: to the proper file, and click OK.

    The first time it uses that key, it should pop up another dialog: "enter passphrase for <your private key>". And it should do that only once until you quit jEdit. And there is no option to save a passphrase.

    > - jEdit appears to give up on public key authentication and falls back to keyboard interactive - resulting in an "Auth Fail".
    >
    > Expected Result: Password prompt asks for correct password and logs in to the server when it's given.

    There is no password prompt. Just a passphrase prompt.

    >
    > Following the same steps with a key pair generated on OS 10.6 - resulting in a DES-EDE3-CBC encrypted key - produces the expected result (no log in errors using the key).

     
  • Alan Ezust
    2013-07-22

    • status: open --> pending-works-for-me
     
  • Kaja
    2013-07-22

    Sorry if my "steps to reproduce" weren't clear - I'm not entering a password into the "Connect to Secure FTP Server Dialog", I'm entering the password / passphrase into the "Enter passphrase for private key file" dialog which pops up when attempting to connect to the remote server using SFTP. The passphrase is never accepted even if it is correct and the private key passphrase dialog comes back several times after the proper passphrase has been entered.

    As mentioned in the original report, I am able to connect using jEdit and the SFTP plugin by using an older key generated with another version of ssh-keygen. It's keys generated on the OS X 10.8 box using OpenSSH_5.9p1, OpenSSL 0.9.8x that do not work, while those generated on an older OS X 10.6 box using OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011 do.

     
  • Alan Ezust
    2013-07-22

    • status: pending-works-for-me --> open
     
  • Alan Ezust
    2013-07-22

    Ok, this might be due to an out-of-date jsch library. See related ticket #3601720

     
  • Alan Ezust
    2013-09-21

    • status: open --> open-accepted
     
  • Alan Ezust
    2013-09-21

    I just tried it with the latest jsch library and I can reproduce your issue still even after updating to jsch 0.1.50!
    I am still going to have to release FTP 1.0.4 without fixing this bug because it requires further investigation.
    It might be a bug in jsch, I am not sure yet. But I can use the FTP plugin fine with keypairs that were not created in Mac OSX.

     
  • Alan Ezust
    2013-10-26

    I just made a discovery. It depends on what KIND of key you make. I tried making a 1024 bit DSA key from the mac and it works. But RSA keys don't.
    Do you also observe this?
    Is it only RSA keys that don't work, or are there other kinds too?

     
  • Alan Ezust
    2013-10-26

    • summary: Cannot use SSH keys generated on OS X 10.8 with FTP plugin --> Cannot use rsa SSH keys generated from OS X 10.8
     
  • Kaja
    2013-11-12

    I took a quick look at using a DSA key and it appears you're correct - the 1028 bit DSA key I generated on OS X Server 10.6.8 works fine for SFTP connections in jEdit 5.0 with FTP 1.0.3. I'll need to play around with the various keys which can be generated with ssh-keygen and see how various types of keys behave.

    Since my last look into this issue I've updated the local machine to OS X 10.9 so I'll need to find some time to play around with various combinations of keys generated on 10.6.8 and 10.9. A quick look shows OS X 10.9 is using "OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011" and 10.6.8 Server is "OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011". I'll also need to play around with jEdit 5.0 and 5.1 - even if the update to jsch didn't seem to directly affect this issue, I'm curious to see if there is any difference being on OS X 10.9 and using the same keys.
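
Added example (not part of the ticket, and not jEdit or jsch code): the thread narrows the failure to two properties of the private key file, its type (RSA vs DSA) and the cipher named in its header (AES-128-CBC vs DES-EDE3-CBC). This Python script reads both from the legacy PEM header so a set of keys can be grouped by those two variables before testing them in a client; `describe_private_key`, `triage` and the sample keys are hypothetical names and constructed data.

```python
import re

BEGIN_RE = re.compile(r"^-----BEGIN (?:([A-Z0-9]+) )?PRIVATE KEY-----$")

def describe_private_key(pem_text):
    """Report key type and passphrase cipher from a legacy PEM private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    match = BEGIN_RE.match(lines[0]) if lines else None
    if match is None:
        raise ValueError("not a PEM private key")
    info = {"key_type": match.group(1) or "PKCS8",
            "encrypted": False, "cipher": None, "iv_bytes": None}
    # "Name: value" header lines sit between the BEGIN line and the blank
    # line that starts the base64 body; base64 never contains ':'.
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            break  # blank line or base64 data: no (more) headers
        value = value.strip()
        if name == "Proc-Type" and value == "4,ENCRYPTED":
            info["encrypted"] = True
        elif name == "DEK-Info":
            cipher, _, iv_hex = value.partition(",")
            info["cipher"] = cipher
            info["iv_bytes"] = len(bytes.fromhex(iv_hex))
    return info

def triage(keys):
    """Map each key name to 'TYPE/CIPHER' for side-by-side comparison."""
    result = {}
    for name, pem in keys.items():
        d = describe_private_key(pem)
        fallback = "unknown" if d["encrypted"] else "unencrypted"
        result[name] = "%s/%s" % (d["key_type"], d["cipher"] or fallback)
    return result

def _sample(key_type, cipher, iv_hex):
    # Constructed sample: real header layout, placeholder body (no key material).
    return ("-----BEGIN %s PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: %s,%s\n\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
            "-----END %s PRIVATE KEY-----\n") % (key_type, cipher, iv_hex, key_type)

SAMPLES = {
    "rsa-aes": _sample("RSA", "AES-128-CBC", "00112233445566778899AABBCCDDEEFF"),
    "rsa-3des": _sample("RSA", "DES-EDE3-CBC", "0011223344556677"),
    "dsa-aes": _sample("DSA", "AES-128-CBC", "00112233445566778899AABBCCDDEEFF"),
}

if __name__ == "__main__":
    for name, label in sorted(triage(SAMPLES).items()):
        print(name, label)
```

Only the header lines are read; the passphrase and the key body are never touched, so the script can be run against real key files without decrypting them.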