I experienced a problem a few months back and tracked it down to a difference in the Java config file for cryptography providers. One of the Solaris machines had a different configuration than another and the crypto provider being used had an incompatible hash algorithm. - Don


-----Original Message-----
From: Ofir Oren
Sent: 2/13/2010 3:17:31 PM
To: John
Cc: jsch-users@lists.sourceforge.net
Subject: Re: [JSch-users] Auth Failed on some Solaris10 depends on Java version
Hi John,

I'm not sure if the Java installation includes the "unlimited strength encryption policy" or not; however, it is installed on a mount point and the same binaries work on one Solaris 10 box and do not work on another. Now that I think about it, maybe they are using different shared libraries (will check ldd on Monday)...

I thought it's a network issue, but it works on Java 1.4.
I thought it's an encoding issue, but both are using the same character encoding (ISO8859-1).

Thanks,
-Ofir

On Sat, Feb 13, 2010 at 1:42 AM, John <john@chaosfree.com> wrote:

Does your java installation of 5 and 6 include the relevant unlimited strength encryption policy option? It's easy to forget and you have to install it each time you do an install.

From: Ofir Oren [mailto:ofiroren@gmail.com]
Sent: Saturday, 13 February 2010 12:13 PM
To: jsch-users@lists.sourceforge.net
Subject: [JSch-users] Auth Failed on some Solaris10 depends on Java version

Hi,

I have a weird issue with JSCH and some Solaris 10.

I have the below code fragment to connect to Akamai via a SOCKS proxy; using JRE 1.4 it works on all test machines.
But when I'm using JRE 5 or JRE 6 it works from some Solaris 10 machines and does not work for others.
The session.connect() method throws "Auth Failed".

JSch.setLogger(new Logger(){
    public boolean isEnabled(int level){
        return true;
    }
    public void log(int level, String message){
        // only in JRE 6
        // StackTraceElement caller = Thread.currentThread().getStackTrace()[2];
        // System.err.print(caller.getFileName() + ":" + caller.getClassName()
        //         + ":" + caller.getMethodName() + ":" + caller.getLineNumber()+": ");
        System.err.println(message);
    }
});
JSch jsch = new JSch();
jsch.addIdentity(path2PvtKey);
Session session = jsch.getSession(AKAMAI_USERID, AKAMAI_SERVER, 22);
java.util.Properties config = new java.util.Properties();
config.put("StrictHostKeyChecking", "no");
session.setUserInfo(this);
session.setConfig(config);
ProxySOCKS5 ps = new ProxySOCKS5(SOCKS_PROXY_IP, SOCKS_PROXY_PORT);
ps.setUserPasswd(SOCKS_PROXY_USERID, SOCKS_PROXY_PWD);
session.setProxy(ps);
session.connect();


Here is the logging output of the bad machine:

Default locale: en_US
Default encoding: ISO8859-1
Connecting to XXXX.upload.akamai.com port 22
Connection established
Remote version string: SSH-1.99-Server-VII
Local version string: SSH-2.0-JSCH-0.1.42
CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
aes256-ctr is not available.
aes192-ctr is not available.
aes256-cbc is not available.
aes192-cbc is not available.
arcfour256 is not available.
in_kex=true 20
command: 20
encode: 20
        341
IO> 352
SSH_MSG_KEXINIT sent
SSH_MSG_KEXINIT received
kex: server->client aes128-ctr hmac-md5 none
kex: client->server aes128-ctr hmac-md5 none
in_kex=true 30
command: 30
encode: 30
        138
IO> 152
SSH_MSG_KEXDH_INIT sent
expecting SSH_MSG_KEXDH_REPLY
ssh_dss_verify: signature true
Permanently added 'XXXX.upload.akamai.com' (DSA) to the list of known hosts.
in_kex=true 21
command: 21
encode: 21
        6
IO> 16
SSH_MSG_NEWKEYS sent
SSH_MSG_NEWKEYS received
in_kex=false 5
encode: 5
        22
IO> 64
SSH_MSG_SERVICE_REQUEST sent
SSH_MSG_SERVICE_ACCEPT received
in_kex=false 50
encode: 50
        42
IO> 80
Authentications that can continue: publickey,keyboard-interactive,password
Next authentication method: publickey
UserAuthPublicKey: com.jcraft.jsch.IdentityFile@1fddc31 null
UserAuthPublicKey: identity.isEncrypted()=true
UserAuthPublicKey: identity.isEncrypted()=false
UserAuthPublicKey: pubkeyblob=[B@1d225a7
Signature: SHA1withRSA from SunPKCS11-Solaris version 1.6
keyFactory: RSA from SunPKCS11-Solaris version 1.6
in_kex=false 50
encode: 50
        359
IO> 400
publickey partial_success:false
in_kex=false 1
encode: 1
        60
IO> 96
Disconnecting from gehealthcare.upload.akamai.com port 22
com.jcraft.jsch.JSchException: Auth fail



Here is the log from the good machine:

Default locale: en_US
Default encoding: ISO8859-1
Connecting to XXXX.upload.akamai.com port 22
Connection established
Remote version string: SSH-1.99-Server-VII
Local version string: SSH-2.0-JSCH-0.1.42
CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
aes256-ctr is not available.
aes192-ctr is not available.
aes256-cbc is not available.
aes192-cbc is not available.
arcfour256 is not available.
in_kex=true 20
command: 20
encode: 20
        341
IO> 352
SSH_MSG_KEXINIT sent
SSH_MSG_KEXINIT received
kex: server->client aes128-ctr hmac-md5 none
kex: client->server aes128-ctr hmac-md5 none
in_kex=true 30
command: 30
encode: 30
        138
IO> 152
SSH_MSG_KEXDH_INIT sent
expecting SSH_MSG_KEXDH_REPLY
ssh_dss_verify: signature true
Permanently added 'XXXX.upload.akamai.com' (DSA) to the list of known hosts.
in_kex=true 21
command: 21
encode: 21
        6
IO> 16
SSH_MSG_NEWKEYS sent
SSH_MSG_NEWKEYS received
in_kex=false 5
encode: 5
        22
IO> 64
SSH_MSG_SERVICE_REQUEST sent
SSH_MSG_SERVICE_ACCEPT received
in_kex=false 50
encode: 50
        42
IO> 80
Authentications that can continue: publickey,keyboard-interactive,password
Next authentication method: publickey
UserAuthPublicKey: com.jcraft.jsch.IdentityFile@290fbc null
UserAuthPublicKey: identity.isEncrypted()=true
UserAuthPublicKey: identity.isEncrypted()=false
UserAuthPublicKey: pubkeyblob=[B@1833eca
Signature: SHA1withRSA from SunPKCS11-Solaris version 1.6
keyFactory: RSA from SunPKCS11-Solaris version 1.6
in_kex=false 50
encode: 50
        359
IO> 400
Authentication succeeded (publickey).

Any thoughts about how I can troubleshoot this?

Thanks,
-Ofir


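Added example, not part of the original thread and not JSch code: a small JCA report to run under the same JRE on the working and the failing Solaris host, so the two outputs can be diffed. It covers both suggestions made in the thread (the crypto policy limit and a difference in the configured cryptography providers) and cross-checks SHA1withRSA between providers. The class name ProviderReport, the 2048-bit key size and the test message are assumptions made for the example.

```java
import java.security.*;
import javax.crypto.Cipher;
import javax.crypto.Mac;

// Hypothetical diagnostic class, not part of JSch. Run it with the same JRE on
// the working host and on the failing host, then diff the two outputs.
public class ProviderReport {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("java.home=" + System.getProperty("java.home"));

        // Provider order is set by the security.provider.N entries in java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider." + (i + 1) + "=" + providers[i]);
        }

        // 128 means the limited policy is active; unlimited reports Integer.MAX_VALUE.
        System.out.println("AES max key bits=" + Cipher.getMaxAllowedKeyLength("AES"));

        // Providers that serve the algorithms named in the JSch log above.
        System.out.println("Signature SHA1withRSA -> "
                + Signature.getInstance("SHA1withRSA").getProvider());
        System.out.println("KeyFactory RSA -> "
                + KeyFactory.getInstance("RSA").getProvider());
        System.out.println("Mac HmacMD5 -> " + Mac.getInstance("HmacMD5").getProvider());

        // Cross-check: sign a constructed message with the default provider, then
        // verify that signature with every provider that offers SHA1withRSA.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed test message".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        for (Provider p : providers) {
            if (p.getService("Signature", "SHA1withRSA") == null) continue;
            try {
                Signature verifier = Signature.getInstance("SHA1withRSA", p);
                verifier.initVerify(kp.getPublic());
                verifier.update(msg);
                System.out.println("verify via " + p.getName() + "=" + verifier.verify(sig));
            } catch (Exception e) {
                System.out.println("verify via " + p.getName() + " failed: " + e);
            }
        }
    }
}
```

A differing provider list or a `verify via ...=false` line on only one host points at that host's provider configuration rather than at the key or the server.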