Thread: [JSch-users] jsch-0.1.54.jar throws com.jcraft.jsch.JSchException: invalid privatekey
From: Erik W. <eri...@na...> - 2016-11-04 21:20:14
Summary: Is there a known problem with SSH and RSA keys with 4096 bits?

Recently I noticed that using the SFTP plugin of my favorite editor jedit wasn't working anymore. To make a long story short: I've drilled down the problem to the library JSch (jsch-0.1.54.jar) and compiled one of your examples:

I'm using the UserAuthPubKey.java (http://www.jcraft.com/jsch/examples/UserAuthPubKey.java.html) example with 2 different keys:

    % ssh-keygen -lf ~/.ssh/id_rsa-2048
    2048 SHA256:e8G+h4MsuUMZYUbk2jhk18FGQ88JNB/Lpxzpw/kfAeY eri...@na... (RSA)
    % ssh-keygen -lf ~/.ssh/id_rsa-4096
    4096 SHA256:3M4Mx6KUodWqWfdVWOr0cavdapf8y+zIH3bXcl7umbo eri...@na... (RSA)

The first one is working fine, the last one returns the following message

> com.jcraft.jsch.JSchException: invalid privatekey: [B@f5f2bb7

throwing from the code snippet

> jsch.addIdentity(chooser.getSelectedFile().getAbsolutePath());

I've modified UserAuthPubKey.java a little bit to drill down the JSchException. Here's the relevant part:

    if(returnVal == JFileChooser.APPROVE_OPTION) {
      System.out.println("You chose "+
        chooser.getSelectedFile().getAbsolutePath()+".");
      System.out.println("before jsch.addIdentity()");
      jsch.addIdentity(chooser.getSelectedFile().getAbsolutePath());
      System.out.println("after jsch.addIdentity()");
    }

Compiling (using the Oracle JDK 1.8.0_101):

    % javac -classpath jsch.jar UserAuthPubKey.java

Starting and using the 2048 bit key:

    % java -classpath jsch.jar:. UserAuthPubKey
    You chose /home/brassel/.ssh/id_rsa-2048.
    before jsch.addIdentity()
    after jsch.addIdentity()
    ...Program goes on...

Starting and using the 4096 bit key:

    % java -classpath jsch.jar:. UserAuthPubKey
    You chose /home/brassel/.ssh/id_rsa-4096.
    before jsch.addIdentity()
    com.jcraft.jsch.JSchException: invalid privatekey: [B@48140564
    ...Program ends here...

Why is that? Why are 4096 bits RSA keys invalid? How can I fix this issue?

--
So long... Erik
From: Lothar K. <jo...@ki...> - 2016-11-07 09:43:46
Hi,

On 04.11.2016 at 22:20, Erik Wasser wrote:

> Why is that? Why are 4096 bits RSA keys invalid? How can I fix this issue?

Maybe a limit of a JVM without Unlimited Strength Cryptography Extension being installed?

Cheers, Lothar
From: Erik W. <eri...@na...> - 2016-11-07 22:31:07
On 07.11.2016 10:38, Lothar Kimmeringer wrote:

> Hi,
>
> On 04.11.2016 at 22:20, Erik Wasser wrote:
>
>> Why is that? Why are 4096 bits RSA keys invalid? How can I fix this issue?
>
> Maybe a limit of a JVM without Unlimited Strength Cryptography Extension
> being installed?

Thanks for the feedback.

I've downloaded the file 'jce_policy-8.zip' (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) and extracted the files 'US_export_policy.jar' and 'local_policy.jar' to the directory '/usr/java/jdk1.8.0_112/jre/lib/security' (overwriting the old ones).

Nothing changed (and I've double checked if this is the right java version I'm using).

If I switch to 'java-1.8.0-openjdk.x86_64' the error still remains so I think it's not a (Oracle-)Java problem.

Here's the stack trace:

    com.jcraft.jsch.JSchException: invalid privatekey: [B@282ba1e
        at com.jcraft.jsch.KeyPair.load(KeyPair.java:664)
        at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
        at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
        at com.jcraft.jsch.JSch.addIdentity(JSch.java:407)
        at com.jcraft.jsch.JSch.addIdentity(JSch.java:367)
        at UserAuthPubKey.main(UserAuthPubKey.java:29)

I've debugged a little bit further and replaced the lines

> -----BEGIN OPENSSH PRIVATE KEY-----
> ...
> -----BEGIN OPENSSH PRIVATE KEY-----

with

> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----BEGIN RSA PRIVATE KEY-----

And the stack trace changed a little bit:

    com.jcraft.jsch.JSchException: invalid privatekey: [B@f5f2bb7
        at com.jcraft.jsch.KeyPair.load(KeyPair.java:948)
        at com.jcraft.jsch.KeyPair.load(KeyPair.java:561)
        at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:40)
        at com.jcraft.jsch.JSch.addIdentity(JSch.java:407)
        at com.jcraft.jsch.JSch.addIdentity(JSch.java:367)
        at UserAuthPubKey.main(UserAuthPubKey.java:29)

Any ideas?

--
So long... Erik
From: Tim B. <tb...@al...> - 2016-11-08 05:39:48
This is the 0.1.53 source:
http://grepcode.com/file/repo1.maven.org/maven2/com.jcraft/jsch/0.1.53/com/jcraft/jsch/KeyPair.java#KeyPair
Presumably the 0.1.54 source isn't much different, since the line numbers match exactly.

Look at lines 634-665, and in particular lines 638-644. It looks like keys in formats DSA, RSA, ECDSA, and SSH are supported, but there's no indication that OPENSSH keys are supported. Did you maybe forget the "-t rsa" argument when generating the 4096-bit key? I'm not sure why the output would include "(RSA)" if that happened, but at the same time the content you showed us doesn't appear to be an RSA key...

Tim
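An added example, not part of the thread and not JSch code: a pre-flight check that reads the BEGIN line of a private key file before the path is handed to jsch.addIdentity(), so an unhandled header is reported by name instead of as "invalid privatekey: [B@...". The handled labels (DSA, RSA, EC, SSH) are an assumption taken from the message above; the class KeyHeaderCheck, its methods and the sample header text are constructed for illustration.

```java
import java.io.BufferedReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class KeyHeaderCheck {
    // Assumption from the thread's reading of KeyPair.java: headers whose label
    // starts with one of these are handled; anything else (e.g. OPENSSH) is not.
    static final String[] HANDLED = {"DSA", "RSA", "EC", "SSH"};

    // Tolerates four or five dashes and optional spaces around the BEGIN text.
    static final Pattern BEGIN =
        Pattern.compile("-{4,5} ?BEGIN ([A-Z0-9 ]+?) PRIVATE KEY ?-{4,5}");

    /** Returns the label of the first BEGIN ... PRIVATE KEY marker, or null. */
    static String label(String text) {
        Matcher m = BEGIN.matcher(text);
        return m.find() ? m.group(1) : null;
    }

    /** True when the label starts with one of the handled prefixes. */
    static boolean handled(String label) {
        if (label == null) return false;
        for (String p : HANDLED) if (label.startsWith(p)) return true;
        return false;
    }

    /** One-line diagnosis to log before calling jsch.addIdentity(path). */
    static String diagnose(String name, String text) {
        String l = label(text);
        if (l == null) return name + ": no BEGIN ... PRIVATE KEY line found";
        return name + ": header label '" + l + "' is "
            + (handled(l) ? "" : "not ") + "in the handled list";
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: header lines only, no key material.
        String[][] samples = {
            {"sample-rsa", "-----BEGIN RSA PRIVATE KEY-----"},
            {"sample-openssh", "-----BEGIN OPENSSH PRIVATE KEY-----"},
            {"sample-text", "not a key"},
        };
        for (String[] s : samples) System.out.println(diagnose(s[0], s[1]));
        // Files named on the command line: only the first line is inspected.
        for (String path : args) {
            try (BufferedReader r = Files.newBufferedReader(Paths.get(path), StandardCharsets.US_ASCII)) {
                System.out.println(diagnose(path, String.valueOf(r.readLine())));
            }
        }
    }
}
```

The check looks at the header only; it does not parse or validate the key body.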
From: Erik W. <eri...@na...> - 2016-11-08 20:21:41
On 08.11.2016 06:39, Tim Bain wrote:

> This is the 0.1.53 source:
> http://grepcode.com/file/repo1.maven.org/maven2/com.jcraft/jsch/0.1.53/com/jcraft/jsch/KeyPair.java#KeyPair
> Presumably the 0.1.54 source isn't much different, since the line
> numbers match exactly.
>
> Look at lines 634-665, and in particular lines 638-644. It looks like
> keys in formats DSA, RSA, ECDSA, and SSH are supported, but there's no
> indication that OPENSSH keys are supported. Did you maybe forget the
> "-t rsa" argument when generating the 4096-bit key? I'm not sure why
> the output would include "(RSA)" if that happened, but at the same time
> the content you showed us doesn't appear to be an RSA key...

Hi. Thanks for the answer. You've pushed me in the right direction. I've just recreated a new key with the following command:

> ssh-keygen -b 4096 -f .ssh/foo

And everything is fine and the first line indicates an RSA. And voilà: Jsch is working just fine with a 4096 bits/RSA key.

So my key was just bad, like the error messages indicated it. B-)

Thanks for the help.

--
So long... Erik
From: Tim B. <tb...@al...> - 2016-11-09 02:56:17
I'm glad to hear you got it working, though I'm surprised the command you ran, without -t rsa, worked as you described. No matter, if it solved your problem then that's what matters.

Tim