
I am writing a TestNG test for a Jsch based FTP client but I keep getting the below error:

```
com.jcraft.jsch.JSchException: verify: false
at com.jcraft.jsch.Session.connect(Session.java:330)
at com.jcraft.jsch.Session.connect(Session.java:183)
```

I have researched a lot and also looked into existing question threads, but have not been able to resolve the issue yet.

FTP client code:

```java
Session getSFTPSession(String keyFilePath, String ftpUser, String ftpHost,
  int ftpPort) throws JSchException, IOException {
    JSch jsch = new JSch();

    // keyFilePath is the location where I am storing the key file.
    jsch.addIdentity("ftp-client",
    FileUtils.readFileToByteArray(new File(keyFilePath)), null, null);

    // String ftpUser, String ftpHost, int ftpPort are the inputs.
    Session session = jsch.getSession(ftpUser, ftpHost, ftpPort);
    session.setConfig("StrictHostKeyChecking", "no");
    session.setConfig("kex", "diffie-hellman-group1-sha1");
    session.setTimeout(30000);

    session.connect(); // this is where the error is raised
    return session;
}
```

TestNG test:

```java
// server startup
SshServer sshServer = SshServer.setUpDefaultServer();
sshServer.setPort(FTP_PORT); // String FTP_PORT = 8001
sshServer.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(keyFilePath));
sshServer.setPasswordAuthenticator(new PasswordAuthenticator() {
  @Override
  public boolean authenticate(final String username, final String password,
      final ServerSession session) {
    boolean authMatch =
        StringUtils.equals(username, FTP_USER) && StringUtils.equals(password, FTP_PASSWORD);
    LOGGER.info("authMatch = [{}]", authMatch);
    return authMatch;
  }
});
sshServer.setCommandFactory(new ScpCommandFactory(new CommandFactory() {
  @Override
  public Command createCommand(String command) {
    LOGGER.info("command: [{}]", command);
    return null;
  }
}));
sshServer.setPublickeyAuthenticator(new PublickeyAuthenticator() {
  @Override
  public boolean authenticate(String username, PublicKey key, ServerSession session) {
    return true;
  }
});
sshServer.setUserAuthFactories(Collections.singletonList(new Factory()));
sshServer.setSubsystemFactories(Collections.singletonList(new SftpSubsystem.Factory()));
sshServer.start();

// at this point, the getSFTPSession method is called
```

How am I generating the key file? I am using the bouncycastle lib to do so:

```java
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(ENCRYPTION_ALGO);
keyPairGenerator.initialize(2048, new SecureRandom());
PrivateKey privateKey = keyPairGenerator.genKeyPair().getPrivate();
StringWriter writer = new StringWriter();
try (PEMWriter pemWriter = new PEMWriter(writer)) {
  pemWriter.writeObject(privateKey);
}
FileUtils.writeByteArrayToFile(new File(keyFilePath), writer.toString().getBytes());
```

Key file generation is done before the server startup.

Maven dependencies:

```xml
<jsch.version>0.1.54</jsch.version>
<apache.sshd-sftp.version>0.9.0</apache.sshd-sftp.version>
<bouncycastle.version>1.58</bouncycastle.version>

<dependency>
  <groupId>com.jcraft</groupId>
  <artifactId>jsch</artifactId>
  <version>${jsch.version}</version>
</dependency>
<dependency>
  <groupId>org.apache.sshd</groupId>
  <artifactId>sshd-sftp</artifactId>
  <version>${apache.sshd-sftp.version}</version>
  <scope>test</scope>
</dependency>
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcpkix-jdk15on</artifactId>
  <version>${bouncycastle.version}</version>
  <scope>test</scope>
</dependency>
```

Please let me know if any more info is needed. Any help on this is appreciated.

Here is full log (from JSchLogger):

[TestNG] Running:
      /Users/s0l02og/Library/Caches/IntelliJIdea2018.1/temp-testng-customsuite.xml
    [INFO ] 2018-08-22 22:40:45.764 [main] SFTPUtilTest - Folder [target/sftp], creation status = [true]
    [INFO ] 2018-08-22 22:40:46.150 [main] SecurityUtils - Trying to register BouncyCastle as a JCE provider
    [INFO ] 2018-08-22 22:40:46.635 [main] SecurityUtils - Registration succeeded
    [DEBUG] 2018-08-22 22:40:46.692 [main] Nio2Acceptor - Creating Nio2Acceptor
    [DEBUG] 2018-08-22 22:40:46.704 [main] Nio2Acceptor - Binding Nio2Acceptor to address 0.0.0.0/0.0.0.0:8001
    INFO: Connecting to localhost port 8001
    INFO: Connection established
    [DEBUG] 2018-08-22 22:40:46.766 [pool-3-thread-1] Nio2Session - Creating Nio2Session on /127.0.0.1:8001 from /127.0.0.1:58231
    [INFO ] 2018-08-22 22:40:46.776 [pool-3-thread-1] ServerSession - Session created from /127.0.0.1:58231
    [DEBUG] 2018-08-22 22:40:46.776 [pool-3-thread-1] Nio2Session - Writing 25 bytes
    INFO: Remote version string: SSH-2.0-SSHD-CORE-0.9.0
    INFO: Local version string: SSH-2.0-JSCH-0.1.54
    INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
    [WARN ] 2018-08-22 22:40:46.784 [pool-3-thread-1] SimpleGeneratorHostKeyProvider - Unable to read key target/sftp/TEST.pk: java.io.StreamCorruptedException: invalid stream header: 2D2D2D2D
    [INFO ] 2018-08-22 22:40:46.786 [pool-3-thread-1] SimpleGeneratorHostKeyProvider - Generating host key...
    INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
    INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    INFO: SSH_MSG_KEXINIT sent
    INFO: SSH_MSG_KEXINIT received
    [DEBUG] 2018-08-22 22:40:58.093 [pool-3-thread-1] Nio2Session - Writing 384 bytes
    INFO: kex: server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    INFO: kex: server: ssh-dss
    INFO: kex: server: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
    INFO: kex: server: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
    INFO: kex: server: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
    INFO: kex: server: hmac-md5,hmac-sha1,hmac-md5-96,hmac-sha1-96
    INFO: kex: server: none
    INFO: kex: server: none
    INFO: kex: server: 
    INFO: kex: server: 
    INFO: kex: client: diffie-hellman-group1-sha1
    INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
    INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
    INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
    INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
    INFO: kex: client: none
    INFO: kex: client: none
    INFO: kex: client: 
    INFO: kex: client: 
    INFO: kex: server->client aes128-ctr hmac-md5 none
    INFO: kex: client->server aes128-ctr hmac-md5 none
    INFO: SSH_MSG_KEXDH_INIT sent
    INFO: expecting SSH_MSG_KEXDH_REPLY
    [DEBUG] 2018-08-22 22:40:58.096 [pool-3-thread-1] Nio2Session - Read 516 bytes
    [DEBUG] 2018-08-22 22:40:58.097 [pool-3-thread-1] ServerSession - Client version string: SSH-2.0-JSCH-0.1.54
    [DEBUG] 2018-08-22 22:40:58.097 [pool-3-thread-1] ServerSession - Received packet SSH_MSG_KEXINIT
    [DEBUG] 2018-08-22 22:40:58.097 [pool-3-thread-1] ServerSession - Received SSH_MSG_KEXINIT
    [DEBUG] 2018-08-22 22:40:58.106 [pool-3-thread-1] Nio2Session - Read 152 bytes
    [DEBUG] 2018-08-22 22:40:58.106 [pool-3-thread-1] ServerSession - Received packet SSH_MSG_KEXDH_INIT
    [DEBUG] 2018-08-22 22:40:58.106 [pool-3-thread-1] DHG1 - Received SSH_MSG_KEXDH_INIT
    [DEBUG] 2018-08-22 22:40:58.115 [pool-3-thread-1] DHG1 - Send SSH_MSG_KEXDH_REPLY
    [DEBUG] 2018-08-22 22:40:58.115 [pool-3-thread-1] Nio2Session - Writing 1040 bytes
    [DEBUG] 2018-08-22 22:40:58.115 [pool-3-thread-1] ServerSession - Send SSH_MSG_NEWKEYS
    INFO: ssh_dss_verify: signature false
    [DEBUG] 2018-08-22 22:40:58.116 [pool-3-thread-1] Nio2Session - Writing 16 bytes
    INFO: Disconnecting from localhost port 8001

    com.jcraft.jsch.JSchException: verify: false

      at com.jcraft.jsch.Session.connect(Session.java:330)
      at com.jcraft.jsch.Session.connect(Session.java:183)
Krishnan Mahadevan
Sachin Lala
  • Looks like it's during key exchange: https://github.com/is/jsch/blob/master/src/main/java/com/jcraft/jsch/Session.java#L330 – Kenster Aug 22 '18 at 15:08
  • What version of JSch? + Show us [JSch log file](https://stackoverflow.com/q/47411185/850848). – Martin Prikryl Aug 22 '18 at 15:50
  • JSch version = 0.1.54 – Sachin Lala Aug 22 '18 at 17:02
  • Hi @MartinPrikryl - I have added the JSch Logger output to the question. – Sachin Lala Aug 22 '18 at 17:16
  • The suggestion for JSch log was very helpful - here is the exact point where an error is reported before the 'verify' signature exception: ```SimpleGeneratorHostKeyProvider - Unable to read key target/sftp/TEST.pk: java.io.StreamCorruptedException: invalid stream header: 2D2D2D2D```. I am checking further what this means. Any pointer on this would be good. – Sachin Lala Aug 22 '18 at 17:19
  • But it looks like that Mina generated a new key. So it resumed from that problem. So it is possible that the problem is elsewhere. Try forcing JSch to use a different kex. Why do you even force `diffie-hellman-group1-sha1`? – Martin Prikryl Aug 22 '18 at 18:27
  • I had checked for that and referred this post from you - https://stackoverflow.com/questions/44076349/how-to-set-kex-on-jsch-session-when-using-apache-vfs. Please can you suggest which other values of kex can I use? Meanwhile I am looking for this in JSch documentation also. – Sachin Lala Aug 22 '18 at 18:52
  • I tried all other values for kex (reference: http://www.jcraft.com/jsch/) and I get error "JSchException: Algorithm negotiation fail". With kex = "diffie-hellman-group1-sha1", I do not get that error but the key verification fails and finally I get 'verify' error. – Sachin Lala Aug 22 '18 at 19:13
  • Did you try `diffie-hellman-group14-sha1`? – Martin Prikryl Aug 22 '18 at 21:35
  • Yes Martin. Still getting the same error though. The log output is similar. – Sachin Lala Aug 23 '18 at 11:22
  • @SachinLala resolved this issue? same problem for me as well – codeSeeker Dec 21 '21 at 04:12

1 Answer


I ran into the same issue with JSch Version 0.1.54. Solved it by setting the algorithm for the KeyPairProvider to RSA. In my case sshd was using ecdsa keypairs which Jsch couldn't handle.

```java
SshServer sshd = SshServer.setUpDefaultServer();

sshd.setHost("0.0.0.0");
sshd.setPort(2222);

// sets the host's private keys used for key exchange with clients as well as representing the host's "identities".
AbstractGeneratorHostKeyProvider hostKeyProvider =
        new SimpleGeneratorHostKeyProvider(new File(authorizeKeys).toPath());

// RSA-Algorithm for JSCH 0.1.54
hostKeyProvider.setAlgorithm("RSA");
sshd.setKeyPairProvider(hostKeyProvider);

sshd.setPasswordAuthenticator(new Auth(dataSource));

SftpSubsystemFactory factory = new SftpSubsystemFactory.Builder().build();
sshd.setSubsystemFactories(Collections.singletonList(factory));

sshd.start();
```
Douy789
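A way to read the `kex:` lines of the JSch log in the question, as an added example (not code from the question or the answer): JSch logs each side's KEXINIT one name-list per line in RFC 4253 section 7.1 order, so the second line per side is the host-key list. The script applies the simplified "first client name the server also offers" rule; `SLOTS`, `parse_kexinit`, `negotiate` and `with_client_kex` are names made up for this sketch.

```python
import re

# KEXINIT name-lists in RFC 4253 section 7.1 order; JSch logs one "kex:" line per list.
SLOTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
         "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Excerpt copied from the JSch log in the question (first three lists per side),
# plus one "server->client" summary line that must not be parsed as a list.
SAMPLE_LOG = """\
INFO: kex: server: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
INFO: kex: server: ssh-dss
INFO: kex: server: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc
INFO: kex: client: diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: server->client aes128-ctr hmac-md5 none
"""

LIST_LINE = re.compile(r"kex: (server|client): ?(.*)$", re.MULTILINE)


def parse_kexinit(log):
    """Map each side to {slot: [algorithm names]} using the order of its log lines."""
    lists = {"server": [], "client": []}
    for side, names in LIST_LINE.findall(log):
        names = names.strip()
        lists[side].append(names.split(",") if names else [])
    return {side: dict(zip(SLOTS, seen)) for side, seen in lists.items()}


def negotiate(parsed):
    """Per slot, pick the first client name the server also offers (None if no overlap)."""
    server = parsed["server"]
    return {slot: next((n for n in names if n in server.get(slot, [])), None)
            for slot, names in parsed["client"].items()}


def with_client_kex(parsed, kex_name):
    """Copy of the parsed lists with the client's kex list replaced, as setConfig("kex", ...) does."""
    client = dict(parsed["client"], kex=[kex_name])
    return {"server": parsed["server"], "client": client}


if __name__ == "__main__":
    parsed = parse_kexinit(SAMPLE_LOG)
    print("as logged:      ", negotiate(parsed))
    print("kex -> group14: ", negotiate(with_client_kex(parsed, "diffie-hellman-group14-sha1")))
```

On this log the host-key slot resolves to `ssh-dss` whichever kex the client forces, because the server offers only `ssh-dss`; that is the algorithm named in `ssh_dss_verify: signature false`, and the host key type the server generates is the setting the answer changes.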