Dan Fabulich

Reputation: 39563

com.jcraft.jsch.JSchException: Auth cancel

I'm trying to write an Ant script to retrieve a URL via port tunnelling.

It works great when I use a password (the names xxxx'd out for privacy):

    <project default="main">
      <target name="main">
        <sshsession host="xxxx"
                    username="xxxx"
                    password="xxxx">
          <LocalTunnel lport="1080" rhost="xxxx" rport="80"/>
          <sequential>
            <get src="http://localhost:1080/xxxx" dest="/tmp/xxxx"/>
          </sequential>
        </sshsession>
      </target>
    </project>

But it doesn't work when I use a keyfile, like this:

    <sshsession host="xxxx"
    username="xxxx"
    keyfile="/Users/xxxx/.ssh/id_dsa"
    passphrase="xxxx">
      <LocalTunnel lport="1080" rhost="xxxx" rport="80"/>
      <sequential>
        <get src="http://localhost:1080/xxxx" dest="/tmp/xxxx"/>
      </sequential>
    </sshsession>

I get this exception:

    /tmp/build.xml:8: com.jcraft.jsch.JSchException: Auth cancel
        at com.jcraft.jsch.Session.connect(Session.java:451)
        at com.jcraft.jsch.Session.connect(Session.java:150)
        at org.apache.tools.ant.taskdefs.optional.ssh.SSHBase.openSession(SSHBase.java:223)

What's the cause of this error and what can I do about it?

Upvotes: 21

Views: 88057

Answers (6)

carlos.romel

Reputation: 44

For some reason, jsch uses a quite different authentication method.

TL;DR: Create an rsa-sha2-512 key (using a PEM format).

    ssh-keygen -t rsa-sha2-512 -m PEM -T '' -f ~/.ssh/id_rsa-sha2-512

In cases where you can't easily change key type:

  1. Recreate an rsa key (using a PEM format).

    ssh-keygen -t rsa -m PEM -T '' -f ~/.ssh/id_rsa

  2. Configure the ssh server to accept this method.

    sudo bash -c "echo 'PubkeyAcceptedAlgorithms +ssh-rsa' > /etc/ssh/sshd_config.d/ssh-rsa.conf"

  3. Restart sshd server.

    sudo systemctl restart sshd

  4. Now it works!

PS: JSCH supported types are: ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

https://unix.stackexchange.com/questions/721606/ssh-server-gives-userauth-pubkey-key-type-ssh-rsa-not-in-pubkeyacceptedalgorit

Upvotes: 0

Oscar Bravo

Reputation: 280

To get the jsch connection to work, you must specify the paths to both the known_hosts file and to the file containing the private key. This is done using the setKnownHosts and addIdentity methods.

        jsch.setKnownHosts("/path/to/.ssh/known_hosts");
        jsch.addIdentity("/path/to/.ssh/id_rsa");

If the key has a passphrase, you can add it to the addIdentity argument list:

        jsch.addIdentity("/path/to/.ssh/id_rsa", myPassPhrase);

See Javadocs

Upvotes: 5

kukudas

Reputation: 4934

I had a similar issue today, so I thought I would share my solution as well. I got the same exception, but the problem was in fact that I had an umlaut in my password. After choosing a new password without it, everything worked fine.

Upvotes: 1

cnu

Reputation: 477

I had the same issue while using the sshexec task. I added the passphrase attribute too and it worked fine. Create a passphrase for your private key and add it as an attribute in your task. Also, don't forget to convert your private key to OpenSSH format if you generated the key using puttygen on Windows.

Upvotes: 3

Scott

Reputation: 1010

There is a brand new fork of Jsch out now. The exception handling is far more comprehensive. No more swallowing or defaulting. Head over to https://github.com/vngx/vngx-jsch to check it out. If something doesn't work the way you expect, please raise it as an issue, or send a pull request as we are actively maintaining it. We are also looking to get it up on the maven central repos soon.

Upvotes: 1

Dan Fabulich

Reputation: 39563

I debugged the code. This was failing because my private key was failing authentication; JSch silently fell back to password authentication, which was canceled, because I didn't specify a password.

JSch error handling sucks a lot. Retrace your steps, regenerate a (separate) private key file, use ssh -i to guarantee you're using the right file, and keep your fingers crossed.

Upvotes: 38
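
A pre-flight check for the keyfile given to `<sshsession>`, covering the points the answers above raise (PEM versus OpenSSH container format, PuTTY-generated keys, and whether a passphrase is required). This is an added example, not code from any of the posts; `key_info` is a hypothetical helper name, and it assumes `base64`, `head` and `tail` are available.

```shell
#!/bin/sh
# Added example: classify an SSH private key file and report whether it is
# passphrase-protected, reading only headers (no key material is printed).
# key_info is a hypothetical helper name, not part of OpenSSH, Ant or JSch.
key_info() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    first=$(head -n 1 "$f" | tr -d '\r')
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            fmt=openssh-new
            # Body is base64 of "openssh-key-v1\0", a uint32 length, then the
            # cipher name at byte offset 19; "none" means no passphrase.
            cipher=$(grep -v '^-----' "$f" | tr -d '\r\n' |
                     base64 -d 2>/dev/null | tail -c +20 | head -c 4)
            if [ "$cipher" = none ]; then enc=no; else enc=yes; fi ;;
        "-----BEGIN RSA PRIVATE KEY-----" | \
        "-----BEGIN DSA PRIVATE KEY-----" | \
        "-----BEGIN EC PRIVATE KEY-----")
            fmt=pem
            # Legacy PEM flags encryption in a header line after BEGIN.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then enc=yes; else enc=no; fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") fmt=pkcs8; enc=yes ;;
        "-----BEGIN PRIVATE KEY-----")           fmt=pkcs8; enc=no ;;
        PuTTY-User-Key-File-*)
            fmt=putty
            # .ppk files carry an explicit "Encryption:" line.
            if grep -q '^Encryption: none' "$f"; then enc=no; else enc=yes; fi ;;
        *) echo "unknown"; return 1 ;;
    esac
    echo "format=$fmt passphrase=$enc"
}

# Stand-alone use: sh key_info.sh /path/to/keyfile
if [ "$#" -gt 0 ]; then key_info "$1"; fi
```

Once the format and passphrase state match what the Ant task is given, `ssh -i <keyfile> -o IdentitiesOnly=yes -o PreferredAuthentications=publickey user@host` exercises only that key, so an agent key or a password prompt cannot mask a bad file.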
