Dave Breeze

Unable to use private/public keys with Jsch

On a linux system I create ssh keys through ssh-keygen and copy the public key to a remote host via ssh-copy-id [email protected]. The connection works as expected - I can ssh from my host to the remote system using the generated keys. I have sshd running with DEBUG on the remote host. On the ssh test I see in authlog

    Sep 21 13:16:15 vagrant sshd[2315]: debug1: attempt 1 failures 0 [preauth]
    Sep 21 13:16:15 vagrant sshd[2315]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:P6REREG/SHYaPU3e/EPJ1xROFRw+9vzrr0p1frf278w [preauth]
    Sep 21 13:16:15 vagrant sshd[2315]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
    Sep 21 13:16:15 vagrant sshd[2315]: debug1: trying public key file /home/ftpuser/.ssh/authorized_keys
    Sep 21 13:16:15 vagrant sshd[2315]: debug1: fd 5 clearing O_NONBLOCK
    Sep 21 13:16:15 vagrant sshd[2315]: debug1: /home/ftpuser/.ssh/authorized_keys:5: matching key found: RSA SHA256:P6REREG/SHYaPU3e/EPJ1xROFRw+9vzrr0p1frf278w

Using the same user credentials I attempt the same connection from Java code using Jsch 0.1.67. Specifically I use jsch.addIdentity(privateKey, pubKey, null); with the private and public keys set to the standard .ssh/id_rsa and .ssh/id_rsa.pub. In the remote authlog I see

    Sep 21 13:16:50 vagrant sshd[2419]: debug1: attempt 1 failures 0 [preauth]
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:dhsK1JICUVncZmXW6MIFi0/fb2mJTetz8/igyP+kYXY [preauth]
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: trying public key file /home/ftpuser/.ssh/authorized_keys
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: fd 5 clearing O_NONBLOCK
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: restore_uid: 0/0
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: temporarily_use_uid: 1001/1001 (e=0/0)
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: trying public key file /home/ftpuser/.ssh/authorized_keys2
    Sep 21 13:16:50 vagrant sshd[2419]: debug1: Could not open authorized keys '/home/ftpuser/.ssh/authorized_keys2': No such file or directory

So a different public key is used, which fails. I do not understand where Jsch is getting this key from. I have stepped through the jsch.addIdentity call. I can see my public key file being read but I am not too sure how Jsch transforms this before sending it to the remote ssh server.

My code is very simple, with one exception: it is meant to run on both Linux and z/OS systems. To date all testing has been on Linux only; the z/OS aspects can be ignored.

    // Imports and the enclosing method signature are assumed here: the post shows only the
    // method body. shellParms, privateKey, pubKey, log, PantgwynUserInfo and silentClose are
    // the poster's own fields and classes and are not shown.
    import java.io.ByteArrayOutputStream;

    import com.jcraft.jsch.ChannelExec;
    import com.jcraft.jsch.JSch;
    import com.jcraft.jsch.Session;
    import com.jcraft.jsch.UserInfo;

    public int runCommands()
    {
        ByteArrayOutputStream responseStream = null;
        ChannelExec channel = null;
        Session session = null;
        UserInfo ui = null;

        try
        {
            if (shellParms.getPassword() != null)
                JSch.setConfig("UserAuth", "password");
            else
                JSch.setConfig("UserAuth", "privatekey");

            // JSch's configuration key is "PreferredAuthentications" (case-sensitive); the
            // original lower-case "preferredAuthentications" key was never read by the library.
            JSch.setConfig("PreferredAuthentications", "gssapi-with-mic,hostbased,publickey,keyboard-interactive,password");
            JSch.setConfig("StrictHostKeyChecking", "no");      // server host key is not strictly verified
            JSch.setConfig("userauth.gssapi-with-mic", "no");   // no such class, so that method fails to load

            JSch jsch = new JSch();

            if (shellParms.getPassword() == null)
            {
                jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
                // privateKey/pubKey hold the paths to ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
                jsch.addIdentity(privateKey, pubKey, null);
            }

            session = jsch.getSession(shellParms.getUserid(), shellParms.getHost(), shellParms.getPort());

            ui = new PantgwynUserInfo(shellParms.getPassword(), shellParms.getPassphrase());
            session.setUserInfo(ui);

            session.connect();

            for (String cmd : shellParms.getCommands())
            {
                log.info("sending command:" + cmd);

                channel = (ChannelExec) session.openChannel("exec");
                channel.setCommand(cmd);

                responseStream = new ByteArrayOutputStream();
                channel.setOutputStream(responseStream);
                channel.connect();

                // Poll until the remote side closes the channel
                while (channel.isConnected())
                {
                    Thread.sleep(100);
                }
                responseStream.flush();

                // Decoded with the platform default charset
                String responseString = new String(responseStream.toByteArray());
                System.out.println(responseString);
            }
        }
        catch (Exception e)
        {
            System.out.println(e);
        }
        finally
        {
            if (session != null)
            {
                session.disconnect();
            }
            if (channel != null)
            {
                channel.disconnect();
            }

            silentClose(responseStream);
        }

        return 0;
    }

I have tried lots of variations from stackoverflow questions/answers and elsewhere, but cannot determine why the ssh command works and Jsch fails. Any suggestions welcome.

Further, the keys on the sending host:

    vagrant@vagrant:~/.ssh$ cat id_rsa
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

    vagrant@vagrant:~/.ssh$ cat id_rsa.pub
    ssh-rsa ... vagrant@vagrant

On the receiving host:

    ftpuser@vagrant:~/.ssh$ cat authorized_keys
    ssh-rsa ... dave@pantgwyn2010

The Jsch log from a failed connection:

    Connecting to 192.168.56.99 port 22
    Connection established
    Remote version string: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
    Local version string: SSH-2.0-JSCH-0.1.67
    CheckCiphers: chacha20-poly1305@openssh.com
    chacha20-poly1305@openssh.com is not available.
    cipher.c2s proposal before removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
    cipher.s2c proposal before removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
    cipher.c2s proposal after removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    cipher.s2c proposal after removing unavailable algos is: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
    curve25519-sha256 is not available.
    curve25519-sha256@libssh.org is not available.
    curve448-sha512 is not available.
    kex proposal before removing unavailable algos is: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    kex proposal after removing unavailable algos is: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    CheckSignatures: ssh-ed25519,ssh-ed448
    ssh-ed25519 is not available.
    ssh-ed448 is not available.
    server_host_key proposal before removing unavailable algos is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    server_host_key proposal after removing unavailable algos is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    server_host_key proposal before known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    server_host_key proposal after known_host reordering is: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    SSH_MSG_KEXINIT sent
    SSH_MSG_KEXINIT received
    kex: server: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    kex: server: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
    kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    kex: server: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    kex: server: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    kex: server: none,zlib@openssh.com
    kex: server: none,zlib@openssh.com
    kex: server: 
    kex: server: 
    kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
    kex: client: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    kex: client: none
    kex: client: none
    kex: client: 
    kex: client: 
    kex: algorithm: ecdh-sha2-nistp256
    kex: host key algorithm: ecdsa-sha2-nistp256
    kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
    kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256-etm@openssh.com compression: none
    SSH_MSG_KEX_ECDH_INIT sent
    expecting SSH_MSG_KEX_ECDH_REPLY
    ssh_ecdsa_verify: ecdsa-sha2-nistp256 signature true
    Host '192.168.56.99' is known and matches the ECDSA host key
    SSH_MSG_NEWKEYS sent
    SSH_MSG_NEWKEYS received
    SSH_MSG_SERVICE_REQUEST sent
    SSH_MSG_EXT_INFO received
    server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
    SSH_MSG_SERVICE_ACCEPT received
    Authentications that can continue: gssapi-with-mic,publickey,keyboard-interactive,password
    Next authentication method: gssapi-with-mic
    failed to load gssapi-with-mic method
    Authentications that can continue: publickey,keyboard-interactive,password
    Next authentication method: publickey
    PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    Signature algorithms unavailable for non-agent identities = [ssh-ed25519, ssh-ed448]
    PubkeyAcceptedAlgorithms in server-sig-algs = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256, ssh-rsa]
    rsa-sha2-512 preauth failure
    rsa-sha2-256 preauth failure
    ssh-rsa preauth failure
    Authentications that can continue: password
    Next authentication method: password
    Disconnecting from 192.168.56.99 port 22
    com.jcraft.jsch.JSchException: Auth cancel

Answers (1)

Dave Breeze

A huge thank you and much respect to dave_thompson_085

Using

    ssh -oIdentitiesOnly=yes -i~/.ssh/id_rsa

confirmed the assertion from Dave Thompson - the ssh command was not using the keys in ~/.ssh. It seems there was a stale key in the ssh agent. I cannot explain this but I removed this and for good measure regenerated and copied the keys and now both ssh command and Jsch code work as expected.
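
The check that the -oIdentitiesOnly run above performs by hand, as an added example that is not code from the post or from JSch: compute the OpenSSH SHA256 fingerprint of the public key lines you believe are in play (~/.ssh/id_rsa.pub, the output of ssh-add -L, the server's authorized_keys) and map them against the fingerprints sshd logged as offered, so a stale agent key shows up as an offered fingerprint that matches no file. The RSA blobs and the sshd line below are constructed samples, not real keys.

```python
import base64
import hashlib
import re
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(x: int) -> bytes:
    """SSH wire 'mpint' for a positive integer (leading 0x00 kept when the MSB is set)."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")

def make_rsa_blob(e: int, n: int) -> bytes:
    """Constructed ssh-rsa key blob (the base64 part of an id_rsa.pub line); not a usable key."""
    return _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))

def pubkey_line(blob: bytes, comment: str) -> str:
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def fingerprint(blob: bytes) -> str:
    """OpenSSH fingerprint as sshd logs it: base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_line(line: str) -> str:
    """Fingerprint of one id_rsa.pub / authorized_keys line, checking the embedded key type."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (embedded_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + embedded_len] != keytype.encode():
        raise ValueError("key type in blob does not match leading keyword")
    return fingerprint(blob)

# sshd debug1 line written for every key a client offers, as in the question's authlog
OFFERED = re.compile(r"userauth_pubkey: test pkalg (\S+) pkblob (\S+) (SHA256:\S+)")
def match_offered_keys(sshd_log: str, local_keys: dict) -> dict:
    """For each fingerprint sshd saw, name the local key line that produced it (None if none)."""
    by_fp = {fingerprint_line(text): name for name, text in local_keys.items()}
    return {m.group(3): by_fp.get(m.group(3)) for m in OFFERED.finditer(sshd_log)}

if __name__ == "__main__":
    # Constructed sample: the key in ~/.ssh/id_rsa.pub is not the one sshd reports being offered
    file_key = pubkey_line(make_rsa_blob(65537, 0xC0FFEE), "vagrant@vagrant")
    agent_key = pubkey_line(make_rsa_blob(65537, 0xDEADBEEF), "dave@pantgwyn2010")
    log = ("Sep 21 13:16:50 vagrant sshd[2419]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 "
           "pkblob RSA " + fingerprint_line(agent_key) + " [preauth]\n")
    print(match_offered_keys(log, {"~/.ssh/id_rsa.pub": file_key}))  # offered key matches no file
    print(match_offered_keys(log, {"~/.ssh/id_rsa.pub": file_key, "ssh-add -L entry": agent_key}))
```

A None in the result means the client offered a key that is not the file you passed to addIdentity or -i; listing the agent's keys with ssh-add -L usually accounts for it.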
