
JSch issue : com.jcraft.jsch.JSchException: Auth fail

 
Lalit Pawar
Hi

We are using the JSch APIs for SFTP access.
In our current project we want to differentiate between a normal login failure due to invalid credentials and a login failure due to the account being locked.
Can someone suggest how to do this? Below is our code snippet.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
import java.util.Properties;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

public Session getSFTPSession(String userID, String password, int port,
        String hostIP) throws IBPPException {
    LOGGER.info("In getFtpSession");
    JSch jsch = new JSch();
    Session sftpSession = null;

    try {
        // Create the session and configure password authentication
        sftpSession = jsch.getSession(userID, hostIP, port);
        LOGGER.info("sftpSession" + sftpSession);
        sftpSession.setPassword(password);
        Properties config = new Properties();
        // Host key verification is switched off by this setting
        config.put("StrictHostKeyChecking", "no");
        sftpSession.setConfig(config);
        // Socket timeout of 10 minutes, in milliseconds
        sftpSession.setTimeout(10 * 60 * 1000);
        sftpSession.connect();
        LOGGER.info("SFT connection open");

    } catch (JSchException jsche) {
        // Every JSchException raised while connecting is mapped to INVALID_LOGON
        LOGGER.info("Error creating SFTP session. Exception is "
                + jsche.getMessage());

        throw new BusinessException(ExceptionConstants.INVALID_LOGON,
                CLASS_NAME, "getSFTPSession");
    }
    return sftpSession;
}
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

 
K. Tsang
Welcome to the Ranch

Well, when you try to connect with a locked user id, will the JSchException message be different from a wrong password login? If so, catch that message and throw your specific exception.

Or a better approach, do the user authentication with a separate POJO against the database or something.
 
Lalit Pawar
We are getting the same message, i.e. com.jcraft.jsch.JSchException: Auth fail

So we are not sure how to differentiate that message. We are using version jsch-0.1.42.jar.
 
Richard Tookey
Lalit Pawar wrote:
So we are not sure how to differentiate that message.


It's over a year since I last looked at this but I don't think you can with any SSH client! Authentication is governed by http://www.ietf.org/rfc/rfc4252.txt and a failure to authenticate produces a return of SSH_MSG_USERAUTH_FAILURE regardless of the failure mode. I don't remember there being any field in the failure message to detail the reason.

In any authentication system it is advisable not to give a reason for a failure to authenticate since it could provide information to an attacker.

P.S. I'm not keen on your use of " config.put("StrictHostKeyChecking", "no")" since it weakens the mutual authentication.
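
The RFC 4252 failure message mentioned above, as an added example that is not part of the original thread or of JSch: a parser for a decrypted SSH_MSG_USERAUTH_FAILURE payload, whose only fields are the list of methods that can continue and a partial-success flag. The class name UserauthFailure and the sample payload are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class UserauthFailure {
    static final int SSH_MSG_USERAUTH_FAILURE = 51; // message number from RFC 4252

    final List<String> canContinue;  // "authentications that can continue"
    final boolean partialSuccess;    // true only after a successful step of a multi-step login

    UserauthFailure(List<String> canContinue, boolean partialSuccess) {
        this.canContinue = canContinue;
        this.partialSuccess = partialSuccess;
    }

    /** Parses the payload: byte type, name-list of methods, boolean partial success. */
    static UserauthFailure parse(byte[] payload) {
        ByteBuffer buf = ByteBuffer.wrap(payload); // big-endian by default, as SSH requires
        if (buf.remaining() < 6 || (buf.get() & 0xff) != SSH_MSG_USERAUTH_FAILURE) {
            throw new IllegalArgumentException("not SSH_MSG_USERAUTH_FAILURE");
        }
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining() - 1) { // one byte must remain for the boolean
            throw new IllegalArgumentException("bad name-list length");
        }
        byte[] names = new byte[len];
        buf.get(names);
        boolean partial = buf.get() != 0;
        if (buf.hasRemaining()) {
            // The message defines nothing after the boolean: no reason code, no text
            throw new IllegalArgumentException("unexpected trailing bytes");
        }
        String csv = new String(names, StandardCharsets.US_ASCII);
        List<String> methods = csv.isEmpty()
                ? Arrays.<String>asList() : Arrays.asList(csv.split(","));
        return new UserauthFailure(methods, partial);
    }

    public static void main(String[] args) {
        // Constructed sample: type 51, name-list "publickey,password", partial success = false
        byte[] list = "publickey,password".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer b = ByteBuffer.allocate(1 + 4 + list.length + 1);
        b.put((byte) SSH_MSG_USERAUTH_FAILURE).putInt(list.length).put(list).put((byte) 0);
        UserauthFailure f = parse(b.array());
        System.out.println("can continue: " + f.canContinue
                + ", partial success: " + f.partialSuccess);
    }
}
```

A wrong password and a locked account both produce a payload of this shape, so a client has nothing in the message to branch on.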
 