Last active
June 17, 2021 13:30
-
-
Save niclasnilsson/038f20bee1bd19e970d59ba35732e262 to your computer and use it in GitHub Desktop.
Example ~/.ssh/config for dealing with JSch and public key authentication with encrypted (password protected) keys.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example ~/.ssh/config for dealing with JSch problems regarding | |
| # ssh public key authentication with encrypted (password protected) keys. | |
| # | |
| # First, a problem description and a couple of solutions that worked for me, | |
| # (in March 2018 on MacOS High Sierra) and in the bottom youäll find an example | |
| # config that doesn't interfere with JSch's use of the ssh-agent. | |
| # | |
| # | |
| # Problem description: | |
| # -------------------- | |
| # Jsch, a widely used Java implementation of SSH2, has a problem handling | |
| # public key authentication with encrypted (password protected) keys. Even if | |
| # you use an ssh-agent, Jsch picks up the key file from the ~/.ssh/config, | |
| # tries to use it directly itself, and fails. The described solutions describes | |
| # how to make sure Jsch doesn't read the key, and instead let ssh-agent handle it. | |
| # | |
| # Example exception: | |
| # | |
| # Error building classpath. [repo url]: USERAUTH fail | |
| # org.eclipse.jgit.api.errors.TransportException: [your repo url]: USERAUTH fail | |
| # at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:248) | |
| # ... | |
| # Caused by: org.eclipse.jgit.errors.TransportException: [repo url]: USERAUTH fail | |
| # at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:172) | |
| # ... | |
| # Caused by: com.jcraft.jsch.JSchException: USERAUTH fail | |
| # at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:119) | |
| # | |
| # | |
| # Solution: remove ~/.ssh/config | |
| # ------------------------------ | |
| # If you don't need ~/.ssh/config for other things, you can actually remove the file entierly. | |
| # If you need it, see next section. | |
| # | |
| # A solution with ~/.ssh/config | |
| # ----------------------------- | |
| # If you need ~/.ssh/config, then you have to hide the IdentityFile from JSch. | |
| # The problem is that JSch seems to read (parts) of the ~/.ssh/config, | |
| # so we need to craft it a bit differently, to make JSch let the ssh-agent do | |
| # all the key handling. | |
| # | |
| # Remove the IdentityFile option on all sections that JSch will look at. This | |
| # includes "Host *" and unfortunately also, incorrectly, filters like | |
| # "Host *,!github.com". Jsch seems to ignore that and pick up the key anyway. | |
| # | |
| # ... and add your key to the ssh-agent: | |
| # -------------------------------------- | |
| # Next, make sure your ssh-agent is running (ps aux | grep ssh-agent). Then | |
| # see if you have your key in there, using ssh-add -l | |
| # | |
| # If it says something like: | |
| # | |
| # % ssh-add -l | |
| # 4096 SHA256:wlVK ... [user]/.ssh/id_rsa (RSA) | |
| # | |
| # then you have a key, and things will hopefully work. However, if it says: | |
| # | |
| # % ssh-add -l | |
| # The agent has no identities. | |
| # | |
| # then you need to add your ssh key to the ssh-agent. You can do that with: | |
| # | |
| # % ssh-add ~/.ssh/id_rsa | |
| # Enter passphrase for .ssh/id_rsa: | |
| # Identity added: .ssh/id_rsa | |
| # | |
| # This, combined with a ~/.ssh/config that makes Jsch not pick up the ssh key, | |
| # worked for me. | |
| # | |
| # For more info on using ssh-agent: | |
| # https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/#adding-your-ssh-key-to-the-ssh-agent | |
| # | |
| # Secondary failure: | |
| # ------------------ | |
| # | |
| # If you instead see errors with "Auth fail" instead of "USERAUTH fail": | |
| # | |
| # Error building classpath. [repo url]: Auth fail | |
| # org.eclipse.jgit.api.errors.TransportException: [repo url]: Auth fail | |
| # at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:248) | |
| # ... | |
| # Caused by: org.eclipse.jgit.errors.TransportException: [repo url]: Auth fail | |
| # at org.eclipse.jgit.transport.JSchConfigSessionFactory.getSession(JSchConfigSessionFactory.java:172) | |
| # ... | |
| # Caused by: com.jcraft.jsch.JSchException: Auth fail | |
| # at com.jcraft.jsch.Session.connect(Session.java:519) | |
| # | |
| # that could mean that your ssh-agent is not providing the key to JSch. Test it with: | |
| # | |
| # % ssh-add -l | |
| # | |
| # The output should contain a line with the key you want to use. If it instead outputs | |
| # "The agent has no identities.", see above on how to add a key. | |
| # | |
| # | |
| # Example config: | |
| # | |
| Host github.com | |
| # No IdentityFile here. JSch fails. | |
| Host example.com | |
| # You can have it on hosts that you don't use a JSch tool chain on. | |
| IdentityFile ~/.ssh/id_rsa | |
| Host * | |
| AddKeysToAgent yes | |
| UseKeychain yes | |
| # No IdentityFile in * either. JSch fails. | |
| # IdentityFile ~/.ssh/id_rsa |
thanks for the explanation. unfortunately the config does not work for me (ubuntu 20.04)
ssh-add -l lists two private keys (corresponding pub-keys are both listed in my github profile)
still get Auth fail 😞
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you for this! 💯