Com.jcraft.jsch.jschexception: UnknownHostKey

java

ssh

host-key

jsch

byNikita Barsukov·Nov 5, 2024

In a testing phase of your project, you may want to bypass the com.jcraft.jsch.JSchException: UnknownHostKey without any obstacles. This can be done with JSch's method setHostKeyRepository implementing an HostKeyRepository returning HostKeyRepository.OK. The real-life use of this is as follows:

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

JSch jsch = new JSch();
jsch.setHostKeyRepository(new com.jcraft.jsch.HostKeyRepository() {
    // Making the host key check always return OK -> the key to our freedom
    public int check(String host, byte[] key) { return HostKeyRepository.OK; }
    // Nothing to see here, move along
    public void add(com.jcraft.jsch.HostKey hostKey, com.jcraft.jsch.UserInfo ui) {}
    public void remove(String host, String type, byte[] key) {}
    public com.jcraft.jsch.HostKey[] getHostKey() { return null; }
    public com.jcraft.jsch.HostKey[] getHostKey(String host, String type) { return null; }
});

Session session = jsch.getSession("username", "host", 22);
session.setPassword("password");
sesssion.connect();

Please note: By allowing all host keys, we're disabling the usual host key verification process. This can expose you to man-in-the-middle attacks. Consider this solution only as a transitory fix mainly for testing environments, not for secure production settings.

Integrating SSH public key: The right way

You want to connect SSH to your server, and that server is like a house. Just like you can't enter without the right keys, similarly in SSH connections, you need to have the right host key to make the connection. This key can be added to the ~/.ssh/known_hosts file which makes the server trusted. For retrieving the host's public key, ssh-keyscan can be utilized:

ssh-keyscan -t rsa hostname >> ~/.ssh/known_hosts

Words of wisdom: Do this only if you trust the host because this is like trusting a stranger on the road. Be careful of spoofing attacks.

Striking a balance: Quick fix vs Security

In development environments, maintaining the known_hosts can be quite tedious. Now, here's where Mr. StrictHostKeyChecking might come your way as a savior. Just set him to no within java.util.Properties:

Properties config = new java.util.Properties(); 
config.put("StrictHostKeyChecking", "no");
session.setConfig(config);

But remember, just like you don't disclose your banking pin to everyone, you shouldn't keep StrictHostKeyChecking to no for the production system. Keep security intact always!

Managing host keys: To trust or not to trust

When JSch and SSH keys are playing the main characters in your script, HostKeyRepository and KnownHosts enters as a lead supporting role. These classes help you in being the boss of your host key management. Get your hands on setKnownHosts for more power.

Are you a Windows user? Don't worry, we got you covered. Use tools like cygwin for handling SSH keys, especially when they're filmstars moving between systems.

JCraft's role and addressing issues

JSch supposedly does everything you want but does it, really? If you experience challenges with JSch, don't hesitate to approach JCraft. They might even include your proposed enhancements or bug fixes in their next iteration of JSch. The cryptic texts of JSch examples in source might also give you some lightbulb moments.

Handling exceptions without losing your mind

UnknownHostKey, the infamous exception is like a traffic signal. It disrupts your journey but is there for a good reason. Balance is key here. Temporary solutions might expedite development but not at the cost of security failings in your production environment.

explain-codes / Java / Com.jcraft.jsch.jschexception: UnknownHostKey

Linked

Accept server's self-signed SSL certificate in Java client



Connection Java - MySQL : Public Key Retrieval is not allowed



How do I find out what keystore my JVM is using?



Java HTTPS Client Certificate Authentication



Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?



Unable to find valid certification path to requested target - error even after cert imported



Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Integrating SSH public key: The right way Striking a balance: Quick fix vs Security Managing host keys: To trust or not to trust JCraft's role and addressing issues Handling exceptions without losing your mind