@niclasnilsson
Last active June 17, 2021 13:30
Example ~/.ssh/config for dealing with JSch and public key authentication with encrypted (password protected) keys.
# Example ~/.ssh/config for dealing with JSch problems regarding
# ssh public key authentication with encrypted (password protected) keys.
#
# First, a problem description and a couple of solutions that worked for me
# (in March 2018 on macOS High Sierra), and at the bottom you'll find an example
# config that doesn't interfere with JSch's use of the ssh-agent.
#
#
# Problem description:
# --------------------
# JSch, a widely used Java implementation of SSH2, has a problem handling
# public key authentication with encrypted (password protected) keys. Even if
# you use an ssh-agent, JSch picks up the key file from the ~/.ssh/config,
# tries to use it directly itself, and fails. The solutions below describe
# how to make sure JSch doesn't read the key, and instead lets ssh-agent handle it.
#
# Example exception:
#
# Error building classpath. [repo url]: USERAUTH fail
# org.eclipse.jgit.api.errors.TransportException: [your repo url]: USERAUTH fail
# at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:248)
# ...
# Caused by: org.eclipse.jgit.errors.TransportException: [repo url]: USERAUTH fail
# at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:172)
# ...
# Caused by: com.jcraft.jsch.JSchException: USERAUTH fail
# at com.jcraft.jsch.UserAuthPublicKey.start(UserAuthPublicKey.java:119)
#
#
# Solution: remove ~/.ssh/config
# ------------------------------
# If you don't need ~/.ssh/config for other things, you can actually remove the file entirely.
# If you need it, see next section.
#
# A solution with ~/.ssh/config
# -----------------------------
# If you need ~/.ssh/config, then you have to hide the IdentityFile from JSch.
# The problem is that JSch seems to read (parts of) the ~/.ssh/config,
# so we need to craft it a bit differently, to make JSch let the ssh-agent do
# all the key handling.
#
# Remove the IdentityFile option on all sections that JSch will look at. This
# includes "Host *" and unfortunately also, incorrectly, filters like
# "Host *,!github.com". JSch seems to ignore the negation and pick up the key anyway.
#
# ... and add your key to the ssh-agent:
# --------------------------------------
# Next, make sure your ssh-agent is running (ps aux | grep ssh-agent). Then
# see if you have your key in there, using ssh-add -l
#
# If it says something like:
#
# % ssh-add -l
# 4096 SHA256:wlVK ... [user]/.ssh/id_rsa (RSA)
#
# then you have a key, and things will hopefully work. However, if it says:
#
# % ssh-add -l
# The agent has no identities.
#
# then you need to add your ssh key to the ssh-agent. You can do that with:
#
# % ssh-add ~/.ssh/id_rsa
# Enter passphrase for .ssh/id_rsa:
# Identity added: .ssh/id_rsa
#
# This, combined with a ~/.ssh/config that makes JSch not pick up the ssh key,
# worked for me.
#
# For more info on using ssh-agent:
# https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/#adding-your-ssh-key-to-the-ssh-agent
#
# Secondary failure:
# ------------------
#
# If you see errors with "Auth fail" instead of "USERAUTH fail":
#
# Error building classpath. [repo url]: Auth fail
# org.eclipse.jgit.api.errors.TransportException: [repo url]: Auth fail
# at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:248)
# ...
# Caused by: org.eclipse.jgit.errors.TransportException: [repo url]: Auth fail
# at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:172)
# ...
# Caused by: com.jcraft.jsch.JSchException: Auth fail
# at com.jcraft.jsch.Session.connect(Session.java:519)
#
# that could mean that your ssh-agent is not providing the key to JSch. Test it with:
#
# % ssh-add -l
#
# The output should contain a line with the key you want to use. If it instead outputs
# "The agent has no identities.", see above on how to add a key.
#
#
# Example config:
#
Host github.com
  # No IdentityFile here; JSch fails if there is one.

Host example.com
  # You can have it on hosts that you don't use a JSch tool chain on.
  IdentityFile ~/.ssh/id_rsa

Host *
  AddKeysToAgent yes
  # UseKeychain is specific to the OpenSSH shipped with macOS.
  UseKeychain yes
  # No IdentityFile in * either; JSch fails if there is one.
  # IdentityFile ~/.ssh/id_rsa
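
A small checker for the rule described above, as an added example that is not part of the original gist: it lists every IdentityFile in a section that would apply to a given host when negated patterns are ignored, which is the JSch behaviour the gist reports. The function names and the sample config are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample config for illustration (not the gist's own file).
SAMPLE = """\
IdentityFile ~/.ssh/id_global
Host github.com
    User git
Host example.com
    IdentityFile ~/.ssh/id_rsa
Host *,!github.com
    IdentityFile ~/.ssh/id_work
Host *
    AddKeysToAgent yes
"""

def host_blocks(config_text):
    """Return [(patterns, identity_files)] for each section of an ssh config."""
    # Options before the first Host line apply to every host, so they are
    # collected under an implicit "*" section.
    blocks = [(["*"], [])]
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1) + [""]
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((re.split(r"[\s,]+", value), []))
        elif key == "match":
            blocks.append((["*"], []))  # conservative: assume it may apply
        elif key == "identityfile":
            blocks[-1][1].append(value)
    return blocks

def identity_files_seen(config_text, host):
    """List (section, IdentityFile) pairs a JSch tool chain may pick up for host."""
    # Assumption taken from the gist: a negated pattern (!name) does not keep
    # JSch away from a section, so negations are dropped rather than honoured.
    hits = []
    for patterns, files in host_blocks(config_text):
        positive = [p for p in patterns if p and not p.startswith("!")]
        if any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in positive):
            hits.extend((" ".join(patterns), f) for f in files)
    return hits

if __name__ == "__main__":
    for section, path in identity_files_seen(SAMPLE, "github.com"):
        print(f"Host {section}: remove IdentityFile {path}")
```

An empty result for a host means no section that applies to it names a key file, so key handling for that host is left to the ssh-agent.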

frisi commented Jun 17, 2021

thanks for the explanation. unfortunately the config does not work for me (ubuntu 20.04)
ssh-add -l lists two private keys (corresponding pub-keys are both listed in my github profile)

still get Auth fail 😞
