Dale Anderson wrote:
> Hi All,
>
> I am new to JSCH and would appreciate your help! I need to SFTP a file to
> remote sshd server using JSCH. From the examples and online resources,
> pasted below is the code I wrote for the purpose. I have excluded exception
> handling etc. for readability. The code seems to work and transfers file to
> our sftp server. I had a couple of questions around the code.
>
> --------------------------------------
> Questions:
> 1. In all the examples that I came across online the line
> "Security.addProvider(new com.sun.crypto.provider.SunJCE());" ... is
> commented. If I uncomment this line the program doesn't compile even though
> my JDK is in the classpath. I understand that JSCH uses JCE for encryption.
> So, if we comment this line, does it use any default JCE encryption
> mechanism? Or is my code not secure for sftp file transfer after this line
> is commented?
I understand that this is the provider class for older (separately downloaded) versions of JCE. From Java 1.4 on, this provider (presumably under another class name, or in some jar file which is not in the default compiler classpath) is included in the JRE and used automatically (if you don't choose another provider). JSch will not use insecure connections if you don't change the options to this aim. If it can't find a JCE implementation, you will get no connection at all.

> 2. Is it okay to set "no" for "StrictHostKeyChecking" when transferring file
> to remote server using JSCH? Or does it make the sftp file transfer
> insecure?

It allows attackers to do a man-in-the-middle attack. This means that they can pretend to be your server, and JSch has no way to discover that this is not the case.

If your attack model only includes passive attackers (i.e. which can read but not change the data transmitted), and the DNS server is not compromised, it is still secure, since after the key exchange everything is strongly encrypted (and authenticated, too) (if you don't set options to switch this off).

If your attack model allows attackers to intercept and alter network packets, the attacker can pretend to be the server to you, and then connect to the original server pretending to be you. If the session is password authenticated, this will be successful; if you are using public key authentication, the authentication to the original server is not possible (as the private keys are not transmitted, only some data is signed, and this includes the session ID, which will be different). Thus, at least use public key authentication in this case. (The attacker still can accept your data, but not upload it (or anything else) to the server.)

But better obtain the server's public key, put it into a known hosts file, and provide this to JSch for checking.

> 3. Please go through my code below and let me know if I am missing anything
> from security point of view or in general?
>
> ----------------------------------------
> Code to transfer test file to remote sftp server:
>
> import java.io.File;
> import java.io.FileInputStream;
> import com.jcraft.jsch.Channel;
> import com.jcraft.jsch.ChannelSftp;
> import com.jcraft.jsch.JSch;
> import com.jcraft.jsch.Session;
>
> JSch jsch = new JSch();
> Session session = null;
> Channel channel = null;
> ChannelSftp c = null;
>
> session = jsch.getSession("USER1", "myserver.abc.com");
> session.setPassword("PASS1");

I hope this is not the real password :-)

> //Security.addProvider(new com.sun.crypto.provider.SunJCE());
>
> java.util.Properties config = new java.util.Properties();
> config.put("StrictHostKeyChecking", "no");
> session.setConfig(config);

You can write these 3 lines shorter as this:

    session.setConfig("StrictHostKeyChecking", "no");

> session.connect();
>
> channel = session.openChannel("sftp");
> channel.connect();
> c = (ChannelSftp)channel;
> c.cd("/");
>
> File f = new File("myfile.test");
> FileInputStream fis = new FileInputStream(f);
> c.put(fis, f.getName());

You would want to close the stream after uploading, and disconnect channel and session (if you don't want to upload more). Apart from this (and the host key checking discussed above), it looks fine. (Of course, I will not give any guarantee here.)

Paul
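As an added example (editor's code, not part of the original thread and not Paul's or Dale's), here is the posted upload rewritten with the three changes Paul recommends: host key checking against a known_hosts file instead of StrictHostKeyChecking=no, public key authentication instead of a password, and closing the stream and disconnecting channel and session when done. The host name and user name are taken from the posted code; the port, the connect timeout and the paths of the private key and known_hosts file are assumptions. The known_hosts entry for the server must be obtained out of band (from the server's administrator or the server's own host key files), not by accepting whatever key the network hands you on first contact.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import com.jcraft.jsch.Channel;
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;

public class SftpUploadChecked {

    // Host and user come from the original post; everything else is an assumption.
    private static final String HOST = "myserver.abc.com";
    private static final int PORT = 22;
    private static final String USER = "USER1";
    private static final String KNOWN_HOSTS =
            System.getProperty("user.home") + "/.ssh/known_hosts";
    private static final String PRIVATE_KEY =
            System.getProperty("user.home") + "/.ssh/id_rsa";

    public static void upload(File local, String remoteDir)
            throws JSchException, SftpException, IOException {
        JSch jsch = new JSch();

        // 1. Host key checking. The known_hosts file is in OpenSSH format, one
        //    line per host ("myserver.abc.com ssh-rsa AAAA..."), and must already
        //    hold the server's key. With StrictHostKeyChecking=yes, JSch throws a
        //    JSchException instead of connecting when the key is missing or differs,
        //    which is exactly what stops the man-in-the-middle described above.
        jsch.setKnownHosts(KNOWN_HOSTS);

        // 2. Public key authentication. The private key never leaves this machine;
        //    only a signature over data that includes the session id is sent, so an
        //    interceptor cannot reuse it to log in to the real server.
        jsch.addIdentity(PRIVATE_KEY);

        Session session = jsch.getSession(USER, HOST, PORT);
        session.setConfig("StrictHostKeyChecking", "yes");
        session.setConfig("PreferredAuthentications", "publickey");

        ChannelSftp sftp = null;
        try {
            session.connect(10000); // connect timeout in milliseconds (assumed value)

            // Record which key the server presented; useful in logs when the
            // known_hosts entry is later rotated.
            HostKey hk = session.getHostKey();
            System.out.println("Connected to " + HOST + " using host key "
                    + hk.getType() + " " + hk.getFingerPrint(jsch));

            Channel channel = session.openChannel("sftp");
            channel.connect();
            sftp = (ChannelSftp) channel;
            sftp.cd(remoteDir);

            // 3. Close the local stream once the upload is done (try-with-resources).
            try (InputStream in = new FileInputStream(local)) {
                sftp.put(in, local.getName(), ChannelSftp.OVERWRITE);
            }
        } finally {
            // 4. Always release the channel and the session, even on failure.
            if (sftp != null) {
                sftp.disconnect();
            }
            session.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        upload(new File("myfile.test"), "/");
    }
}
```

If the server's key is not yet in the file, run this once with the entry added by hand from the out-of-band copy rather than switching StrictHostKeyChecking to "no" to get past the first connection; the setting protects every later connection only if the first one was checked too.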
_______________________________________________
JSch-users mailing list
JSch-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jsch-users