Thank you for the reply!
1. With regards to "StrictHostKeyChecking" are there any scenarios where it
might be better to set it to "no" rather than "yes"?
2. My Java program that would use JSCH would SFTP files to our Internal SFTP
server. Is this file transfer also vulnerable to 'man in the middle' attack?
i.e., in this case should I check for "StrictHostKeyChecking" or would it be
overkill?
Regards,
Dale
On Thu, Jun 9, 2011 at 4:02 PM, Paul Ebermann <paul-eberm...@gmx.de> wrote:
> Dale Anderson skribis:
> > Hi All,
> >
> > I am new to JSCH and would appreciate your help! I need to SFTP a file to
> > a remote sshd server using JSCH. From the examples and online resources,
> > pasted below is the code I wrote for the purpose. I have excluded
> > exception handling etc. for readability. The code seems to work and
> > transfers the file to our sftp server. I had a couple of questions around
> > the code.
> >
> > --------------------------------------
> > Questions:
> > 1. In all the examples that I came across online the line
> > "Security.addProvider(new com.sun.crypto.provider.SunJCE());" ... is
> > commented. If I uncomment this line the program doesn't compile even
> > though my JDK is in the classpath. I understand that JSCH uses JCE for
> > encryption. So, if we comment this line, does it use any default JCE
> > encryption mechanism? Or is my code not secure for sftp file transfer
> > after this line is commented?
>
> I understand that this is the provider class for older (separately
> downloaded) versions of JCE. From Java 1.4 this provider (presumably
> under another class name, or in some jar file which is not in the
> default compiler classpath) is included in the JRE and used
> automatically (if you don't choose another provider).
>
> JSch will not use insecure connections if you don't change the options
> to this aim. If it can't find a JCE implementation, you will get no
> connection at all.
>
> > 2. Is it okay to set "no" for "StrictHostKeyChecking" when transferring
> > a file to a remote server using JSCH? Or does it make the sftp file
> > transfer insecure?
>
> It allows attackers to do a man-in-the-middle attack. This means that
> they can pretend being your server, and JSch has no way to discover that
> this is not the case.
>
> If your attack model only includes passive attackers (i.e. which can
> read but not change the data transmitted), and the DNS server is not
> compromised, it is still secure, since after the key exchange everything
> is strongly encrypted (and authenticated, too) (if you don't set options
> to switch this off).
>
> If your attack model allows attackers to intercept and alter network
> packets, the attacker can pretend being the server to you, and then
> connect to the original server pretending being you. If the session is
> password authenticated, this will be successful, if you are using public
> key authentication, the authentication to the original server is not
> possible (as the private keys are not transmitted, only some data is
> signed, and this includes the session ID, which will be different).
>
> Thus, at least use public key authentication in this case.
> (The attacker still can accept your data, but upload it (or anything
> else) to the server.)
>
> But better obtain the server's public key, put it into a known hosts
> file, and provide this to JSch for checking.
>
> > 3. Please go through my code below and let me know if I am missing
> > anything from a security point of view or in general?
> >
> > ----------------------------------------
> > Code to transfer test file to remote sftp server:
> >
> > JSch jsch = new JSch();
> > Session session = null;
> > Channel channel = null;
> > ChannelSftp c = null;
> >
> > session = jsch.getSession("USER1", "myserver.abc.com");
> > session.setPassword("PASS1");
>
> I hope this is not the real password :-)
>
> > //Security.addProvider(new com.sun.crypto.provider.SunJCE());
> >
> > java.util.Properties config = new java.util.Properties();
> > config.put("StrictHostKeyChecking", "no");
> > session.setConfig(config);
>
> You can write these 3 lines shorter as this:
>
> session.setConfig("StrictHostKeyChecking", "no");
>
> > session.connect();
> >
> > channel = session.openChannel("sftp");
> > channel.connect();
> > c = (ChannelSftp)channel;
> > c.cd("/");
> >
> > File f = new File("myfile.test");
> > FileInputStream fis = new FileInputStream(f);
> > c.put(fis, f.getName());
>
>
> You would want to close the stream after uploading, and disconnect
> channel and session (if you don't want to upload more).
>
>
> Apart from this (and the host key checking discussed above), it looks fine.
>
> (Of course, I will not give any guarantee here.)
>
>
> Paul
>
>
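The following is an added example (not code from this thread or from the JSch project) that puts Paul's three recommendations together: a known_hosts file with StrictHostKeyChecking set to "yes", public-key authentication instead of a password, and closing the stream, channel and session in a finally block. The user, host, file name, key path and known_hosts path are assumed placeholders.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.HostKey;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

import java.io.File;
import java.io.FileInputStream;

public class SftpUpload {

    public static void main(String[] args) throws Exception {
        // Assumed values; replace with your own.
        String user = "USER1";
        String host = "myserver.abc.com";
        String knownHosts = "/home/user1/.ssh/known_hosts"; // must already hold the server's key
        String privateKey = "/home/user1/.ssh/id_rsa";       // public-key auth, no password sent
        File localFile = new File("myfile.test");

        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHosts);   // the server's key is compared against this file
        jsch.addIdentity(privateKey);     // signatures include the session ID, so a MITM cannot relay them

        Session session = jsch.getSession(user, host, 22);
        // "yes": refuse to connect if the host key is missing or differs from known_hosts.
        session.setConfig("StrictHostKeyChecking", "yes");

        ChannelSftp sftp = null;
        FileInputStream in = null;
        try {
            session.connect(10000);   // connect timeout in milliseconds
            HostKey hk = session.getHostKey();
            System.out.println("Connected to " + hk.getHost() + " (" + hk.getType()
                    + "), fingerprint " + hk.getFingerPrint(jsch));

            sftp = (ChannelSftp) session.openChannel("sftp");
            sftp.connect();
            sftp.cd("/");
            in = new FileInputStream(localFile);
            sftp.put(in, localFile.getName());
        } finally {
            // Release resources whether or not the upload succeeded.
            if (in != null) in.close();
            if (sftp != null) sftp.disconnect();
            session.disconnect();
        }
    }
}
```

If the server's key is not yet in known_hosts, connect() throws a JSchException with a "reject HostKey" message instead of silently trusting whatever key the network presented.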
JSch-users mailing list
JSch-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jsch-users