6

I use JSch with private key to FTP file

  1. jsch.addIdentity(privatekeyfile);
  2. Session session = jsch.getSession( "user", "domain.com" ,22);
  3. session.setConfig("StrictHostKeyChecking", "no");

Line 3 is in question. Without this line, JSch does not work.

My question is: Will line 3 make SFTP transfer insecure?

Martin Prikryl
  • 167,268
  • 50
  • 405
  • 846
Tony
  • 553
  • 5
  • 8
  • 17

2 Answers2

13

Disabling the StrictHostKeyChecking option will make the connection less secure than having the option enabled, because it will let you connect to remote servers without verifying their SSH host keys. If the option is enabled, you will only be able to connect to servers which keys are known to your SSH client.

You will have to decide what that means for your specific use case - are the servers you are connecting on a private, local network or do you connect over the internet? Is this a testing or production environment?

When in doubt, it is better to err on the side of more security. I would recommend enabling StricktHostKeyChecking and using the setKnownHosts method to provide a file which contains the remote host keys.

Ben Damer
  • 976
  • 7
  • 14
  • Thanks krautmeyer and Martin. setKnownHosts needs a file. Where is the file? I FTP to an AWS EC2 Linux instance. I got my privatekeyfile when I created the instance. But what to set in method setKnownHosts? Thanks! – Tony May 12 '15 at 22:33
  • The file needs to be available on the client which runs your program. If you have access to a Linux machine you can generate the file yourself: `ssh-keyscan -t rsa hostname > known_hosts` Hostname would be the target server you want to connect to in this case. Then just pass the file to the `setKnownHosts` method. – Ben Damer May 12 '15 at 22:51
  • Thanks.I logged in Linux and ran this: ssh-keyscan -t rsa abc.com > /home/known_hosts. A file known_hosts is created in home but is empty. abc.com is the domain I use to FTP to this server. Thanks. – Tony May 13 '15 at 00:05
  • Try just running `ssh-keyscan -t rsa abc.com` and post the output. – Ben Damer May 13 '15 at 00:11
  • `$ ssh-keyscan -t rsa abc.com` outputs nothing. It finish and come back to command line. `$ ssh-keyscan -t rsa abc.com` `$` – Tony May 13 '15 at 00:16
  • Are you able to connect to the remote server from the linux machine? What does `ssh user@abc.com` output? (Substitute a valid username) – Ben Damer May 13 '15 at 00:23
  • If I change abc.com to a fake name like abcxxx.com, then the command come back with a message: `getaddrinfo abcxxx.com: Name or service not known` – Tony May 13 '15 at 00:24
  • I am trying to FTP from my windows PC to this Linux. I have the private key file on my PC. JSch is also on my PC. – Tony May 13 '15 at 00:25
  • So the Linux machine that you are using is the AWS server? In that case, try `ssh-keyscan -t rsa localhost` and see if that produces anything. – Ben Damer May 13 '15 at 00:27
  • `ssh-keyscan -t rsa localhost` produces something: # localhost SSH-2.0-OpenSSH_6.2 localhost ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfkfoFN+oakKAvx2meT90jom1oRdBevPFP/2A+tN4+ – Tony May 13 '15 at 00:30
  • In that case, your known_hosts file should contain the following line: `abc.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfkfoFN+oakKAvx2meT90jom1oRdBevPFP/2A+tN4+` – Ben Damer May 13 '15 at 00:32
  • YES! Now JSch FTPed file to AWS Linux without `session.setConfig("StrictHostKeyChecking", "no")`. I hope this is really secure FTP! Thanks a lot! – Tony May 13 '15 at 00:40
4

Yes, it will make the connection (and the transfer) less secure. Particularly, it makes the connection open to Man-in-the-middle attacks.

You should never set the StrictHostKeyChecking to no, unless you do not care about security (such as when connecting within a private network).

It's not true that "Without this line, JSch does not work". You just have to make your code accept the expected server's host key. Either via the setKnownHosts or the setHostKeyRepository methods.

For examples, see How to resolve Java UnknownHostKey, while using JSch SFTP library?

You can read my article on verifying the host key to understand its importance. It's about WinSCP SSH/SFTP client, but it's generally true for any SSH client/library.

Martin Prikryl
  • 167,268
  • 50
  • 405
  • 846