SSH Key Authentication is breaking in sshj-0.32.0 which worked in sshj-0.21.0

[ptg1792]

Hi all,

I was using the key authentication like below in sshj-0.21.0 & it worked.

KeyProvider privateKey = ssh.loadKeys(privateKeyString, publicKeyString, null);
ssh.authPublickey("username", privateKey);

However when I try to use the same code with sshj-0.32.0, it breaks with unexpected exception. It points to the public key but I am passing it correctly & it works in sshj-0.21.0 even with empty public key.

Any help or pointers toward resolving it are appreciated.

[16:07:02,497][ERROR] net.schmizz.sshj.transport.TransportImpl - Dying because - null
java.lang.NullPointerException
at net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec.(EdDSAPublicKeySpec.java:20)
at net.schmizz.sshj.common.KeyType$6.readPubKeyFromBuffer(KeyType.java:192)
at net.schmizz.sshj.common.Buffer.readPublicKey(Buffer.java:489)
at net.schmizz.sshj.transport.kex.AbstractDHG.next(AbstractDHG.java:66)
at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:389)
at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:474)
at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:113)
at net.schmizz.sshj.transport.Decoder.received(Decoder.java:200)
at net.schmizz.sshj.transport.Reader.run(Reader.java:60)
[16:07:02,501][ERROR] net.schmizz.concurrent.Promise - <> woke to: net.schmizz.sshj.transport.TransportException

[hierynomus]

Does it work with 0.35.0? That's the most recently released version.

[exceptionfactory]

@ptg1792 Can you provide the version of Java you are using?

[ptg1792]

@exceptionfactory : I am using Java 1.8.0.

[ptg1792]

I just tried with Java 11.0.9 as well but still it breaks.

[exceptionfactory]

Thanks for the Java version information.

@ptg1792 Can you describe the source of the Ed25519 key? Running ssh-keygen -t ed25519 on recent versions of OpenSSH creates a key pair using the OpenSSH format using the following header:

-----BEGIN OPENSSH PRIVATE KEY-----

This format was not supported until SSHJ 0.27.0. Testing with this key format works with both SSHJ 0.27.0 and 0.35.0.

Perhaps there is something wrong with the key loading. If you can provide additional details on the format of the private key, that would be helpful.

[exceptionfactory]

On a closer review of the code for AbstractDHG.next(), it appears that Buffer.readPublicKey() is having an issue read the key from SSH packet received from the server.

In that case, it would be helpful to provide debug or trace logs for the SSH connection to confirm the selected key negotiation algorithms.

[exceptionfactory]

@ptg1792 The stack trace with a NullPointerException references lines 20 of EdDSAPublicKeySpec, which corresponds to version 0.1.0. Version 0.2.0 and 0.3.0, which more recent versions of SSHJ use, changed the name for the curve. This means that version 0.1.0 of net.i2p.crypto:eddsa is not compatible with recent versions of SSHJ, and could result in the stack trace with the NullPointerException.

SSHJ has a direct dependency on eddsa 0.3.0, but it seems like the runtime class path is still referencing version 0.1.0. If you can track down the source of that library and make sure it is updated to version 0.3.0, that may solve the problem.

[ptg1792]

@exceptionfactory We are not using the Ed25519 type key. Instead we are using RSA 4096 bit key. Private key starts with below line, not sure why it is trying to read it like Ed25519. Is there any way I can enforce it to RSA?
Meanwhile let me check if I can find & update the library version for eddsa.

-----BEGIN RSA PRIVATE KEY-----

[ptg1792]

@exceptionfactory Updating the eddsa to eddsa-0.3.0.jar worked like a charm. Thank you so much for debugging it & pointing to the root cause. Appreciate it.

[exceptionfactory]

That's great news! You're welcome!