0 votes
in tools.deps by

Jsch has a problem handling public key authentication with encrypted (password protected) keys. To get around it, the ~/.ssh/config can't contain an IdentityFile in any section that Jsch decides to read. To see a full description of the problem, stack traces and a couple of workarounds, see this gist: https://gist.github.com/niclasnilsson/038f20bee1bd19e970d59ba35732e262.

Note: the problem is not specific to tools.deps, but was discovered using it, so Alex Miller asked for an issue to be added in order to keep track of the problem.

3 Answers

0 votes
by

Comment made by: alexmiller

Thanks for tracking all that down and writing it up...

0 votes
by

Comment made by: manderson202

I ran into this issue as well and found the underlying cause before I found this workaround, so I thought I'd submit a patch. As alluded to in the gist, JSCH does not know about jsch-agent-proxy and so it attempts to resolve keys as it would normally. In normal execution it expects a UserInfo implementation when it encounters an encrypted (password protected) private key. The code throws an Exception right off the bat if the UserInfo implementation doesn't exist and doesn't give the jsch-agent-proxy a chance to pull the keys from the ssh-agent. Below snippet from com.jcraft.jsch.UserAuthPublicKey#start lines 118-130:

```java
if((identity.isEncrypted() && passphrase==null)){
  if(userinfo==null) throw new JSchException("USERAUTH fail");
  if(identity.isEncrypted() &&
     !userinfo.promptPassphrase("Passphrase for "+identity.getName())){
    throw new JSchAuthCancelException("publickey");
    //throw new JSchException("USERAUTH cancel");
    //break;
  }
  String _passphrase=userinfo.getPassphrase();
  if(_passphrase!=null){
    passphrase=Util.str2byte(_passphrase);
  }
}
```

The fix is to set a placeholder UserInfo implementation on the Session so that the above Exception isn't thrown and the ssh-agent can handle returning the keys to JSCH. With the patch, there is no need to perform the workaround of removing the IdentityFile property from your ~/.ssh/config file.

The patch is attached (today: 2018-11-27) and is called tdeps-49-fix.patch. Let me know if you have questions.
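The placeholder approach described in the comment above, as an added example. It is not the attached tdeps-49-fix.patch, whose contents are not shown on this page. The class names, the host `git.example.com` and every return value are choices made for this example, and it assumes jsch and jsch-agent-proxy are on the classpath. It answers `promptYesNo` with `false` because JSch uses that same callback for host-key confirmation.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.OpenSSHConfig;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.UserInfo;
import com.jcraft.jsch.agentproxy.ConnectorFactory;
import com.jcraft.jsch.agentproxy.RemoteIdentityRepository;

public class AgentOnlySshExample {

    /** Hypothetical placeholder: exists so the userinfo==null check passes. */
    static final class PlaceholderUserInfo implements UserInfo {
        // No secret is ever supplied; keys are expected to come from ssh-agent.
        @Override public String getPassphrase() { return null; }
        @Override public String getPassword() { return null; }
        // true avoids the JSchAuthCancelException branch in the quoted snippet;
        // getPassphrase() still returns null, so no passphrase is set.
        @Override public boolean promptPassphrase(String message) { return true; }
        @Override public boolean promptPassword(String message) { return false; }
        // JSch also routes host-key confirmation questions through this method.
        // false keeps a non-interactive placeholder from accepting an unknown
        // or changed host key on the user's behalf.
        @Override public boolean promptYesNo(String message) { return false; }
        @Override public void showMessage(String message) { /* no UI */ }
    }

    // The host passed in by main() is a constructed sample value.
    static Session openSession(String host) throws Exception {
        String sshDir = System.getProperty("user.home") + "/.ssh";
        JSch jsch = new JSch();
        jsch.setKnownHosts(sshDir + "/known_hosts");
        // Read ~/.ssh/config, the file whose IdentityFile entries the thread is about.
        jsch.setConfigRepository(OpenSSHConfig.parseFile(sshDir + "/config"));
        // Let ssh-agent supply identities through jsch-agent-proxy.
        jsch.setIdentityRepository(
            new RemoteIdentityRepository(ConnectorFactory.getDefault().createConnector()));

        Session session = jsch.getSession(host); // user and port come from the config
        session.setUserInfo(new PlaceholderUserInfo());
        session.connect(10_000); // connect timeout in milliseconds
        return session;
    }

    public static void main(String[] args) throws Exception {
        Session session = openSession("git.example.com");
        System.out.println("connected: " + session.isConnected());
        session.disconnect();
    }
}
```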

0 votes
by
Reference: https://clojure.atlassian.net/browse/TDEPS-49 (reported by alex+import)
...