Upgrading JSch 0.1.42 to 0.1.54 causes a connection timeout to the remote server

Time: 2019-04-03 14:57:34

Tags: java sftp jsch spring-integration-sftp

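We are using Spring Batch Admin for different jobs that connect to different remote SFTP servers. We have two SBAs, so I have actually moved this job from the old one to the new one.

All jobs use JSch from JCraft, and I have upgraded it from version 0.1.42 to 0.1.54. All jobs except the latest one work fine and connect without problems.

In this job I get a connection timeout, and I don't understand why.

Another (big) problem is that I can't really troubleshoot locally from my own computer, or even log in to this remote SFTP account with WinSCP from my computer to verify the connection itself. The owner of the SFTP server says they can see my connection in their firewall, but they cannot see my connection, or any attempt to connect, on the SFTP server itself. They only see successful connections on their SFTP server, so they cannot see why my connection fails and why I cannot connect.

I have added the new policy to Java, for both Java 8 and Java 7. I still can't get the job to work. I have searched StackOverflow and Google but have not found any solution. In both the new and the old job I use Spring Framework integration sftp Session and DefaultSftpSessionFactory version 2.0.3. We use Java 7 and Tomcat 8, and have added "-Dhttps.protocols=TLSv1.1,TLSv1.2" to Tomcat.

Here is the log from the new job, with JSch version 0.1.54, when it connects to the SFTP server: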

com.jcraft.jsch (log:52)  - Connecting to XX.XXX.XX.XX port 22
com.jcraft.jsch (log:52)  - Connection established
com.jcraft.jsch (log:52)  - Remote version string: SSH-2.0-1.86 FRES
com.jcraft.jsch (log:52)  - Local version string: SSH-2.0-JSCH-0.1.54
com.jcraft.jsch (log:52)  - CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
com.jcraft.jsch (log:52)  - CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
com.jcraft.jsch (log:52)  - diffie-hellman-group14-sha1 is not available.
com.jcraft.jsch (log:52)  - CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
com.jcraft.jsch (log:52)  - SSH_MSG_KEXINIT sent
com.jcraft.jsch (log:52)  - SSH_MSG_KEXINIT received
com.jcraft.jsch (log:52)  - kex: server: diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
com.jcraft.jsch (log:52)  - kex: server: ssh-rsa
com.jcraft.jsch (log:52)  - kex: server: aes256-cbc,aes256-ctr,3des-cbc
com.jcraft.jsch (log:52)  - kex: server: aes256-cbc,aes256-ctr,3des-cbc
com.jcraft.jsch (log:52)  - kex: server: hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
com.jcraft.jsch (log:52)  - kex: server: hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
com.jcraft.jsch (log:52)  - kex: server: zlib,none
com.jcraft.jsch (log:52)  - kex: server: zlib,none
com.jcraft.jsch (log:52)  - kex: server: 
com.jcraft.jsch (log:52)  - kex: server: 
com.jcraft.jsch (log:52)  - kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
com.jcraft.jsch (log:52)  - kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
com.jcraft.jsch (log:52)  - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
com.jcraft.jsch (log:52)  - kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
com.jcraft.jsch (log:52)  - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
com.jcraft.jsch (log:52)  - kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
com.jcraft.jsch (log:52)  - kex: client: none
com.jcraft.jsch (log:52)  - kex: client: none
com.jcraft.jsch (log:52)  - kex: client: 
com.jcraft.jsch (log:52)  - kex: client: 
com.jcraft.jsch (log:52)  - kex: server->client 3des-cbc hmac-md5 none
com.jcraft.jsch (log:52)  - kex: client->server 3des-cbc hmac-md5 none
com.jcraft.jsch (log:52)  - SSH_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024) sent
com.jcraft.jsch (log:52)  - expecting SSH_MSG_KEX_DH_GEX_GROUP
com.jcraft.jsch (log:52)  - Disconnecting from XX.XXX.XX.XX port 22

Here is the log from the old job, with JSch version 0.1.42, when it connects to the SFTP server:

com.jcraft.jsch (log:52)  - Connecting to XX.XXX.XX.XX port 22
com.jcraft.jsch (log:52)  - Connection established
com.jcraft.jsch (log:52)  - Remote version string: SSH-2.0-1.86 FRES
com.jcraft.jsch (log:52)  - Local version string: SSH-2.0-JSCH-0.1.42
com.jcraft.jsch (log:52)  - CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
com.jcraft.jsch (log:52)  - SSH_MSG_KEXINIT sent
com.jcraft.jsch (log:52)  - SSH_MSG_KEXINIT received
com.jcraft.jsch (log:52)  - kex: server->client 3des-cbc hmac-md5 none
com.jcraft.jsch (log:52)  - kex: client->server 3des-cbc hmac-md5 none
com.jcraft.jsch (log:52)  - SSH_MSG_KEXDH_INIT sent
com.jcraft.jsch (log:52)  - expecting SSH_MSG_KEXDH_REPLY
com.jcraft.jsch (log:52)  - ssh_rsa_verify: signature true
com.jcraft.jsch (log:52)  - Host 'XX.XXX.XX.XX' is known and mathces the RSA host key
com.jcraft.jsch (log:52)  - SSH_MSG_NEWKEYS sent
com.jcraft.jsch (log:52)  - SSH_MSG_NEWKEYS received
com.jcraft.jsch (log:52)  - SSH_MSG_SERVICE_REQUEST sent
com.jcraft.jsch (log:52)  - SSH_MSG_SERVICE_ACCEPT received
com.jcraft.jsch (log:52)  - Authentications that can continue: keyboard-interactive,password
com.jcraft.jsch (log:52)  - Next authentication method: keyboard-interactive
com.jcraft.jsch (log:52)  - Authentications that can continue: password
com.jcraft.jsch (log:52)  - Next authentication method: password
com.jcraft.jsch (log:52)  - Authentication succeeded (password).
job.FtpFileFetcher (downloadFile:62)  - Listing remote directory: .
job.FtpFileFetcher (downloadFile:64)  - Found 2 entries in: ., 
job.FtpFileFetcher (filterEntries:139)  - file: file_20190218221932.xml attributes: -rw-rw-rw- 0 0 3369 Mon Feb 18 22:19:33 CET 2019
job.FtpFileFetcher (filterEntries:139)  - file: file_20190219214922.xml attributes: -rw-rw-rw- 0 0 3369 Tue Feb 19 21:49:22 CET 2019
job.FtpFileFetcher (downloadFile:66)  - Found 2 files in: ., matching pattern: file.\d{14}.xml 
job.FtpFileFetcher (downloadFile:71)  - Fetching matching file file_20190219214922.xml to local directory K:/files
job.FtpFileFetcher (executeDownload:104)  - Downloading remote file ./file_20190219214922.xml to K:\files\file_20190219214922.xml
com.jcraft.jsch (log:52)  - Disconnecting from XX.XXX.XX.XX port 22

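I can see the difference, but I don't understand what is going wrong, and I hope someone here can help me. If you need to see more, please ask. Thanks.

1 answer:

Answer 0: (score: 2)

First, https.protocols only applies to HTTPS (i.e. HTTP over TLS). JSch implements SSH and SFTP, which are completely separate from and unrelated to HTTPS, HTTP and TLS.

Your system offers DH_GEX (group exchange) sizes of minimum 1024, preferred 1024 and maximum 1024, because Java 7 does not support DH larger than 1024 bits. The server presumably doesn't like that, because DH size 1024 is now considered insecure (since 2014 according to NIST; others vary). If you can move to Java 8 (or later), that should fix this problem; or, if you have OpenJDK or paid-support Oracle JDK 7u171, that should also work according to the release notes (I haven't tested).

For the same reason, your client does not offer group14 even though it is configured; see the line "diffie-hellman-group14-sha1 is not available." However, the server does offer group1, even though it is only 1024 bits, perhaps for backward compatibility. If you can't fix Java as described above, try configuring kex to exclude (both) group-exchange methods and leave group1: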

// build a Properties that includes the kex setting, then pass it to the session
java.util.Properties conf = new java.util.Properties();
conf.put("kex", "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1");
// or if you prefer just
// conf.put("kex", "diffie-hellman-group1-sha1");
// since server doesn't agree to any ecdh anyway
session.setConfig(conf);
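
The negotiation discussed in the answer can be reproduced offline from the two `kex:` lines of the 0.1.54 log. The following is an added example, not code from the question, the answer or JSch: the class name `KexDiagnosis` and its methods are hypothetical, the algorithm lists are copied from the log above, and the DH size probe assumes the JRE's default DH provider enforces its limit in `initialize()`.

```java
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.List;

public class KexDiagnosis {
    // Server and client kex lists copied from the 0.1.54 log above.
    static final String SERVER_KEX = "diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256,"
        + "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1";
    static final String CLIENT_KEX = "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
        + "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1";
    // The restricted list proposed in the answer.
    static final String ANSWER_KEX = "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
        + "diffie-hellman-group1-sha1";

    // RFC 4253 section 7.1: the first name on the client's list that the server also lists wins.
    static String negotiate(String client, String server) {
        List<String> offered = Arrays.asList(server.split(","));
        for (String name : client.split(",")) {
            if (offered.contains(name)) return name;
        }
        return null; // no common algorithm: the connection is dropped
    }

    // Largest probed DH key size this JRE accepts; no key pair is generated by initialize().
    static int maxDhBits() {
        int max = 0;
        for (int bits : new int[] {1024, 2048, 4096}) {
            try {
                KeyPairGenerator.getInstance("DH").initialize(bits);
                max = bits;
            } catch (Exception e) {
                break; // e.g. InvalidParameterException on a JRE capped at 1024 bits
            }
        }
        return max;
    }

    public static void main(String[] args) {
        int dh = maxDhBits();
        System.out.println("JRE accepts DH keys up to " + dh + " bits (of the sizes probed)");
        for (String client : new String[] {CLIENT_KEX, ANSWER_KEX}) {
            String kex = negotiate(client, SERVER_KEX);
            boolean gex = kex != null && kex.contains("group-exchange");
            System.out.println(kex + (gex && dh < 2048
                ? "  <- group exchange limited to " + dh + " bits on this JRE" : ""));
        }
    }
}
```

With the logged lists the first result is diffie-hellman-group-exchange-sha256, which is the exchange that stalls after `SSH_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024)`, and the second is diffie-hellman-group1-sha1. Since group1 is itself a 1024-bit group, the restricted list restores connectivity rather than strength; the JRE upgrade named in the answer is what allows larger groups.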