Can't connect to azure blob storage using jsch

[ihudedi]

Hi,
When trying to connect azure blob storage via jsch(0.1.72) I am getting the following error:
com.jcraft.jsch.JSchException: Session.connect: java.io.IOException: End of IO Stream Read
at com.jcraft.jsch.Session.connect(Session.java:607)
at com.jcraft.jsch.Session.connect(Session.java:218)
at toolbox.sftp.Sftp.main(Sftp.java:319)
Caused by: java.io.IOException: End of IO Stream Read
at com.jcraft.jsch.IO.getByte(IO.java:85)
at com.jcraft.jsch.Session.read(Session.java:1246)
at com.jcraft.jsch.Session.connect(Session.java:351)
... 2 more

See documetation in https://docs.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support

Thanks,
Itay

[norrisjeremy]

Hi @ihudedi,

What version of JSch produced this backtrace?

Because I am a bit confused by parts of the stacktrace you provided above:

at com.jcraft.jsch.Session.connect(Session.java:607)
...
at com.jcraft.jsch.Session.read(Session.java:1246)
at com.jcraft.jsch.Session.connect(Session.java:351)

In the 0.1.72 release, the line numbers above do not match the methods (lines 351 & 607 are not part of the connect() method and line 1246 is not part of the read() method).

Thanks,
Jeremy

[ihudedi]

Hi @norrisjeremy
We made some code in Session class.
Here is the output with the original file:
com.jcraft.jsch.JSchException: Session.connect: java.io.IOException: End of IO Stream Read
at com.jcraft.jsch.Session.connect(Session.java:570)
at com.jcraft.jsch.Session.connect(Session.java:185)
at toolbox.sftp.Sftp.main(Sftp.java:319)
Caused by: java.io.IOException: End of IO Stream Read
at com.jcraft.jsch.IO.getByte(IO.java:85)
at com.jcraft.jsch.Session.read(Session.java:1178)
at com.jcraft.jsch.Session.connect(Session.java:314)
... 2 more

[norrisjeremy]

Hi @ihudedi,

Ok, thanks, that helps understand where the failure is happening.

Would it be possible for you to run sftp -vvv command from a CLI pointed to this same Azure service, so we can see more details as to what the SSH protocol packet exchange looks like?

From the stack trace you provided above, JSch is failing immediately after it sends the initial KEXINIT and tries to read the KEXINIT response packet from the Azure server, which is a bit unusual.

Also, does this exception consistently happen every time you connect, or is it an intermittent issue?

Also, if possible, it may help if you could create a JSch Logger and capture JSch logging details (by creating a class that implements com.jcraft.jsch.Logger and calling JSch.setLogger(yourLoggerInstance); before you initialize your JSch session), that could prove helpful as well!

Thanks,
Jeremy

[norrisjeremy]

Hi @ihudedi,

Also, do you use a custom SocketFactory at all (via JSch.setSocketFactory())?

Thanks,
Jeremy

[norrisjeremy]

Or any sort of Proxy (via JSch.setProxy())?

[ihudedi]

Hi @norrisjeremy
When using File Zilla I can connect fine but when running sftp -vvv I am getting
sftp -vvv sftpdatalakegen2.blob.core.windows.net
Connecting to sftpdatalakegen2.blob.core.windows.net...
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to sftpdatalakegen2.blob.core.windows.net [52.239.222.100] port 22.
debug1: Connection established.
debug1: identity file /home/hudedi/.ssh/id_rsa type -1
debug1: identity file /home/hudedi/.ssh/id_rsa-cert type -1
debug1: identity file /home/hudedi/.ssh/id_dsa type -1
debug1: identity file /home/hudedi/.ssh/id_dsa-cert type -1
debug1: identity file /home/hudedi/.ssh/id_ecdsa type -1
debug1: identity file /home/hudedi/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2
debug1: no match: PaloAltoNetworks_0.2
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 864 bytes for a total of 885
Connection closed by 52.239.222.100
Couldn't read packet: Connection reset by peer

[norrisjeremy]

Hi @ihudedi,

The problem appears to be due to a Palo Alto firewall between you and Azure that is prematurely closing the SSH connection:

debug1: Remote protocol version 2.0, remote software version PaloAltoNetworks_0.2
...
Connection closed by 52.239.222.100
Couldn't read packet: Connection reset by peer

This Stackoverflow post has more details.
You will probably want to speak to your network/security administrators to remedy this.

Thanks,
Jeremy

[ihudedi]

Hi @norrisjeremy
From my local machine it's working fine:

[ihudedi.IL-ihudedi-W3] ➤ sftp -vvv sftpdatalakegen2.blob.core.windows.net
OpenSSH_7.1p2, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to sftpdatalakegen2.blob.core.windows.net [52.239.222.100] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version AzureSSH_1.0.0
debug1: no match: AzureSSH_1.0.0
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sftpdatalakegen2.blob.core.windows.net:22 as 'ihudedi'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,ext-info-s
debug2: kex_parse_kexinit: rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
debug2: kex_parse_kexinit: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: server->client aes256-gcm@openssh.com none
debug1: kex: client->server aes256-gcm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:bouiC5HdtURUU19RJbym8R94fbMOTw/bUxFUkoAByoI
debug3: hostkeys_foreach: reading file "/home/mobaxterm/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/mobaxterm/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from sftpdatalakegen2.blob.core.windows.net
debug1: Host 'sftpdatalakegen2.blob.core.windows.net' is known and matches the ECDSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:8
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: pubkey_prepare: ssh_fetch_identitylist: agent refused operation
debug2: key: /home/mobaxterm/.ssh/id_rsa (0x0),
debug2: key: /home/mobaxterm/.ssh/id_dsa (0x0),
debug2: key: /home/mobaxterm/.ssh/id_ecdsa (0x0),
debug2: key: /home/mobaxterm/.ssh/id_ed25519 (0x0),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred hostbased,publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mobaxterm/.ssh/id_rsa
debug3: no such identity: /home/mobaxterm/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/mobaxterm/.ssh/id_dsa
debug3: no such identity: /home/mobaxterm/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/mobaxterm/.ssh/id_ecdsa
debug3: no such identity: /home/mobaxterm/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/mobaxterm/.ssh/id_ed25519
debug3: no such identity: /home/mobaxterm/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

I did the test from wrong machine.
and I can connect to this SFTP using SSH

[ihudedi]

Hi @norrisjeremy
This is also workign via SSH
OpenSSH_7.1p2, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to sftpdatalakegen2.blob.core.windows.net [52.239.222.100] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mobaxterm/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version AzureSSH_1.0.0
debug1: no match: AzureSSH_1.0.0
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to sftpdatalakegen2.blob.core.windows.net:22 as 'sftpdatalakegen2.itay'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,arcfour,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160@openssh.com
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,ext-info-s
debug2: kex_parse_kexinit: rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
debug2: kex_parse_kexinit: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: server->client aes256-gcm@openssh.com none
debug1: kex: client->server aes256-gcm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:bouiC5HdtURUU19RJbym8R94fbMOTw/bUxFUkoAByoI
debug3: hostkeys_foreach: reading file "/home/mobaxterm/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/mobaxterm/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from sftpdatalakegen2.blob.core.windows.net
debug1: Host 'sftpdatalakegen2.blob.core.windows.net' is known and matches the ECDSA host key.
debug1: Found key in /home/mobaxterm/.ssh/known_hosts:8
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: pubkey_prepare: ssh_fetch_identitylist: agent refused operation
debug2: key: /home/mobaxterm/.ssh/id_rsa (0x0),
debug2: key: /home/mobaxterm/.ssh/id_dsa (0x0),
debug2: key: /home/mobaxterm/.ssh/id_ecdsa (0x0),
debug2: key: /home/mobaxterm/.ssh/id_ed25519 (0x0),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred hostbased,publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug3: remaining preferred: password,keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mobaxterm/.ssh/id_rsa
debug3: no such identity: /home/mobaxterm/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/mobaxterm/.ssh/id_dsa
debug3: no such identity: /home/mobaxterm/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/mobaxterm/.ssh/id_ecdsa
debug3: no such identity: /home/mobaxterm/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/mobaxterm/.ssh/id_ed25519
debug3: no such identity: /home/mobaxterm/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to sftpdatalakegen2.blob.core.windows.net ([52.239.222.100]:22).
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x08
debug2: client_session2_setup: id 0
debug1: Sending subsystem: sftp
debug2: channel 0: request subsystem confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 4294967295 rmax 262143
debug2: channel_input_status_confirm: type 99 id 0
debug2: subsystem request accepted on channel 0
debug2: Remote version: 3
Connected to sftpdatalakegen2.blob.core.windows.net.
debug3: Sent message fd 6 T:16 I:1
debug3: SSH_FXP_REALPATH . -> /dir1/ size 0
sftp>

[norrisjeremy]

Hi @ihudedi,

As I mentioned earlier, based upon the stacktrace you provided as well as the earlier sftp trace, it appears that there is a Palo Alto Networks firewall that sits somewhere on the network between your JSch application is hosted and Azure that is prematurely closing the TCP connection between your application and Azure. To correct this, you will need to speak with your network/security administrators who manage this Palo Alto Networks firewall and adjust the policies on it to allow your application to connect to Azure.

Thanks,
Jeremy

[ihudedi]

Hi @norrisjeremy
As I wrote before.I succeded to connect from other machine via ssh but from the jsch I can't.
In my local machine there isn't any proxy or filtering.
There is an issue with the jsch.
You can try connect with the host name I connected to see the issue.
Thanks,
Itay

[norrisjeremy]

Hi @ihudedi,

Ok, I have tested locally and confirmed the behavior. It seems that Azure performs some sort of filtering based upon the local SSH client string that is sent.

For example, I see this:

Connecting to sftpdatalakegen2.blob.core.windows.net port 22
Connection established
Remote version string: SSH-2.0-AzureSSH_1.0.0
Local version string: SSH-2.0-JSCH-0.2.0-SNAPSHOT
CheckCiphers: chacha20-poly1305@openssh.com
CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
CheckSignatures: ssh-ed25519,ssh-ed448
server_host_key proposal before known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
server_host_key proposal after known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
SSH_MSG_KEXINIT sent
Disconnecting from sftpdatalakegen2.blob.core.windows.net port 22

But if I manually patch the client string in Session.java from this:

private byte[] V_C=Util.str2byte("SSH-2.0-JSCH-"+Version.getVersion());

To this (to simulate OpenSSH's client string):

private byte[] V_C=Util.str2byte("SSH-2.0-OpenSSH_8.8");

With this manual change, the connection progresses as normal (the auth fails are because I don't have an actual account on Azure):

Connecting to sftpdatalakegen2.blob.core.windows.net port 22
Connection established
Remote version string: SSH-2.0-AzureSSH_1.0.0
Local version string: SSH-2.0-OpenSSH_8.8
CheckCiphers: chacha20-poly1305@openssh.com
CheckKexes: curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512
CheckSignatures: ssh-ed25519,ssh-ed448
server_host_key proposal before known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
server_host_key proposal after known_host reordering is: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
SSH_MSG_KEXINIT sent
SSH_MSG_KEXINIT received
kex: server: ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,ext-info-s
kex: server: rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
kex: server: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
kex: server: aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
kex: server: hmac-sha2-256,hmac-sha2-512
kex: server: hmac-sha2-256,hmac-sha2-512
kex: server: none
kex: server: none
kex: server: 
kex: server: 
kex: client: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
kex: client: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kex: client: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kex: client: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
kex: client: none
kex: client: none
kex: client: 
kex: client: 
kex: algorithm: ecdh-sha2-nistp256
kex: host key algorithm: ecdsa-sha2-nistp256
kex: server->client cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none
kex: client->server cipher: aes128-gcm@openssh.com MAC: <implicit> compression: none
SSH_MSG_KEX_ECDH_INIT sent
expecting SSH_MSG_KEX_ECDH_REPLY
ssh_ecdsa_verify: ecdsa-sha2-nistp256 signature true
Permanently added 'sftpdatalakegen2.blob.core.windows.net' (ECDSA) to the list of known hosts.
SSH_MSG_NEWKEYS sent
SSH_MSG_NEWKEYS received
SSH_MSG_SERVICE_REQUEST sent
SSH_MSG_EXT_INFO received
SSH_MSG_SERVICE_ACCEPT received
Authentications that can continue: publickey
Next authentication method: publickey
PubkeyAcceptedAlgorithms = ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
No server-sig-algs found, using PubkeyAcceptedAlgorithms = [ssh-ed25519, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, rsa-sha2-512, rsa-sha2-256]
rsa-sha2-512 preauth failure
rsa-sha2-256 preauth failure
Disconnecting from sftpdatalakegen2.blob.core.windows.net port 22

Do you have a way to contact Microsoft and ask them about their service operates and why it is closes TCP connections for the JSch client string?

We would also look into adding a new method to allow you to override the client string that JSch sends, so that you could override it to something that Azure would accept.

Thanks,
Jeremy

[norrisjeremy]

Hi @ihudedi,

Ok, I think I've identified the issue. The problem is that Azure performs strict filtering of the client version string according to RFC 4253 section 4.2.
By default, JSch sends a client string similar to this: SSH-2.0-JSCH-x.y.z (where x.y.z is the JSch version).
According to RFC 4253 section 4.2:

Both the 'protoversion' and 'softwareversion' strings MUST consist of
printable US-ASCII characters, with the exception of whitespace
characters and the minus sign (-).

The default client string we use for the "softwareversion" part (JSCH-x.y.z) fails this requirement, since it includes a minus sign (-).

I will work on a patch to change this to the underscore (_) character so that JSch is compliant with RFC 4253 section 4.2 and should then work with Azure.

In the meantime, you should be able to work around the problem by using the Session.setClientVersion() method to set it to something compliant, such as session.setClientVersion("SSH-2.0-JSCH_0.1.72");

Thanks,
Jeremy

[ihudedi]

Hi @norrisjeremy
Problem solved.
Thanks for the solution.
Wait for formal release
Thanks,
Itay

[ihudedi]

Hi @norrisjeremy
Do you know why this fix not working in version 0.1.55?
Thanks,
Itay

[mikewill4]

@ihudedi this repo is a fork of JSch 0.1.55, which hasn't received any updates or bug fixes in years. This fix is part of version 0.2.0: https://github.com/mwiede/jsch/releases/tag/jsch-0.2.0