Alpakka SFTP with user and private key, but without password

Hello,

I’m trying to read data from an SFTP server. I have a username and a private key, but no password.
Is there any way to create SftpSettings from these bits?
This didn’t work:

        SftpSettings(InetAddress.getByName(settings.host))
          .withPort(settings.port)
          .withCredentials(FtpCredentials.create(settings.user, ""))
          .withSftpIdentity(SftpIdentity.createRawSftpIdentity(settings.pk.getBytes))
          .withStrictHostKeyChecking(false)

ERROR Dying because - null
java.lang.ArrayIndexOutOfBoundsException: null

Thanks,
Val

I’m not sure that case is supported:

@valdum, would you be able to provide more details (e.g. the full stack trace of the java.lang.ArrayIndexOutOfBoundsException: null)? I think this discussion would better be moved to a new issue.

Thanks!

Actually, that code seems to support the case, as it calls setIdentity with the username and the SftpIdentity. The exception occurs during the signing of the request, which seems to indicate that the key I have provided cannot be used. Is there any documentation regarding possible file format(s) acceptable for the private key? The one I have is an EC private key.

The stack trace for the exception:

java.lang.ArrayIndexOutOfBoundsException: null
	at java.lang.System.arraycopy(Native Method)
	at net.schmizz.sshj.signature.SignatureECDSA.encode(SignatureECDSA.java:96)
	at net.schmizz.sshj.userauth.method.KeyedAuthMethod.putSig(KeyedAuthMethod.java:74)
	at net.schmizz.sshj.userauth.method.AuthPublickey.sendSignedReq(AuthPublickey.java:74)
	at net.schmizz.sshj.userauth.method.AuthPublickey.handle(AuthPublickey.java:45)
	at net.schmizz.sshj.userauth.UserAuthImpl.handle(UserAuthImpl.java:142)
	at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:500)
	at net.schmizz.sshj.transport.Decoder.decodeMte(Decoder.java:159)
	at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:79)
	at net.schmizz.sshj.transport.Decoder.received(Decoder.java:231)
	at net.schmizz.sshj.transport.Reader.run(Reader.java:59)

Quick update: after upgrading to the latest version of alpakka-ftp, I am still having trouble using my PK file for SFTP access. Unfortunately, the file I was given contains only the PrivateKey part, and no PublicKey part. I can see this by dumping the contents with openssl asn1parse. The file is correctly parsed as a PEMKeyPair, but an NPEx is thrown when it tries to call a method on the null PublicKey. This happens deep inside the crypto library (JcaPEMKeyConverter.getKeyPair).

I will try to follow up with the SFTP server to see if I can get a different key file.

I did some more investigation into this issue and it appears that the libraries used in Alpakka SFTP don’t work with a 512 bit ECDSA key-pair. If you generate a key with the command:

ssh-keygen -t ecdsa -f user-ecdsa -b N -m pem

If N=256 or 384, the authentication works as expected. However, if N = 521, the authentication will fail with the error above in net.schmizz.sshj.signature.SignatureECDSA.encode(SignatureECDSA.java:96).

Thank you for digging into it!

The https://github.com/hierynomus/sshj library Alpakka FTP uses had a later release with some breaking changes: https://github.com/hierynomus/sshj/blob/master/README.adoc#release-history

Please try what changes to Alpakka would be required – and if this would support the algorithm.

Cheers,
Enno.
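
The posts above tie the failures to two properties of the key file: whether the PEM carries the public key, and which curve size it uses. The Python check below is an added example, not code from the thread, Alpakka or sshj; it reads an unencrypted SEC1 `EC PRIVATE KEY` PEM (assumed to be the form `ssh-keygen -m pem` writes for ECDSA) and reports both. `inspect_ec_pem`, `sample_pem` and the filler key bytes are constructed for illustration.

```python
import base64, re

# DER bodies of the named-curve OIDs for ssh-keygen -t ecdsa -b 256/384/521.
CURVES = {"2a8648ce3d030107": 256, "2b81040022": 384, "2b81040023": 521}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def inspect_ec_pem(pem):
    """Parse SEC1 ECPrivateKey: version, privateKey, [0] curve OID, [1] publicKey."""
    m = re.search(r"-----BEGIN EC PRIVATE KEY-----(.*?)-----END EC PRIVATE KEY-----", pem, re.S)
    if not m or "ENCRYPTED" in m.group(1):
        raise ValueError("no unencrypted SEC1 'EC PRIVATE KEY' block found")
    tag, seq, _ = read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    pos = read_tlv(seq, 0)[2]    # skip version
    pos = read_tlv(seq, pos)[2]  # skip privateKey; its bytes are never inspected
    oid_hex, has_pub = None, False
    while pos < len(seq):        # both remaining fields are OPTIONAL
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0xA0:          # [0] parameters: wraps the named-curve OID
            oid_hex = read_tlv(body, 0)[1].hex()
        elif tag == 0xA1:        # [1] publicKey: BIT STRING with the EC point
            has_pub = True
    return {"oid_hex": oid_hex, "bits": CURVES.get(oid_hex), "has_public_key": has_pub}

def der(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def sample_pem(oid_hex, priv_len, with_public):
    """Constructed test input: filler bytes in the right structure, not a real key."""
    body = der(0x02, b"\x01") + der(0x04, b"\x11" * priv_len) + der(0xA0, der(0x06, bytes.fromhex(oid_hex)))
    if with_public:
        body += der(0xA1, der(0x03, b"\x00\x04" + b"\x22" * (2 * priv_len)))
    b64 = base64.encodebytes(der(0x30, body)).decode()
    return "-----BEGIN EC PRIVATE KEY-----\n" + b64 + "-----END EC PRIVATE KEY-----\n"
```

A result with `has_public_key` set to `False`, or with `bits` equal to 521, matches the two failing cases reported in the thread.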