如何通过Java使用公钥和私钥身份验证来使用SFTP的可靠示例

Question

最近，我们的一个客户意外地将我们从ftp上收集的一些重要文件转移到sftp服务器上。最初我的印象是，编写或找到一个可以处理sftp的java实用程序会很简单，但事实证明并非如此。使这个问题更加复杂的是，我们试图从windows平台连接到sftp服务器(因此SSH_HOME在客户机上的位置的定义变得非常混乱)。

我一直在使用apache-commons-vfs库，并设法获得了一个可以可靠地进行用户名/密码身份验证的解决方案，但到目前为止还没有一个能够可靠地处理私钥/公钥身份验证的解决方案。

以下示例适用于用户名/密码身份验证，但我希望将其调整为适用于私钥/公钥身份验证。

public static void sftpGetFile(String server, String userName,String password, 
        String remoteDir, String localDir, String fileNameRegex)
    {

       File localDirFile  = new File(localDir);
       FileSystemManager fsManager = null;

       if (!localDirFile.exists()) {
           localDirFile.mkdirs();
       }

       try {
           fsManager = VFS.getManager();
       } catch (FileSystemException ex) {
           LOGGER.error("Failed to get fsManager from VFS",ex);
           throw new RuntimeException("Failed to get fsManager from VFS", ex);
       }

       UserAuthenticator auth = new StaticUserAuthenticator(null, userName,password);

       FileSystemOptions opts = new FileSystemOptions();

       try {
           DefaultFileSystemConfigBuilder.getInstance().setUserAuthenticator(opts,
                   auth);
       } catch (FileSystemException ex) {
           LOGGER.error("setUserAuthenticator failed", ex);
           throw new RuntimeException("setUserAuthenticator failed", ex);
       }
       Pattern filePattern = Pattern.compile(fileNameRegex);
       String startPath = "sftp://" + server + remoteDir;
       FileObject[] children;

       // Set starting path on remote SFTP server.
       FileObject sftpFile;
       try {
           sftpFile = fsManager.resolveFile(startPath, opts);

           LOGGER.info("SFTP connection successfully established to " +
                   startPath);
       } catch (FileSystemException ex) {
           LOGGER.error("SFTP error parsing path " +
                   remoteDir,
                   ex);

           throw new RuntimeException("SFTP error parsing path " +
                   remoteDir,
                   ex);
       }

       // Get a directory listing
       try {
           children = sftpFile.getChildren();
       } catch (FileSystemException ex) {
           throw new RuntimeException("Error collecting directory listing of " +
                   startPath, ex);
       }

       search:
       for (FileObject f : children) {
           try {
               String relativePath =
                       File.separatorChar + f.getName().getBaseName();

               if (f.getType() == FileType.FILE) {
                   System.out.println("Examining remote file " + f.getName());

                   if (!filePattern.matcher(f.getName().getPath()).matches()) {
                       LOGGER.info("  Filename does not match, skipping file ." +
                               relativePath);
                       continue search;
                   }

                   String localUrl = "file://" + localDir + relativePath;
                   String standardPath = localDir + relativePath;
                   System.out.println("  Standard local path is " + standardPath);
                   LocalFile localFile =
                           (LocalFile) fsManager.resolveFile(localUrl);
                   System.out.println("    Resolved local file name: " +
                           localFile.getName());

                   if (!localFile.getParent().exists()) {
                       localFile.getParent().createFolder();
                   }

                   System.out.println("  ### Retrieving file ###");
                   localFile.copyFrom(f,
                           new AllFileSelector());
               } else {
                   System.out.println("Ignoring non-file " + f.getName());
               }
           } catch (FileSystemException ex) {
               throw new RuntimeException("Error getting file type for " +
                       f.getName(), ex);
           }

       }

       FileSystem fs = null;
       if (children.length > 0) {
           fs = children[0].getFileSystem(); // This works even if the src is closed.
           fsManager.closeFileSystem(fs);
       }
    }

我已经将我的私钥存储在一个已知的位置，并且我的公钥已经分发到服务器(我们已经测试这些密钥在使用其他工具连接时工作成功)。

我已经添加了下面这行代码

SftpFileSystemConfigBuilder.getInstance().setIdentities(this.opts, new File[]{new File("c:/Users/bobtbuilder/.ssh/id_dsa.ppk")});

这会成功地将私钥加载到整个框架中，但它再也不会使用该密钥进行进一步的身份验证。

任何最热情的帮助或指示

Answer 1

在反复挖掘之后，我终于自己找到了答案。似乎我的大部分麻烦都与私钥和公钥的格式有关

无论出于何种原因，privateKey都必须是openSSH格式的publicKey，只能从puttyGen窗口粘贴(导出公钥似乎总是给出缺少标题的公钥，这意味着freeSSHD windows服务器无法使用它)

不管怎样，下面是我最终想出的包括javadoc的代码，所以希望能省去一些我经历的痛苦。

/**
* Fetches a file from a remote sftp server and copies it to a local file location.  The authentication method used
* is public/private key authentication. <br><br>

* IMPORTANT: Your private key must be in the OpenSSH format, also it must not have a passphrase associated with it.
*    (currently the apache-commons-vfs2 library does not support passphrases)<p>
* 
* Also remember your public key needs to be on the sftp server.  If you were connecting as user 'bob' then your
* public key will need to be in '.ssh/bob' on the server (the location of .ssh will change depending on the type
* of sftp server)
* 
* @param server The server we care connection to 
* @param userName The username we are connection as
* @param openSSHPrivateKey The location of the  private key (which must be in openSSH format) on the local machine
* @param remoteDir The directory from where you want to retrieve the file on the remote machine (this is in reference to SSH_HOME, SSH_HOME is the direcory you 
* automatically get directed to when connecting)
* @param remoteFile The name of the file on the remote machine to be collected (does not support wild cards)
* @param localDir The direcoty on the local machine where you want the file to be copied to
* @param localFileName The name you wish to give to retrieved file on the local machine
* @throws IOException - Gets thrown is there is any problem fetching the file
*/
public static void sftpGetFile_keyAuthentication(String server, String userName, String openSSHPrivateKey,
    String remoteDir,String remoteFile, String localDir, String localFileName) throws IOException
{

   FileSystemOptions fsOptions = new FileSystemOptions();
   FileSystemManager fsManager = null;
   String remoteURL = "sftp://" + userName + "@" + server + "/" + remoteDir + "/" + remoteFile;
   String localURL  = "file://" + localDir + "/" + localFileName;

    try {
        SftpFileSystemConfigBuilder.getInstance().setStrictHostKeyChecking(fsOptions, "no");
        SftpFileSystemConfigBuilder.getInstance().setIdentities(fsOptions, new File[]{new File(openSSHPrivateKey)});
        fsManager = VFS.getManager();
        FileObject remoteFileObject = fsManager.resolveFile(remoteURL, fsOptions);
        LocalFile localFile =
                   (LocalFile) fsManager.resolveFile(localURL);
        localFile.copyFrom(remoteFileObject,
                   new AllFileSelector());
    } catch (FileSystemException e) {
        LOGGER.error("Problem retrieving from " + remoteURL + " to " + localURL,e );
        throw new IOException(e);
    }
}

Answer 2

我想这就是你要找的-

/**
* @param args
*/
public static void main(String[] args) {

    /*Below we have declared and defined the SFTP HOST, PORT, USER
            and Local private key from where you will make connection */
    String SFTPHOST = "10.20.30.40";
    int    SFTPPORT = 22;
    String SFTPUSER = "kodehelp";
    // this file can be id_rsa or id_dsa based on which algorithm is used to create the key
    String privateKey = "/home/kodehelp/.ssh/id_rsa";
    String SFTPWORKINGDIR = "/home/kodehelp/";

    JSch jSch = new JSch();
    Session     session     = null;
    Channel     channel     = null;
    ChannelSftp channelSftp = null;
    try {
        jSch.addIdentity(privateKey);
        System.out.println("Private Key Added.");
        session = jSch.getSession(SFTPUSER,SFTPHOST,SFTPPORT);
        System.out.println("session created.");

        java.util.Properties config = new java.util.Properties();
        config.put("StrictHostKeyChecking", "no");
        session.setConfig(config);
        session.connect();
        channel = session.openChannel("sftp");
        channel.connect();
        System.out.println("shell channel connected....");
        channelSftp = (ChannelSftp)channel;
        channelSftp.cd(SFTPWORKINGDIR);
        System.out.println("Changed the directory...");
    } catch (JSchException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (SftpException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }finally{
        if(channelSftp!=null){
            channelSftp.disconnect();
            channelSftp.exit();
        }
        if(channel!=null) channel.disconnect();

        if(session!=null) session.disconnect();
    }
}

有关详细信息，请访问

http://kodehelp.com/sftp-connection-public-key-authentication-java/

Answer 3

这篇文章和答案非常有帮助，非常感谢。

我只想在“当前apache-commons-vfs2库不支持密码短语”这句话中添加一个集成，就像我在密码短语中所做的那样，并且它起作用了。

您必须在项目中导入jsch库(我使用的是0.1.49)并实现接口"com.jcraft.jsch.UserInfo“。

下面这样的代码应该没问题：

public class SftpUserInfo implements UserInfo {

    public String getPassphrase() {
        return "yourpassphrase";
    }

    public String getPassword() {
        return null;
    }

    public boolean promptPassphrase(String arg0) {
        return true;
    }

    public boolean promptPassword(String arg0) {
        return false;
    }
}

然后你可以这样把它添加到SftpFileSystemConfigBuilder中：

SftpFileSystemConfigBuilder.getInstance().setUserInfo(fsOptions, new SftpUserInfo());

希望这能有所帮助。