When connecting to an SSHFTP server BC returns: "No peer public key is set to verify, must not trust peer blindly" When using WinSCP or another third-party application, I can connect without issue.What is the cause?

Article ID: KB0078288

Products: TIBCO BusinessConnect
Versions: Not Applicable

Description


NOTE: BC 5.3 and above includes a new wizard in the SSHFTP transport configuration screen that fetches the private key automatically.

First, check that you have configured the server's credential (public key) in the SSHFTP configuration.

If you do not have a server credential, please read:

Customers have reported that third-party SSHFTP clients (such as WinSCP) can communicate without issue with trading partner SSHFTP servers while BC reports errors. The error reported in the BC log is:

599. StatusMsg from Transport is: SSH Exception: SshMgr: Ssh Transport creation failed: XXXXXXX ==> a.b.com:10022: Key exchange failed: Host authentication failed
599. StatusMsg from Transport is: SSH Exception: SshMgr: Ssh Transport creation failed: XXXXXXX ==>
==> a.b.com:10022: No peer public key is set to verify, must not trust peer blindly.
SshMgr: Ssh transport disconnected due to fatal errors: Host authentication failed []. Peer session:  

This error occurs because the trading partner SSHFTP server's public key is not configured in BC. BC must authenticate the server with which it communicates, and it does this by verifying the public key presented by the server against a previously stored public key. BC does this to provide authentication security for B2B transactions using SSHFTP.

Some trading partners do not want to distribute their public host key on their SSHFTP server to trading partners.  The SSHFTP RFC is ambiguous on this issue:

From RFC 4251 Chapter 4 "Architecture" Section 4.1 "Host Keys":

"Each server host SHOULD have a host key.  . . . .

"The server host key is used during key exchange to verify that the client is really talking to the correct server.  For this to be possible, the client must have a priori knowledge of the server's public host key."

However, later in this section:

"The protocol provides the option that the server name - host key association is not checked when connecting to the host for the first time. This allows communication without prior communication of host keys or certification. The connection still provides protection against passive listening; however, it becomes vulnerable to active man-in-the-middle attacks. Implementations SHOULD NOT normally allow such connections by default, as they pose a potential security problem."

This clause indicates that SSHFTP clients can communicate without prior knowledge of the SSHFTP server's public key (which is what the third-party applications do), but warns of the security problem in doing so.

In cases where the trading partner cannot distribute the public key to you, follow these steps.

1. Download and install "OpenSSH for Windows" from http://sourceforge.net/projects/sshwindows

2. Type in the following command from the OpenSSH/bin directory:

ssh -p <SSHFTP port number> <username>@<hostname> -o HostKeyAlgorithms="ssh-dss,ssh-rsa"

Accept whatever the server sends. This updates the known_hosts file with the public key of the SSHFTP server. Accepting the key on this first connection is exactly the unchecked case that RFC 4251 warns about above, so confirm the key's fingerprint with the trading partner through another channel before relying on it.

3. Go to the known_hosts file (usually located in C:\Documents and Settings\<your username>\.ssh). Open the file, and look for a line that looks like this:

<trading partner SSHFTP server name>,<TP SSHFTP server IP address> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAqXwIsZ4ehyUa8MaFH8p355tXK6BY/Eh+zOWPwj6rihkOoZxrxMTwg1ZAsnQMhgYtKxNml8/5RdqWknSKwkdnoC+lj2SR+ade1XqkHSYHp2zPMD/ItGdF4AwazKYkhsjl8/OcTgP/DBtGJNMHfEBC/n30FjdGhokSfWPK4Xsp9k=

This is the public key entry for the SSHFTP server; the long string is the public key. If there is both an RSA and a DSS key for the same server, take the DSS key.

4. Copy this line into a new file, and modify the line in the new file so it looks like this (move the DNS name from the beginning of the line and append it to the end of the public key with a space separating it from the key; remove the IP address):

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAqXwIsZ4ehyUa8MaFH8p355tXK6BY/Eh+zOWPwj6rihkOoZxrxMTwg1ZAsnQMhgYtKxNml8/5RdqWknSKwkdnoC+lj2SR+ade1XqkHSYHp2zPMD/ItGdF4AwazKYkhsjl8/OcTgP/DBtGJNMHfEBC/n30FjdGhokSfWPK4Xsp9k= <trading partner SSHFTP server name>

5. Save the modified file with a .pub suffix, and upload the public key into the BC trading partner SSHFTP server configuration as the server credential.
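Steps 3 to 5 as an added Python example (this is not TIBCO's code and not part of the original article): it turns a known_hosts entry into the BC server-credential line, rejects a truncated blob or a blob whose embedded type disagrees with the declared one, and returns the OpenSSH-style SHA256 fingerprint so you can confirm the key with the trading partner out of band before trusting a first-connection fetch. The hostnames, addresses and key blobs are constructed placeholders, not real host keys.

```python
import base64
import hashlib

def _wire(*fields: bytes) -> bytes:
    """Encode fields in SSH wire format (uint32 length + bytes), as RFC 4251 describes."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

# Constructed sample known_hosts lines (dummy numbers, NOT real host keys): each blob
# is a structurally valid SSH public key whose first wire field names its own type.
RSA_BLOB = base64.b64encode(_wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3\x7f")).decode()
DSS_BLOB = base64.b64encode(_wire(b"ssh-dss", b"\x07", b"\x03", b"\x02", b"\x04")).decode()
SAMPLE_KNOWN_HOSTS = [
    f"sshftp.partner.example,192.0.2.10 ssh-rsa {RSA_BLOB}",
    f"sshftp.partner.example,192.0.2.10 ssh-dss {DSS_BLOB}",
    f"other.example,192.0.2.11 ssh-rsa {RSA_BLOB}",
]

def decode_blob(blob: str) -> bytes:
    """Base64-decode a key blob, rejecting truncated or corrupted strings."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"host key blob is not valid base64: {exc}") from exc

def fingerprint(raw: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, to confirm with the partner out of band."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def bc_server_credential(known_hosts_lines, hostname):
    """Build the BC .pub line '<type> <blob> <hostname>' (IP dropped) and its fingerprint.
    If both an RSA and a DSS key exist for the host, the DSS key is taken, as step 3 says."""
    candidates = {}
    for line in known_hosts_lines:
        hosts, keytype, blob = line.split()[:3]
        if hostname not in hosts.split(","):
            continue
        raw = decode_blob(blob)
        n = int.from_bytes(raw[:4], "big")  # first wire field is the key type string
        if raw[4:4 + n] != keytype.encode():
            raise ValueError(f"{hostname}: declared {keytype} but the blob says otherwise")
        candidates[keytype] = (blob, raw)
    if not candidates:
        raise LookupError(f"no known_hosts entry for {hostname}")
    keytype = "ssh-dss" if "ssh-dss" in candidates else sorted(candidates)[0]
    blob, raw = candidates[keytype]
    return f"{keytype} {blob} {hostname}", fingerprint(raw)
```

Write the returned line to a file with a .pub suffix for step 5, and read the fingerprint back to the partner before uploading it.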


Environment

All platforms.

Issue/Introduction

When connecting to an SSHFTP server BC returns: "No peer public key is set to verify, must not trust peer blindly" When using WinSCP or another third-party application, I can connect without issue.What is the cause?