Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

JSch SFTP security with session.setConfig("StrictHostKeyChecking", "no");

Tags:

public-key

key-pair

sftp

jsch

I use JSch with private key to FTP file

  1. jsch.addIdentity(privatekeyfile);
  2. Session session = jsch.getSession( "user", "domain.com" ,22);
  3. session.setConfig("StrictHostKeyChecking", "no");

Line 3 is in question. Without this line, JSch does not work.

My question is: Will line 3 make SFTP transfer insecure?

like image 507
Tony Avatar asked May 11 '15 22:05

Tony

People also ask

What is StrictHostKeyChecking in SFTP?

Rejects incoming SSH host keys from remote servers not in the known host list. off. Accepts incoming SSH host keys from remote servers not in the known host list. This setting is the default value.

What is StrictHostKeyChecking in JSch?

Description​ The JSch StrictHostKeyChecking configuration is set to no, this indicates that connections may be made to unknown servers or servers that have changed their keys, generating new ones and adding them by default to the known server files.

1 Answers

Disabling the StrictHostKeyChecking option will make the connection less secure than having the option enabled, because it will let you connect to remote servers without verifying their SSH host keys. If the option is enabled, you will only be able to connect to servers which keys are known to your SSH client.

You will have to decide what that means for your specific use case - are the servers you are connecting on a private, local network or do you connect over the internet? Is this a testing or production environment?

When in doubt, it is better to err on the side of more security. I would recommend enabling StricktHostKeyChecking and using the setKnownHosts method to provide a file which contains the remote host keys.

like image 161
Ben Damer Avatar answered Sep 23 '22 23:09

Ben Damer
Sign in to Comment

Related questions

Streaming a file from SharpSSH
sftp versus SOAP call for file transfer
Upload files to SFTP server via PHP (phpseclib)
connect to a server via sftp php
Move and Rename file on ftp site with Ruby
Eclipse on Ubuntu: How do I access projects remotely over mounted SFTP connections?
Usage of select() for timeout
multiple connections in 1 project with sftp (sublime text 2)
Does SSH.NET accept only OpenSSH format of private key? If not, what are the restrictions?
Transfer file from AWS S3 to SFTP using Boto 3
Good simple C/C++ FTP and SFTP client library recommendation for embedded Linux [closed]
How to use apache vfs2 for sftp with public-private-key and without password
Python pysftp get_r from Linux works fine on Linux but not on Windows
using pscp.exe for sftp transfer is very slow compared to filezilla
Laravel Storage SFTP and uploaded files permissions
What would be a recommended choice of SSIS component to perform SFTP or FTPS task? [closed]
How to rename a file with sftp get command
JSch Algorithm negotiation fail
Apache Mina SFTP SftpSubsystem.Factory()
What is going to overtake FTP and why aren't we using it yet?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!