How do I implement a secure SSH proxy tunnel using JSch?

By I Wayan Saryada in JSch 0 Comment

To implement a secure SSH proxy tunnel using JSch (Java Secure Channel library), you can follow these steps. JSch is a Java library designed to perform SSH operations like creating tunnels, port forwarding, and other remote operations.

Here’s a detailed implementation guide:

1. Code for Creating an SSH Proxy Tunnel

Here’s how you can create a local-to-remote port forwarding (a tunnel) using JSch:

package org.kodejava.jsch;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public class SSHProxyTunnel {
   public static void main(String[] args) {
      String sshHost = "example.com";
      int sshPort = 22;
      String sshUser = "username";
      String sshPassword = "password";
      String remoteHost = "remote.server.com";
      int localPort = 8080;   // Local port to bind
      int remotePort = 80;    // Remote port to forward to

      Session session = null;
      try {
         // Create JSch instance
         JSch jsch = new JSch();

         // Create a session with the SSH server
         session = jsch.getSession(sshUser, sshHost, sshPort);
         session.setPassword(sshPassword);

         // Avoid asking for key confirmation
         session.setConfig("StrictHostKeyChecking", "no");

         // Connect to the SSH server
         System.out.println("Connecting to SSH server...");
         session.connect();

         // Setup local port forwarding
         int assignedPort = session.setPortForwardingL(localPort, remoteHost, remotePort);
         System.out.println("SSH Tunnel established:");
         System.out.println("LocalPort: " + localPort + " -> RemoteHost: " + remoteHost + ":" + remotePort);
         System.out.println("AssignedPort: " + assignedPort);

         System.in.read();
      } catch (Exception e) {
         e.printStackTrace();
      } finally {
         // Cleanup and disconnect
         if (session != null && session.isConnected()) {
            session.disconnect();
         }
      }
   }
}

2. Explanation

  • SSH Server (Jump Host): The sshHost is the host of the jumphost (or bastion) server you will connect to using SSH.
  • Remote Server (Backend Host): The remoteHost is the internal server you want to connect to through the SSH server, using the tunnel.
  • Local Port: The port on your local machine that acts as an entry point to the proxy tunnel.
  • Remote Port: The port on the remote server that your request should be forwarded to.

3. How Port Forwarding Works

  1. Local Port Forwarding: session.setPortForwardingL(localPort, remoteHost, remotePort) forwards traffic to a local port (e.g., port 8080 on your machine) through the SSH server and to the remote server and port you specify. For example, accessing http://localhost:8080 would route traffic to remote.server.com:80 through the SSH tunnel.

4. Security Enhancements

Here are some best practices to improve the security of your implementation:

  • Key Authentication: Use an SSH key instead of a password for authentication. This can be done by calling jsch.addIdentity("path-to-private-key"):
jsch.addIdentity("/path/to/private-key");
  • StrictHostKeyChecking: Avoid turning off strict host key checking (StrictHostKeyChecking=no) in production. Configure trusted known hosts instead.
jsch.setKnownHosts("/path/to/known_hosts");
  • Close Resources: Ensure session.disconnect() is always called, preferably in a try-with-resources block or a finally block.

5. Advanced Configuration (Optional)

  • Using a Proxy: If the SSH server is behind a proxy, you can use ProxySOCKS5 or ProxyHTTP to configure the proxy.
  • Timeouts: Set connection and session timeouts for better handling of connection issues:
session.setTimeout(30000); // Timeout in milliseconds

6. Testing the Tunnel

  1. Run the program.
  2. Open your browser or terminal and access http://localhost:8080.
  3. You should see the data served by remote.server.com:80.

Example Use Case

You could use this setup to securely connect to a database on a remote server (e.g., Postgres or MySQL) without exposing the server directly to the internet.

Maven Dependencies

<dependency>
    <groupId>com.jcraft</groupId>
    <artifactId>jsch</artifactId>
    <version>0.1.55</version>
</dependency>

Maven Central

How do I check file existence and permissions over SFTP using JSch?

By I Wayan Saryada in JSch 0 Comment

To check for file existence and permissions over an SFTP connection using JSch in Java, you need to use the ChannelSftp class provided by the JSch library. Here’s how you can do it step by step:

Steps:

  1. Establish an SFTP connection using the JSch class.
  2. Open an SFTP channel (ChannelSftp).
  3. Use ChannelSftp.lstat() to check the existence and permissions of a file.

Example Code:

package org.kodejava.jsch;

import com.jcraft.jsch.*;

public class SFTPFileCheck {
   public static void main(String[] args) {
      String username = "username";
      String host = "example.com";
      int port = 22; // Default SFTP port
      String privateKey = "/path/to/private/key";
      String filePath = "/path/to/remote/file";

      JSch jsch = new JSch();
      Session session = null;
      ChannelSftp channelSftp = null;

      try {
         // Set up authentication with SSH private key
         jsch.addIdentity(privateKey);
         session = jsch.getSession(username, host, port);

         // Disable strict host key checking for simplicity
         session.setConfig("StrictHostKeyChecking", "no");

         // Connect to the SFTP server
         session.connect();

         // Open an SFTP channel
         channelSftp = (ChannelSftp) session.openChannel("sftp");
         channelSftp.connect();

         // Check if the file exists and get its attributes
         try {
            SftpATTRS attrs = channelSftp.lstat(filePath);

            // File exists, print permissions
            System.out.println("File exists: " + filePath);
            System.out.println("Permissions: " + attrs.getPermissionsString());
            System.out.println("Size: " + attrs.getSize() + " bytes");
         } catch (SftpException e) {
            if (e.id == ChannelSftp.SSH_FX_NO_SUCH_FILE) {
               // File does not exist
               System.out.println("File does not exist: " + filePath);
            } else {
               // Other SFTP error
               e.printStackTrace();
            }
         }

      } catch (Exception e) {
         e.printStackTrace();
      } finally {
         // Disconnect from SFTP
         if (channelSftp != null && channelSftp.isConnected()) {
            channelSftp.disconnect();
         }
         if (session != null && session.isConnected()) {
            session.disconnect();
         }
      }
   }
}

Explanation:

  1. Session Setup:
    • jsch.addIdentity(privateKey) is used to authenticate using an SSH private key; replace this with setPassword() if you’re using a username/password.
  2. File Check:
    • channelSftp.lstat(filePath) is used to get file attributes. If the file does not exist, it throws an SftpException with the SSH_FX_NO_SUCH_FILE error code.
  3. Permissions:
    • attrs.getPermissionsString() provides the permissions in a Unix-style format (e.g., -rw-r--r--).
  4. Error Handling:
    • Catch SftpException to handle specific cases, such as file not found or other SFTP-related errors.
  5. Cleanup:
    • Disconnect the SFTP channel and session when done to free up resources.

Notes:

  • Make sure you have the jsch-<version>.jar file added to your project’s classpath.
  • Ensure network connectivity, appropriate SSH access, and file permissions on the remote server.
  • For large-scale applications, consider using a logging framework (e.g., SLF4J) rather than System.out.

This example provides the basic workflow for checking file existence and retrieving permissions over SFTP using JSch.

Maven Dependencies

<dependency>
    <groupId>com.jcraft</groupId>
    <artifactId>jsch</artifactId>
    <version>0.1.55</version>
</dependency>

Maven Central

How do I manage timeout and keep-alive settings in JSch sessions?

By I Wayan Saryada in JSch 2 Comments

When working with SSH connections using JSch (a popular Java SSH library), it’s important to configure timeouts and keep-alive behavior correctly. This helps you:

  • Avoid hanging indefinitely when a server or network becomes unresponsive
  • Detect dead connections in a predictable way
  • Keep long-lived sessions alive across unstable networks

This article explains how to manage timeouts and keep-alive (server-alive) messages in JSch, and clarifies how the different settings interact internally.

1. Timeouts and keep-alive in JSch: the concepts

JSch gives you three main knobs related to “how long to wait” and “how to detect dead connections”:

  1. Connect timeout
    How long JSch waits while establishing the TCP/SSH connection before giving up.

  2. Socket read timeout
    How long JSch waits for data when reading from the socket before treating it as a timeout.

  3. Server-alive (SSH-level keep-alive) interval and count
    Periodic “are you alive?” messages sent by the client when the connection is idle, to detect broken connections.

A key detail in JSch’s implementation is that setTimeout(int) and setServerAliveInterval(int) share the same internal timeout field. That means whichever one you call last will determine the effective socket read timeout.

2. Configuring timeouts with setTimeout and connect(...)

2.1 Session.setTimeout(int timeout)

You configure the session timeout (in milliseconds) using:

session.setTimeout(30_000); // 30 seconds

In JSch, this value is used as:

  • The socket read timeout, and
  • The default connection timeout when you call: 
    session.connect(); // no argument

If no data is received within this timeout during a read operation, JSch throws an exception (typically a java.net.SocketTimeoutException wrapped in a JSch exception).

2.2 Session.connect() vs Session.connect(int connectTimeout)

You can control the connect timeout in two ways:

  1. Implicit connect timeout via setTimeout 
    session.setTimeout(30_000);
session.connect(); // uses 30 seconds as connect timeout and read timeout
  2. Explicit connect timeout via overloaded connect(int) 
    session.setTimeout(30_000); // read timeout
session.connect(10_000);    // connect timeout = 10 seconds

Here:

  • 10_000 ms is used only for the time spent establishing the connection.
  • The socket read timeout after connection is still 30_000 ms (from setTimeout, or from setServerAliveInterval if you call that later).

3. Enabling SSH-level keep-alive with setServerAliveInterval

JSch provides a mechanism often referred to as server-alive messages (sometimes called SSH-level keep-alive). These are SSH protocol messages sent by the client when the connection is idle.

  • ⚠️ This is not the same as TCP SO_KEEPALIVE.
  • JSch’s server-alive feature is implemented at the SSH layer, not as a low-level TCP socket option.

You configure it using:

session.setServerAliveInterval(15_000); // 15 seconds
session.setServerAliveCountMax(3);      // send up to 3 unanswered keep-alives
  • setServerAliveInterval(intervalMillis)
    JSch will send a server-alive message if no data is received for intervalMillis milliseconds.

  • setServerAliveCountMax(count)
    If count consecutive server-alive messages go unanswered, JSch treats the connection as dead and disconnects.

3.1 Important interaction: setServerAliveInterval and setTimeout

Internally, JSch uses a single timeout field that both setTimeout(int) and setServerAliveInterval(int) influence. That means:

session.setTimeout(30_000);          // 30 seconds
session.setServerAliveInterval(15_000);

After these calls, the effective socket read timeout becomes 15 seconds, because setServerAliveInterval(15_000) updates the same internal timeout used for reads.

In other words:

  • setTimeout and setServerAliveInterval are not independent.
  • The value set last will be the one that applies to socket read timeouts.

This is a common source of confusion, and it’s important to keep in mind when combining these settings.

4. Example: session with timeout and keep-alive

The following example demonstrates a typical configuration where you:

  • Use a single value for read timeout and keep-alive interval (to match JSch’s internal behavior), and
  • Use a different value for the connect timeout via connect(int).
package org.kodejava.jsch;

import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;

public class JSchTimeoutExample {
    public static void main(String[] args) {
        try {
            JSch jsch = new JSch();
            Session session = jsch.getSession("username", "host", 22);

            // Set credentials
            session.setPassword("password");

            // Configure session
            // In production, avoid disabling StrictHostKeyChecking like this
            // and make sure host keys are managed securely.
            session.setConfig("StrictHostKeyChecking", "no");

            // Configure the session timeout and keep-alive using a single value.
            // In JSch, setServerAliveInterval() internally updates the same
            // timeout as setTimeout(), so they share the same underlying value.
            int timeoutAndKeepAliveMs = 15_000;

            // This sets both:
            // - the SSH-level keep-alive interval, and
            // - the internal timeout used for socket read operations.
            session.setServerAliveInterval(timeoutAndKeepAliveMs);
            session.setServerAliveCountMax(3);

            // Optionally, use a separate (shorter) connect timeout:
            // This value only affects how long we wait to establish the connection.
            session.connect(10_000); // 10 seconds connect timeout

            // Perform your SSH operations here...
            // e.g., open channels, execute commands, transfer files, etc.

            // Disconnect when done
            session.disconnect();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This configuration gives you:

  • Keep-alive interval: 15 seconds
  • Socket read timeout: 15 seconds (same underlying value)
  • Connect timeout: 10 seconds (via connect(10_000))

5. Option: only timeout, without keep-alive

In some environments, you may not need JSch’s server-alive feature:

  • The network is stable and connections are short-lived, or
  • The server or your application has its own mechanism to detect idle / dead connections.

In that case, you can keep the configuration simpler and only use setTimeout.

5.1 Only timeout, using the same value for connect and read

JSch jsch = new JSch();
Session session = jsch.getSession("username", "host", 22);
session.setPassword("password");

// For production, manage host keys properly instead of disabling this.
session.setConfig("StrictHostKeyChecking", "no");

// 30 seconds socket read timeout.
// This value is also used as the default connect timeout
// when calling connect() without parameters.
session.setTimeout(30_000);

session.connect(); // connect timeout = 30 seconds, read timeout = 30 seconds

// ... use the session ...

session.disconnect();

5.2 Different connect timeout vs read timeout

If you want a shorter connect timeout but a longer read timeout, you can combine setTimeout with connect(int):

JSch jsch = new JSch();
Session session = jsch.getSession("username", "host", 22);
session.setPassword("password");
session.setConfig("StrictHostKeyChecking", "no");

// Read timeout after connection is established
session.setTimeout(30_000);  // 30 seconds

// Connect timeout for establishing the TCP/SSH connection
session.connect(10_000);     // 10 seconds

// ... use the session ...

session.disconnect();

Here:

  • If the server cannot be reached within 10 seconds, connect(10_000) fails.
  • Once connected, read operations will time out after 30 seconds of inactivity.

6. Option: custom keep-alive logic

Instead of relying on JSch’s server-alive feature, you can implement a custom keep-alive in your application logic. This gives you more control and visibility.

A common pattern:

  1. Use a scheduler (e.g. ScheduledExecutorService) to run a task every N seconds.
  2. That task sends a lightweight command to the server via an SSH channel (for example echo 1 or true).
  3. If the command fails, times out, or throws an exception, treat the session as broken and:
  • Close the session, and
  • Optionally create a new one.

This approach is more verbose but can be useful when you need:

  • Application-level monitoring of connection health
  • Detailed logging of keep-alive failures
  • Integration with your own reconnection or failover logic

7. Best practices and gotchas

To wrap up, here are some practical recommendations:

  1. Be aware of the shared timeout field
    Remember that setTimeout(int) and setServerAliveInterval(int) share the same internal timeout. The last one called effectively “wins” for the socket read timeout.

  2. Use connect(int) for fine-grained control of connect timeout
    If you care about “fast fail” when a server is unreachable, always use connect(int connectTimeout) instead of plain connect().

  3. Don’t disable StrictHostKeyChecking in production
    The example uses:

    session.setConfig("StrictHostKeyChecking", "no");

    This is convenient for demos and testing, but insecure in production. Properly manage known hosts and host key verification.

  4. Tune keep-alive carefully on unstable networks
    A very short server-alive interval can cause aggressive disconnects on noisy networks. Start with moderate values (e.g., 15–30 seconds interval, 3–5 max count) and adjust based on real-world behavior.

  5. Always close sessions cleanly
    Call session.disconnect() when you’re done. Leaking sessions can exhaust resources on both client and server.

By understanding how JSch handles timeout and keep-alive settings internally—especially the shared timeout field used by setTimeout and setServerAliveInterval—you can configure your SSH sessions to behave predictably and handle network issues more gracefully.

How do I configure key-based authentication with a passphrase using JSch?

By I Wayan Saryada in JSch 0 Comment

When using JSch (Java Secure Channel) for SSH key-based authentication with a passphrase, you need to set your private key file (which is protected by the passphrase) and optionally the passphrase itself. Below is an example demonstrating how to configure key-based authentication using JSch:

Code Example

package org.kodejava.jsch;

import com.jcraft.jsch.*;

public class JSchKeyBasedAuthentication {
    public static void main(String[] args) {
        String host = "example.com";         // Remote server hostname/IP
        String user = "username";            // SSH username
        String privateKey = "/path/to/private/key"; // Path to your private key
        String passphrase = "passphrase";    // Passphrase for the private key

        JSch jsch = new JSch();

        try {
            // Add the private key (with passphrase)
            jsch.addIdentity(privateKey, passphrase);

            // Create an SSH session
            Session session = jsch.getSession(user, host, 22);

            // Disable host key checking for simplicity (not recommended for production)
            session.setConfig("StrictHostKeyChecking", "no");

            // Connect to the server
            session.connect();

            System.out.println("Connected to the server!");

            // Once connected, you can execute commands, transfer files, etc.

            // Disconnect after use
            session.disconnect();
            System.out.println("Disconnected from the server.");
        } catch (JSchException e) {
            e.printStackTrace();
        }
    }
}

Explanation of the Code:

  1. jsch.addIdentity(privateKey, passphrase): This specifies the private key file and its passphrase for authentication. If the private key doesn’t have a passphrase, omit the passphrase parameter or pass null.
  2. session.setConfig("StrictHostKeyChecking", "no"): This disables host key checking. In a production environment, ensure you verify the server’s host key to prevent man-in-the-middle attacks.
  3. session.connect(): Establishes the SSH connection with the server using the provided private key.

Key Points:

  • Private Key Path: Ensure the private key file path is correct and accessible. It must be readable by the application.
  • Passphrase: If your private key is secured with a passphrase, you must provide it. If the private key is not secured with a passphrase, pass null instead.
  • Permissions: Ensure appropriate permissions on the private key file (e.g., chmod 600 on Unix-based systems).

Optional (To Load Known Hosts Manually):

To add known hosts verification:

jsch.setKnownHosts("/path/to/known_hosts");

This ensures the remote server’s key matches the key in the known_hosts file.

This configuration lets your Java application authenticate securely to an SSH server using a private key with a passphrase.

Maven Dependencies

<dependency>
    <groupId>com.jcraft</groupId>
    <artifactId>jsch</artifactId>
    <version>0.1.55</version>
</dependency>

Maven Central

How do I execute multiple commands sequentially using JSch ShellChannel?

By I Wayan Saryada in JSch 0 Comment

To execute multiple commands sequentially using JSch’s ChannelShell, you need to establish a persistent shell session and then pass the commands in sequence. The ChannelShell uses an input and output stream to communicate with the remote host. Here is a step-by-step approach and a sample implementation:

Steps to Execute Commands Sequentially

  1. Initialize the JSch session: Establish the connection to the server using JSch.
  2. Open a ChannelShell: Use the ChannelShell to create a shell session to the remote host.
  3. Set up input and output streams: Provide input to the remote shell via the shell channel’s OutputStream. Read the response using the shell channel’s InputStream.
  4. Write multiple commands sequentially: Write each command along with a newline (\n) to the shell channel’s output stream.
  5. Wait for execution: Read the output for each command or wait for the commands to finish execution using appropriate logic.
  6. Close the session: Close the input/output streams, the channel, and the session.

Sample Code for Sequential Command Execution

Below is an example of executing multiple commands sequentially using JSch’s ChannelShell:

package org.kodejava.jsch;

import com.jcraft.jsch.*;
import java.io.*;

public class JSchShellExample {
   public static void main(String[] args) {
      String host = "example.com";
      String user = "username";
      String password = "password";
      int port = 22; // Default SSH port

      JSch jsch = new JSch();
      Session session = null;

      try {
         // Step 1: Establish an SSH session
         session = jsch.getSession(user, host, port);
         session.setPassword(password);

         // Disable strict host key checking for demo purposes
         session.setConfig("StrictHostKeyChecking", "no");
         session.connect();

         // Step 2: Open a Shell Channel
         Channel channel = session.openChannel("shell");
         ChannelShell shellChannel = (ChannelShell) channel;

         // Step 3: Set up input and output streams
         OutputStream inputToShell = shellChannel.getOutputStream();
         PrintWriter writer = new PrintWriter(inputToShell, true);

         InputStream outputFromShell = shellChannel.getInputStream();
         BufferedReader reader = new BufferedReader(new InputStreamReader(outputFromShell));

         // Step 4: Connect the shell channel
         shellChannel.connect();

         // Step 5: Write multiple commands
         writer.println("pwd");
         writer.println("ls -l");
         writer.println("echo 'Done'");
         writer.println("exit"); // Exit the shell session

         // Step 6: Read the output from the shell
         String line;
         while ((line = reader.readLine()) != null) {
            System.out.println(line);
         }

      } catch (Exception e) {
         e.printStackTrace();
      } finally {
         // Step 7: Close everything
         if (session != null && session.isConnected()) {
            session.disconnect();
         }
      }
   }
}

Explanation of the Code

  1. Session Establishment: The JSch#getSession method establishes a session with the remote server by providing username, host, and port. The password is set using setPassword.

  2. Shell Channel: A shell session (ChannelShell) is used to execute a series of commands as if typed in an interactive shell.

  3. Input and Output Streams:

    • Input: Commands are sent to the shell via getOutputStream, and the PrintWriter is used to send multiple commands.
    • Output: The output of the commands is read from getInputStream.
  4. Commands:
    • Commands must be separated by newlines (\n).
    • The exit command is used to terminate the shell session.
  5. Output Reading:
    • The code continuously reads the output from the shell channel until the end of the stream.
  6. Cleanup: All resources (session, channel, streams) are closed to prevent resource leakage.

Key Points to Note

  1. Command Execution Nature:

    • All commands are executed sequentially, but since the shell is an interactive session, any command awaiting input (e.g., vi) will cause the program to hang unless the session is properly managed.
  2. Output Processing:
    • SSH servers don’t send output line-by-line but as a stream, so you need to handle it accordingly in your program.
  3. Error Handling:
    • Always handle exceptions such as connection errors, I/O issues, or authentication failures appropriately.
  4. Host Key Verification:
    • Disabling StrictHostKeyChecking can be a security concern. It is better to handle host key verification properly in a production environment.

This code demonstrates how to execute commands sequentially using the JSch shell channel. You can adjust and enhance it based on your requirements, such as using a configuration file or logging the outputs to a file.

Maven Dependencies

<dependency>
    <groupId>com.jcraft</groupId>
    <artifactId>jsch</artifactId>
    <version>0.1.55</version>
</dependency>

Maven Central