SSH <cfftp> throws com.jcraft.jsch.JSchException: Auth fail


Hello Wonderful People,

I am trying to use <cfftp> for an SSH connection for the first time and needing some help.

I am using the following attributes:

<cfftp action = "open"
	username = "***"
	connection = "PrismaConnection"
	password = "***"
	fingerprint = "***"
	server = "***"
	secure = "yes">

The above credentials work with WinSCP.

I am getting the following error message:

Lucee Error (

com.jcraft.jsch.JSchException: Auth fail

The Error Occurred in
**C:\iis\\wwwroot\reed_report\getToday360Files.cfm: line 16** 
> 14: fingerprint = "7b:0b:a0:bc:fc:50:dd:f3:1c:dc:7b:33:e3:6c:09:0c"
> 15: server = "***"
> **16: secure = "yes">**
> 17: 
> 18: <p>Did it succeed? <cfoutput>#cfftp.succeeded#</cfoutput>  

Java Stacktrace
lucee.runtime.exp.NativeException: com.jcraft.jsch.JSchException: Auth fail 

Any ideas on what to try would be helpful!



While the Lucee gurus investigate this,
Take a look at Denny’s cfssh


Thanks, webonix, for the idea.

We do have an alternative solution using WinSCP, but I am wondering whether the built in <cfftp> is supposed to function as advertised :slight_smile:



Well, passive doesn’t mean anything for SSH based FTP, and that’s the
highlighted line - so maybe remove that?


Thanks for looking into this, Joe!

It still doesn’t work w/o “passive”.
I guess I was just trying stuff to see if it’s going to help. I think it just highlights the last line before the end of the tag.

I just edited the error message to avoid confusion.


I haven’t had the chance to read this thread here, but in general everything is supposed to function “as advertised”. If it does not, then please file a bug in JIRA


Fingerprint is also optional - and I could see if that didn’t match, it
could throw an “Auth Fail”

Try removing that - if that helps, then you probably need to check the
fingerprint of the remote against the fingerprint you’re supplying.


Thanks for the suggestion Joe.

I just tried it w/o the fingerprint - same result.

How can I check the fingerprint on the remote? Where do I look for it?



I am first trying to determine whether this is a bug or I am not using the tag correctly or missing something.

Will file a bug once I am confident that I am not making a mistake. First wanted to hear if others have used the <cfftp> successfully to establish an SSH connection…


Add port=22

This cfscript code works for me:

srv = new ftp();

As for the fingerprint, Lucee compares it against JSCH’s
getHostKey().getFingerprint() method, which is defined as:
returns the key’s fingerprint (i.e. a lowercase hexadecimal representation
of the MD5 of the key.)

Something like this

Will get it - basically you can use ssh-keyscan on an OpenSSH machine to
get the host key in base64 mode. You’d need to decode the base64, and
re-encode with hex.

Also note that you’ll get different fingerprints for different hostkey
algorithms - i.e. ED25519 is different from RSA. (and HOPEFULLY you don’t
have DSS)


Thanks Joe for more ideas!

Adding the port number didn’t help.

Will look into making sure I am using the correct fingerprint a bit later!


Try using cfscript - I have heard of someone having issue with tag and
connection attribute, but work d in script

Could have been some other issue, but worth a try


I’ve been converting a standard FTP procedure using cfftp to SFTP by switching on the secure attribute and it seems to work ok.

Makes no difference if I use script or tags.

Specifying port=22 isn’t necessary as this is the default when using the secure attribute.

Perhaps there is something unusual about the server you are connecting to, Marianna? Is there anything in the Session settings or Advanced settings for the working connection in WinSCP that might give you a clue?


And just to make sure all bases are covered: I take it you’ve double/triple checked the username/password attributes are exactly the same as in WinSCP?

Also, what version of Java are you using with Lucee?

dump( );
dump( );


Thanks for your suggestions, Julian!
Here’s what I am getting:

|string|Oracle Corporation|

I believe version 8 is the latest?

You are not using a <fingerprint>? Is this not required?

Will try to find out if there is anything “unusual” about the server… I don’t have direct access to it…



I am seeing that in your code you’re not using a fingerprint. Is it not required?



Yes, that’s clearly not the issue then.

My connection seems to work fine without it.


Thanks webonix!

I tried with cfscript - no luck! :frowning:


Also, here it says:

Lucee does not support authentication by public key.

I don’t know enough about SSH to tell if this is related to the difficulty I am having…

Could anyone clarify whether public keys and fingerprints are related?


Something that can be very useful in situations like this is “debug logging”.

The JSCH library that we’re using here supports logging, but does not provide any useful implementation “out of the box”:

That can be added in Lucee though. Anyone cares to open a ticket for that in JIRA?