SSH <cfftp> throws com.jcraft.jsch.JSchException: Auth fail


SSH uses keys to communicate, there’s a host key and a user may have
their own key for authentication purposes.

The fingerprint verifies the client is connecting to the correct server
host key.
The public key is used to authenticate a user from the client side against
the server.

Different things

FYI: In Lucee which fixed - I added an option to show the debug output from JSch.

This might change slightly in the future, but to enable it as it is implemented now, add the system property lucee.debug.jsch=true. You can do that by passing the JVM option to the command that launches your Servlet container (e.g. Tomcat, Jetty, etc.) as follows:


Once enabled, all of the JSch debug output will be written to STDOUT, e.g. catalina.out, console, etc. (depending on your setup).


1 Like

I had regular ftp working via cfscript, 'cause via CFFTP (tags) it didn’t work. But recently the FTP-provider installed a certificate to make use of secure FTP, and now I am also having issues with FTP. I’ve added the secure flag and a specific port number, but a connection cannot be established. Not sure if that is due to authentication or due to how FTP works in CFML?

new ftp().open(

Does anyone have an idea what the Secure flag actually does? Does it do TLS/SSL EXPLICIT or TLS/SSL IMPLICIT? There is a difference - what that is I have never investigated or needed to know, but running into this issue now it seems I need to know.

I am on Lucee and I get the following errors:

com.jcraft.jsch.JSchException: timeout: socket is not established


com.jcraft.jsch.JSchException: Session.connect: Read timed out

Anyone @ Lucee know this, what the SECURE flag actually does?

And did you get it to work @MariannaAtPlay?

I’ve skimmed the source.

There are two protocols for FTP… Original FTP, which uses port 21. And SSH FTP (SFTP) which uses SSH and port 22. They are nothing alike. (Other than that you can transfer files with them)

There are two ways to get encryption w/ Original FTP - Port 990 SSL, and Port 21 + AUTH TLS (explicit).

Lucee’s implementation is in and the CFFtp tag is in lucee.runtime.tag.Ftp

When secure=true, you’re using SFTP (SSH)

When secure=false, you’re using FTP (non encrypted)

I’m not seeing any provisions to get apache FTPClient to do SSL… There’s a FTPSClient for SSL, with implicit and explicit modes, plus there’s whether the data channel should be encrypted or not (PROT command) all of which does not appear to be implemented at all in Lucee.

FTP plus certs can be problematic because of NAT - the FTP protocol existed BEFORE NAT, and so firewalls manipulate the control stream to fix IPs when they’re wrong - which they CANT do when they’re encrypted… Which makes diagnosing things tough.

CFFTP could be extended to do more, or you could use the underlying Apache FTPClient library and do it Java style… Either way you should submit a bug in JIRA.


I actually need FTPS functionality. Is this something that will be added to the CFFTP tag??

why not just use cfexecute to run a batch file to ftp or rsync the data you need?