Ticket #3921 (closed defect: fixed)

Opened 7 years ago

Last modified 5 years ago

support sftp keyborad interactive authentication

Reported by: adamm Owned by: andrew_b
Priority: major Milestone: 4.8.24
Component: mc-vfs Version: master
Keywords: Cc: howaboutsynergy@…, andrew_b, info@…
Blocked By: Blocking:
Branch state: merged Votes for changeset: committed-master

Description

When SSH server has cleartext password authentication disabled and only "keyboard-interactive" authentication enabled, then connection will fail. This happens with following sshd_config parameter,

PasswordAuthentication? no

And you can see these authentication methods with ssh -v hostname

libssh2_userauth_password only allows for Passoword authentication

libssh2_userauth_keyboard_interactive needs to be used for keyboard interactive authentication.

Attachments

sftp_ip.patch (3.7 KB) - added by adamm 7 years ago.
sftp_ip.2.patch (3.7 KB) - added by howaboutsynergy 5 years ago.
up to date patch (confirmed working)
sshd_config (6.8 KB) - added by howaboutsynergy 5 years ago.
sshd server config used to test

Change History

comment:1 Changed 7 years ago by adamm

Updated patch so it doesn't produce compile time warnings about unused parameters.

Changed 7 years ago by adamm

comment:2 Changed 6 years ago by howaboutsynergy

  • Cc howaboutsynergy@… added

comment:3 Changed 6 years ago by Vampik

The patch needs to be corrected for 4.8.23. super_data was renamed to sftpfs_super.

comment:4 Changed 6 years ago by zaytsev

  • Cc andrew_b added

Hi Andrew, the patch actually doesn't look too bad, does it? I think the same works for FISH already, so maybe we could take it... What do you think?

comment:5 follow-up: ↓ 6 Changed 6 years ago by andrew_b

How can I test this patch?
What options in sshd_config should I on/off to test this patch?

comment:6 in reply to: ↑ 5 Changed 5 years ago by Vampik

Replying to andrew_b:

How can I test this patch?
What options in sshd_config should I on/off to test this patch?

You should set

PasswordAuthentication no

in sshd_config. After that you will not be able to login without this patch.

comment:7 Changed 5 years ago by Vampik

BTW this is the default setting in Gentoo based distros. I wasn't able to use sftp in mc for a long time until I found this issue.

comment:8 Changed 5 years ago by howaboutsynergy

can't compile with patch

make[4]: Entering directory '/home/user/build/1packages/4used/mc-git/makepkg_pacman/mc/src/mc/src/vfs/sftpfs'
  CC       connection.lo
  CC       config_parser.lo
  CC       init.lo
  CC       dir.lo
  CC       file.lo
  CC       internal.lo
  CC       vfs_class.lo
  CC       vfs_subclass.lo
In file included from connection.c:37:
connection.c: In function ‘sftpfs_open_connection_ssh_password’:
connection.c:375:56: error: ‘super_data’ undeclared (first use in this function)
  375 |                 libssh2_userauth_keyboard_interactive (super_data->session,
      |                                                        ^~~~~~~~~~
connection.c:375:56: note: each undeclared identifier is reported only once for each function it appears in
make[4]: *** [Makefile:566: connection.lo] Error 1
make[4]: *** Waiting for unfinished jobs....

tested on:
commit 2dc676eeea612cb970163e2814a1ec4ec26a6cf4 (HEAD -> makepkg, origin/master, origin/HEAD)
Date: Sat Jul 13 08:58:52 2019 +0300

What's the value of AuthenticationMethods in /etc/ssh/sshd_config ?

comment:9 Changed 5 years ago by howaboutsynergy

For ssh -v hostname to work here's what you need(also added some stuff for 'mc' sftp to not fail for other reasons unrelated to this very issue):

Ciphers aes256-ctr
AuthenticationMethods keyboard-interactive:pam
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes                                                                                             
UsePAM yes
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKey /etc/ssh/ssh_host_rsa_key
LogLevel VERBOSE
LoginGraceTime 30s                                                                                                              
PermitRootLogin yes
StrictModes yes
MaxAuthTries 5

(in /etc/ssh/sshd_config)

Should see it work like this:

$ ssh -v 127.0.0.1
...
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 

debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 127.0.0.1 ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Jul 18 02:22:19 2019 from 127.0.0.1

on dmesg:

[ 3200.868402] sshd[18377]: Postponed keyboard-interactive for user from 127.0.0.1 port 36886 ssh2 [preauth]
[ 3205.053219] sshd[18377]: Postponed keyboard-interactive/pam for user from 127.0.0.1 port 36886 ssh2 [preauth]
[ 3205.053579] sshd[18377]: Accepted keyboard-interactive/pam for user from 127.0.0.1 port 36886 ssh2
[ 3205.054218] sshd[18377]: pam_unix(sshd:session): session opened for user user by (uid=0)
[ 3205.056994] systemd-logind[649]: New session 4 of user user.
[ 3205.057667] systemd[1]: Started Session 4 of user user.
[ 3205.061256] sshd[18377]: User child is on pid 18405
[ 3205.064639] sshd[18405]: Starting session: shell on pts/15 for user from 127.0.0.1 port 36886 id 0

If you use the above and try from (unpatched)mc via cd sftp://user@127.0.0.1
you see dmesg:

[ 3138.811924] sshd[18059]: Received disconnect from 127.0.0.1 port 36884:11: Normal Shutdown [preauth]
[ 3138.812505] sshd[18059]: Disconnected from authenticating user user 127.0.0.1 port 36884 [preauth]

comment:10 Changed 5 years ago by howaboutsynergy

ok according to commit 3e08cc722680bba3e3dc65541377ce033efeec45
Date: Wed Aug 17 13:54:08 2016 +0300

super_data->session should be sftpfs_super->session

-    userauthlist = libssh2_userauth_list (super_data->session, super->path_element->user,
+    userauthlist = libssh2_userauth_list (sftpfs_super->session, super->path_element->user,
                                           strlen (super->path_element->user));

Changed 5 years ago by howaboutsynergy

up to date patch (confirmed working)

Changed 5 years ago by howaboutsynergy

sshd server config used to test

comment:11 follow-up: ↓ 12 Changed 5 years ago by andrew_b

I'm trying to use the following minimalistic sshd_config:

Port 22
AddressFamily inet
ListenAddress 127.0.0.1
Protocol 2
PermitRootLogin no
AuthenticationMethods keyboard-interactive
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
UsePAM no
LogLevel VERBOSE
StrictModes yes
MaxAuthTries 5
Subsystem sftp /usr/lib/openssh/sftp-server

No success.

I cannot login in shell:

$ ssh -v 127.0.0.1
OpenSSH_7.2p2, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/andrew/.ssh/config
debug1: Reading configuration data /etc/openssh/ssh_config
debug1: /etc/openssh/ssh_config line 20: Applying options for *
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:22 as 'andrew'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:FzqKTNTroFuNUj0wUzSeV2x/1lpcESnT0ZRCmq5H6o8
debug1: Host '127.0.0.1' is known and matches the ED25519 host key.
debug1: Found key in /home/andrew/.ssh/known_hosts:22
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.
ssh: Permission denied (keyboard-interactive).

I do "SFTP link..." to "sftp://127.0.0.1/home/andrew". In both mcs (non-patched and patched) result the same: password is being asked, then "Cannot chdir to "/sftp://127.0.0.1/home/andrew".

comment:12 in reply to: ↑ 11 Changed 5 years ago by howaboutsynergy

Replying to andrew_b:

I'm trying to use the following minimalistic sshd_config:

Port 22
AddressFamily inet
ListenAddress 127.0.0.1
Protocol 2
PermitRootLogin no
AuthenticationMethods keyboard-interactive
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
UsePAM no

all you need here is:
UsePAM yes

LogLevel VERBOSE
StrictModes yes
MaxAuthTries 5
Subsystem sftp /usr/lib/openssh/sftp-server

No success.

I cannot login in shell:

$ ssh -v 127.0.0.1

and this will work!

I do "SFTP link..." to "sftp://127.0.0.1/home/andrew". In both mcs (non-patched and patched) result the same: password is being asked, then "Cannot chdir to "/sftp://127.0.0.1/home/andrew".

however for some reason, for me just now, mc got stuck, in
29 return SYSCALL_CANCEL (poll, fds, nfds, timeout);
but I believe this is a temporary issue that happens sometimes with this glibc that I'm using: local/glibc 2.29.9000.r381.g30ba0375464-1

Ok I figured out why it got hung: it's because I used your config's
Subsystem sftp /usr/lib/openssh/sftp-server but that file doesn't exist for me in ArchLinux?, so if I use Subsystem sftp /usr/lib/ssh/sftp-server then mc doesn't hang in SYSCALL_CANCEL as I mentioned above!

PS: For mc to can sftp:// , you also need HostKey /etc/ssh/ssh_host_rsa_key in sshd_config or else you get something about no matching key on dmesg.

Last edited 5 years ago by howaboutsynergy (previous) (diff)

comment:13 Changed 5 years ago by andrew_b

  • Owner set to andrew_b
  • Status changed from new to accepted
  • Branch state changed from no branch to on review
  • Milestone changed from Future Releases to 4.8.24

Branch: 3921_sftpfs_keyboard_interactive_auth
changeset:3dbf177ee2ff0be0c2d13ae06f0a99f8e7dcd4df

comment:14 Changed 5 years ago by metux

  • Cc info@… added

comment:15 Changed 5 years ago by andrew_b

  • Votes for changeset set to andrew_b
  • Branch state changed from on review to approved

comment:16 Changed 5 years ago by andrew_b

  • Status changed from accepted to testing
  • Votes for changeset changed from andrew_b to committed-master
  • Resolution set to fixed
  • Branch state changed from approved to merged

comment:17 Changed 5 years ago by andrew_b

  • Status changed from testing to closed
Note: See TracTickets for help on using tickets.