support sftp keyborad interactive authentication

[adamm]

When SSH server has cleartext password authentication disabled and only "keyboard-interactive" authentication enabled, then connection will fail. This happens with following sshd_config parameter,

PasswordAuthentication? no

And you can see these authentication methods with ssh -v hostname

libssh2_userauth_password only allows for Passoword authentication

libssh2_userauth_keyboard_interactive needs to be used for keyboard interactive authentication.

[adamm]

Updated patch so it doesn't produce compile time warnings about unused parameters.

[Vampik]

The patch needs to be corrected for 4.8.23. super_data was renamed to sftpfs_super.

[zaytsev]

Hi Andrew, the patch actually doesn't look too bad, does it? I think the same works for FISH already, so maybe we could take it... What do you think?

[andrew_b]

How can I test this patch?
What options in sshd_config should I on/off to test this patch?

[Vampik]

Replying to andrew_b:

How can I test this patch?
What options in sshd_config should I on/off to test this patch?

You should set

PasswordAuthentication no

in sshd_config. After that you will not be able to login without this patch.

[Vampik]

BTW this is the default setting in Gentoo based distros. I wasn't able to use sftp in mc for a long time until I found this issue.

[howaboutsynergy]

can't compile with patch

make[4]: Entering directory '/home/user/build/1packages/4used/mc-git/makepkg_pacman/mc/src/mc/src/vfs/sftpfs'
  CC       connection.lo
  CC       config_parser.lo
  CC       init.lo
  CC       dir.lo
  CC       file.lo
  CC       internal.lo
  CC       vfs_class.lo
  CC       vfs_subclass.lo
In file included from connection.c:37:
connection.c: In function ‘sftpfs_open_connection_ssh_password’:
connection.c:375:56: error: ‘super_data’ undeclared (first use in this function)
  375 |                 libssh2_userauth_keyboard_interactive (super_data->session,
      |                                                        ^~~~~~~~~~
connection.c:375:56: note: each undeclared identifier is reported only once for each function it appears in
make[4]: *** [Makefile:566: connection.lo] Error 1
make[4]: *** Waiting for unfinished jobs....

tested on:
commit 2dc676eeea612cb970163e2814a1ec4ec26a6cf4 (HEAD -> makepkg, origin/master, origin/HEAD)
Date: Sat Jul 13 08:58:52 2019 +0300

What's the value of AuthenticationMethods in /etc/ssh/sshd_config ?

[howaboutsynergy]

For ssh -v hostname to work here's what you need(also added some stuff for 'mc' sftp to not fail for other reasons unrelated to this very issue):

Ciphers aes256-ctr
AuthenticationMethods keyboard-interactive:pam
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes                                                                                             
UsePAM yes
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKey /etc/ssh/ssh_host_rsa_key
LogLevel VERBOSE
LoginGraceTime 30s                                                                                                              
PermitRootLogin yes
StrictModes yes
MaxAuthTries 5

(in /etc/ssh/sshd_config)

Should see it work like this:

$ ssh -v 127.0.0.1
...
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 

debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 127.0.0.1 ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Jul 18 02:22:19 2019 from 127.0.0.1

on dmesg:

[ 3200.868402] sshd[18377]: Postponed keyboard-interactive for user from 127.0.0.1 port 36886 ssh2 [preauth]
[ 3205.053219] sshd[18377]: Postponed keyboard-interactive/pam for user from 127.0.0.1 port 36886 ssh2 [preauth]
[ 3205.053579] sshd[18377]: Accepted keyboard-interactive/pam for user from 127.0.0.1 port 36886 ssh2
[ 3205.054218] sshd[18377]: pam_unix(sshd:session): session opened for user user by (uid=0)
[ 3205.056994] systemd-logind[649]: New session 4 of user user.
[ 3205.057667] systemd[1]: Started Session 4 of user user.
[ 3205.061256] sshd[18377]: User child is on pid 18405
[ 3205.064639] sshd[18405]: Starting session: shell on pts/15 for user from 127.0.0.1 port 36886 id 0

If you use the above and try from (unpatched)mc via cd sftp://user@127.0.0.1
you see dmesg:

[ 3138.811924] sshd[18059]: Received disconnect from 127.0.0.1 port 36884:11: Normal Shutdown [preauth]
[ 3138.812505] sshd[18059]: Disconnected from authenticating user user 127.0.0.1 port 36884 [preauth]

[howaboutsynergy]

ok according to commit 3e08cc722680bba3e3dc65541377ce033efeec45
Date: Wed Aug 17 13:54:08 2016 +0300

super_data->session should be sftpfs_super->session

-    userauthlist = libssh2_userauth_list (super_data->session, super->path_element->user,
+    userauthlist = libssh2_userauth_list (sftpfs_super->session, super->path_element->user,
                                           strlen (super->path_element->user));

[howaboutsynergy]

up to date patch (confirmed working)

[howaboutsynergy]

sshd server config used to test

[andrew_b]

I'm trying to use the following minimalistic sshd_config:

Port 22
AddressFamily inet
ListenAddress 127.0.0.1
Protocol 2
PermitRootLogin no
AuthenticationMethods keyboard-interactive
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
UsePAM no
LogLevel VERBOSE
StrictModes yes
MaxAuthTries 5
Subsystem sftp /usr/lib/openssh/sftp-server

No success.

I cannot login in shell:

$ ssh -v 127.0.0.1
OpenSSH_7.2p2, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /home/andrew/.ssh/config
debug1: Reading configuration data /etc/openssh/ssh_config
debug1: /etc/openssh/ssh_config line 20: Applying options for *
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/andrew/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 127.0.0.1:22 as 'andrew'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:FzqKTNTroFuNUj0wUzSeV2x/1lpcESnT0ZRCmq5H6o8
debug1: Host '127.0.0.1' is known and matches the ED25519 host key.
debug1: Found key in /home/andrew/.ssh/known_hosts:22
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.
ssh: Permission denied (keyboard-interactive).

I do "SFTP link..." to "​sftp://127.0.0.1/home/andrew". In both mcs (non-patched and patched) result the same: password is being asked, then "Cannot chdir to "/​sftp://127.0.0.1/home/andrew".

[howaboutsynergy]

Replying to andrew_b:

I'm trying to use the following minimalistic sshd_config:

Port 22
AddressFamily inet
ListenAddress 127.0.0.1
Protocol 2
PermitRootLogin no
AuthenticationMethods keyboard-interactive
PasswordAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
UsePAM no

all you need here is:
UsePAM yes

LogLevel VERBOSE
StrictModes yes
MaxAuthTries 5
Subsystem sftp /usr/lib/openssh/sftp-server

No success.

I cannot login in shell:

$ ssh -v 127.0.0.1

and this will work!

I do "SFTP link..." to "​sftp://127.0.0.1/home/andrew". In both mcs (non-patched and patched) result the same: password is being asked, then "Cannot chdir to "/​sftp://127.0.0.1/home/andrew".

however for some reason, for me just now, mc got ​stuck, in
29 return SYSCALL_CANCEL (poll, fds, nfds, timeout);
but I believe this is a temporary issue that happens sometimes with this glibc that I'm using: local/glibc 2.29.9000.r381.g30ba0375464-1

Ok I figured out why it got hung: it's because I used your config's
Subsystem sftp /usr/lib/openssh/sftp-server but that file doesn't exist for me in ArchLinux?, so if I use Subsystem sftp /usr/lib/ssh/sftp-server then mc doesn't hang in SYSCALL_CANCEL as I mentioned above!

PS: For mc to can ​sftp:// , you also need HostKey /etc/ssh/ssh_host_rsa_key in sshd_config or else you get something about no matching key on dmesg.

[andrew_b]

Branch: 3921_sftpfs_keyboard_interactive_auth
changeset:3dbf177ee2ff0be0c2d13ae06f0a99f8e7dcd4df

[andrew_b]

Merged to master: [bc91c2d1d1c74c025c7bba6f74d0af55b4047a66].