Ticket #3921 (closed defect: fixed)
support sftp keyborad interactive authentication
Reported by: | adamm | Owned by: | andrew_b |
---|---|---|---|
Priority: | major | Milestone: | 4.8.24 |
Component: | mc-vfs | Version: | master |
Keywords: | Cc: | howaboutsynergy@…, andrew_b, info@… | |
Blocked By: | Blocking: | ||
Branch state: | merged | Votes for changeset: | committed-master |
Description
When SSH server has cleartext password authentication disabled and only "keyboard-interactive" authentication enabled, then connection will fail. This happens with following sshd_config parameter,
And you can see these authentication methods with ssh -v hostname
libssh2_userauth_password only allows for Passoword authentication
libssh2_userauth_keyboard_interactive needs to be used for keyboard interactive authentication.
Attachments
Change History
comment:3 Changed 5 years ago by Vampik
The patch needs to be corrected for 4.8.23. super_data was renamed to sftpfs_super.
comment:4 Changed 5 years ago by zaytsev
- Cc andrew_b added
Hi Andrew, the patch actually doesn't look too bad, does it? I think the same works for FISH already, so maybe we could take it... What do you think?
comment:5 follow-up: ↓ 6 Changed 5 years ago by andrew_b
How can I test this patch?
What options in sshd_config should I on/off to test this patch?
comment:6 in reply to: ↑ 5 Changed 5 years ago by Vampik
Replying to andrew_b:
How can I test this patch?
What options in sshd_config should I on/off to test this patch?
You should set
PasswordAuthentication no
in sshd_config. After that you will not be able to login without this patch.
comment:7 Changed 5 years ago by Vampik
BTW this is the default setting in Gentoo based distros. I wasn't able to use sftp in mc for a long time until I found this issue.
comment:8 Changed 5 years ago by howaboutsynergy
can't compile with patch
make[4]: Entering directory '/home/user/build/1packages/4used/mc-git/makepkg_pacman/mc/src/mc/src/vfs/sftpfs' CC connection.lo CC config_parser.lo CC init.lo CC dir.lo CC file.lo CC internal.lo CC vfs_class.lo CC vfs_subclass.lo In file included from connection.c:37: connection.c: In function ‘sftpfs_open_connection_ssh_password’: connection.c:375:56: error: ‘super_data’ undeclared (first use in this function) 375 | libssh2_userauth_keyboard_interactive (super_data->session, | ^~~~~~~~~~ connection.c:375:56: note: each undeclared identifier is reported only once for each function it appears in make[4]: *** [Makefile:566: connection.lo] Error 1 make[4]: *** Waiting for unfinished jobs....
tested on:
commit 2dc676eeea612cb970163e2814a1ec4ec26a6cf4 (HEAD -> makepkg, origin/master, origin/HEAD)
Date: Sat Jul 13 08:58:52 2019 +0300
What's the value of AuthenticationMethods in /etc/ssh/sshd_config ?
comment:9 Changed 5 years ago by howaboutsynergy
For ssh -v hostname to work here's what you need(also added some stuff for 'mc' sftp to not fail for other reasons unrelated to this very issue):
Ciphers aes256-ctr AuthenticationMethods keyboard-interactive:pam PasswordAuthentication no KbdInteractiveAuthentication yes ChallengeResponseAuthentication yes UsePAM yes MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 HostKey /etc/ssh/ssh_host_rsa_key LogLevel VERBOSE LoginGraceTime 30s PermitRootLogin yes StrictModes yes MaxAuthTries 5
(in /etc/ssh/sshd_config)
Should see it work like this:
$ ssh -v 127.0.0.1 ... debug1: Authentications that can continue: keyboard-interactive debug1: Next authentication method: keyboard-interactive Password: debug1: Authentication succeeded (keyboard-interactive). Authenticated to 127.0.0.1 ([127.0.0.1]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: pledge: network debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 Last login: Thu Jul 18 02:22:19 2019 from 127.0.0.1
on dmesg:
[ 3200.868402] sshd[18377]: Postponed keyboard-interactive for user from 127.0.0.1 port 36886 ssh2 [preauth] [ 3205.053219] sshd[18377]: Postponed keyboard-interactive/pam for user from 127.0.0.1 port 36886 ssh2 [preauth] [ 3205.053579] sshd[18377]: Accepted keyboard-interactive/pam for user from 127.0.0.1 port 36886 ssh2 [ 3205.054218] sshd[18377]: pam_unix(sshd:session): session opened for user user by (uid=0) [ 3205.056994] systemd-logind[649]: New session 4 of user user. [ 3205.057667] systemd[1]: Started Session 4 of user user. [ 3205.061256] sshd[18377]: User child is on pid 18405 [ 3205.064639] sshd[18405]: Starting session: shell on pts/15 for user from 127.0.0.1 port 36886 id 0
If you use the above and try from (unpatched)mc via cd sftp://user@127.0.0.1
you see dmesg:
[ 3138.811924] sshd[18059]: Received disconnect from 127.0.0.1 port 36884:11: Normal Shutdown [preauth] [ 3138.812505] sshd[18059]: Disconnected from authenticating user user 127.0.0.1 port 36884 [preauth]
comment:10 Changed 5 years ago by howaboutsynergy
ok according to commit 3e08cc722680bba3e3dc65541377ce033efeec45
Date: Wed Aug 17 13:54:08 2016 +0300
super_data->session should be sftpfs_super->session
- userauthlist = libssh2_userauth_list (super_data->session, super->path_element->user, + userauthlist = libssh2_userauth_list (sftpfs_super->session, super->path_element->user, strlen (super->path_element->user));
Changed 5 years ago by howaboutsynergy
- Attachment sftp_ip.2.patch added
up to date patch (confirmed working)
Changed 5 years ago by howaboutsynergy
- Attachment sshd_config added
sshd server config used to test
comment:11 follow-up: ↓ 12 Changed 5 years ago by andrew_b
I'm trying to use the following minimalistic sshd_config:
Port 22 AddressFamily inet ListenAddress 127.0.0.1 Protocol 2 PermitRootLogin no AuthenticationMethods keyboard-interactive PasswordAuthentication no KbdInteractiveAuthentication yes ChallengeResponseAuthentication yes UsePAM no LogLevel VERBOSE StrictModes yes MaxAuthTries 5 Subsystem sftp /usr/lib/openssh/sftp-server
No success.
I cannot login in shell:
$ ssh -v 127.0.0.1 OpenSSH_7.2p2, OpenSSL 1.0.2n 7 Dec 2017 debug1: Reading configuration data /home/andrew/.ssh/config debug1: Reading configuration data /etc/openssh/ssh_config debug1: /etc/openssh/ssh_config line 20: Applying options for * debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22. debug1: Connection established. debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_ed25519-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/andrew/.ssh/id_dsa-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.2 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2 debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000 debug1: Authenticating to 127.0.0.1:22 as 'andrew' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256@libssh.org debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ssh-ed25519 SHA256:FzqKTNTroFuNUj0wUzSeV2x/1lpcESnT0ZRCmq5H6o8 debug1: Host '127.0.0.1' is known and matches the ED25519 host key. debug1: Found key in /home/andrew/.ssh/known_hosts:22 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: keyboard-interactive debug1: Next authentication method: keyboard-interactive debug1: Authentications that can continue: keyboard-interactive debug1: No more authentication methods to try. ssh: Permission denied (keyboard-interactive).
I do "SFTP link..." to "sftp://127.0.0.1/home/andrew". In both mcs (non-patched and patched) result the same: password is being asked, then "Cannot chdir to "/sftp://127.0.0.1/home/andrew".
comment:12 in reply to: ↑ 11 Changed 5 years ago by howaboutsynergy
Replying to andrew_b:
I'm trying to use the following minimalistic sshd_config:
Port 22 AddressFamily inet ListenAddress 127.0.0.1 Protocol 2 PermitRootLogin no AuthenticationMethods keyboard-interactive PasswordAuthentication no KbdInteractiveAuthentication yes ChallengeResponseAuthentication yes UsePAM no
all you need here is:
UsePAM yes
LogLevel VERBOSE StrictModes yes MaxAuthTries 5 Subsystem sftp /usr/lib/openssh/sftp-serverNo success.
I cannot login in shell:
$ ssh -v 127.0.0.1
and this will work!
I do "SFTP link..." to "sftp://127.0.0.1/home/andrew". In both mcs (non-patched and patched) result the same: password is being asked, then "Cannot chdir to "/sftp://127.0.0.1/home/andrew".
however for some reason, for me just now, mc got stuck, in
29 return SYSCALL_CANCEL (poll, fds, nfds, timeout);
but I believe this is a temporary issue that happens sometimes with this glibc that I'm using: local/glibc 2.29.9000.r381.g30ba0375464-1
comment:13 Changed 5 years ago by andrew_b
- Owner set to andrew_b
- Status changed from new to accepted
- Branch state changed from no branch to on review
- Milestone changed from Future Releases to 4.8.24
Branch: 3921_sftpfs_keyboard_interactive_auth
changeset:3dbf177ee2ff0be0c2d13ae06f0a99f8e7dcd4df
comment:15 Changed 5 years ago by andrew_b
- Votes for changeset set to andrew_b
- Branch state changed from on review to approved
comment:16 Changed 5 years ago by andrew_b
- Status changed from accepted to testing
- Votes for changeset changed from andrew_b to committed-master
- Resolution set to fixed
- Branch state changed from approved to merged
Merged to master: [bc91c2d1d1c74c025c7bba6f74d0af55b4047a66].
Updated patch so it doesn't produce compile time warnings about unused parameters.