sftp - Received message too long #22

Closed
marji opened this issue Jul 16, 2018 · 11 comments
Comments

@marji
Contributor

marji commented Jul 16, 2018

I noticed sftp to the bastion container (with google authenticator selected as the MFA) does not work:

Provision a fresh bastion instance:

$ docker run -it -p 1234:22 \
     -e MFA_PROVIDER=google-authenticator \
     -v ~/.ssh/authorized_keys:/root/.ssh/authorized_keys \
     cloudposse/bastion:latest

Initialise with the first login.
Then ssh into the container again, works fine:

$ ssh root@localhost -p 1234
Verification code: 

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored for any reason.

3ee8753d97ea [~]#

But SFTP stops with an error:

$ sftp -P 1234 root@localhost
Verification code: 
Received message too long 1296449824

I'm not sure where to look. Perhaps the sshd config? If you give me a little hint, I'm happy to debug more.

@osterman osterman added this to Ready to Implement in Open Source Community Support via automation Jul 25, 2018
@marji
Contributor Author

marji commented Jul 30, 2018

@osterman IMHO, this issue is not a question as you labelled it, but rather a "bug" - easy to replicate, as per my instructions above.

@osterman
Member

@marji I suspect it could be related to the motd message. Since scp is a binary protocol, the output from the motd could be messing with it. Can you try disabling that, or exploring that vein to see how far it gets you?

@osterman
Member

The motd I am referring to is:

WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your actions
may be monitored for any reason.

@osterman
Member

Btw, you're invited to join our slack team here: https://slack.cloudposse.com where you'll get direct access to me and the team.

@osterman
Member

On further reflection, this will not work with Google Authenticator. SFTP is a non-interactive protocol. It’s implemented on top of SSH. MFA prompts are not an official spec and there is no standard. Thus there is no standard way for clients to handle it. If you use a more advanced client like Cyberduck, maybe it will work.

That said, SCP will work with non-interactive push notifications, which is the way we used it. This is supported by Duo. Duo is a much, much better approach. It also supports geofencing and a multitude of other security enhancements, plus the TOTP seed is not stored on the server. The TOTP seed will let anyone guess the sequence if compromised.

https://help.duo.com/s/article/2102?language=en_US

@osterman
Member

osterman commented Aug 2, 2018

@marji I'm going to close this issue. Please re-open if you can find any new information that indicates Google Authenticator is compatible with scp.

@osterman osterman closed this as completed Aug 2, 2018
Open Source Community Support automation moved this from Ready to Implement to Completed Aug 2, 2018
@marji
Contributor Author

marji commented Oct 22, 2018

@osterman I tracked the problem with sftp not working with google-authenticator to this standard output terminal condition in /rootfs/usr/bin/setup-google-authenticator.

While debugging this, I realised this condition is also breaking execution of ssh connections with remote command specified:

ssh root@localhost -p 1234 'echo hello'
Verification code: 
MFA setup required

When I compile the docker image without this condition, my problem is gone, sftp works.
Could you please remove it or adjust it to let sftp and ssh with remote command pass through?
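A diagnostic that follows from the two outputs above, added here as an example and not code from the issue or the bastion project: the number in sftp's "Received message too long N" error is the four bytes the client read as an SFTP packet length. SFTP frames every packet with a big-endian uint32 length, so any text a login script writes into the session before sftp-server takes over is parsed as a length by the client. Decoding the number back into characters shows which stray line got into the stream; the sample value is the one reported at the top of this issue, and the function names are assumed.

```shell
#!/bin/sh
# Added example, not code from the issue or the bastion project: decode the
# number in sftp's "Received message too long N" error. Every SFTP packet is
# framed with a big-endian uint32 length, so when a script writes text into
# the session before sftp-server starts, the client reads the first four
# bytes of that text as a packet length and aborts. Reversing the conversion
# shows which stray line got into the stream. The sample value is the one
# reported in this issue.

# Print the four big-endian bytes of a uint32 as raw characters.
sftp_length_to_text() {
  n="$1"
  b0=$(( (n >> 24) & 255 ))
  b1=$(( (n >> 16) & 255 ))
  b2=$(( (n >> 8) & 255 ))
  b3=$(( n & 255 ))
  # Build an octal-escape format so plain POSIX printf can emit the bytes.
  fmt=$(printf '\\%03o\\%03o\\%03o\\%03o' "$b0" "$b1" "$b2" "$b3")
  printf "$fmt"
}

# Return 0 when the first four characters of a suspected stray line equal the
# decoded length, i.e. that line is what the client mistook for a packet.
stray_line_matches() {
  n="$1"
  line="$2"
  [ "$(sftp_length_to_text "$n")" = "$(printf '%s' "$line" | cut -c1-4)" ]
}

# Worked instance: 1296449824 is 0x4D464120, the bytes "MFA ", which is the
# start of the "MFA setup required" line printed by the setup script, not of
# the "WARNING: Unauthorized access ..." motd banner.
```

Run `sftp_length_to_text 1296449824` and it prints `MFA `, so `stray_line_matches 1296449824 "MFA setup required"` succeeds while the same check against the motd banner fails. That points at the setup script rather than the motd, which is consistent with where the fix in this thread ended up; the same decoding works for any text that leaks into a subsystem session, such as a shell rc file that echoes on non-interactive logins.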

@osterman osterman reopened this Oct 22, 2018
Open Source Community Support automation moved this from Completed to In Progress Oct 22, 2018
@osterman
Member

@marji - aha, I see! yes, this seems like it could be easily fixed.

Open Source Community Support automation moved this from In Progress to Completed Oct 23, 2018
@osterman
Member

@marji please give it another shot. We moved the conditional inside the block to check if it's been previously initialized. If you want to disable MFA altogether for scp, I don't recommend it - but if you want to open a PR for it, we can consider it.
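The ordering change described in that comment, reconstructed as an added example (this is not the project's setup-google-authenticator script): a login hook written with the terminal check outside the initialised check, which is the behaviour reported in this issue, beside the same hook with the terminal check moved inside the not-yet-initialised branch. The names MFA_STATE_FILE and IS_TTY are assumptions made so that both branches can be exercised without a real terminal or PAM session.

```shell
#!/bin/sh
# Added example, not the cloudposse/bastion script itself: a login hook for
# google-authenticator setup written both ways, to show why the ordering of
# the two checks matters for sftp and "ssh host 'cmd'" sessions.
# Assumed names: MFA_STATE_FILE (where the per-user TOTP seed lives) and
# IS_TTY (overrides the real terminal test so both branches can be driven
# from a script); neither comes from the issue.

MFA_STATE_FILE="${MFA_STATE_FILE:-${HOME:-/root}/.google_authenticator}"

# True when fd 1 is a terminal. An sftp subsystem session or a remote-command
# session has no terminal on stdout; an interactive login does.
stdout_is_tty() {
  case "${IS_TTY:-auto}" in
    yes) return 0 ;;
    no)  return 1 ;;
    *)   [ -t 1 ] ;;
  esac
}

# True once the user has completed the interactive setup.
mfa_initialised() { [ -s "$MFA_STATE_FILE" ]; }

# Ordering as reported in the issue: the terminal check runs on every login,
# so an already-enrolled user opening an sftp session still gets a text line
# pushed into a stream the client expects to carry binary SFTP packets.
hook_broken() {
  if ! stdout_is_tty; then
    echo "MFA setup required"
    return 1
  fi
  if ! mfa_initialised; then
    echo "running interactive google-authenticator setup"
    echo "constructed-seed" > "$MFA_STATE_FILE"   # stands in for the real enrolment
  fi
  return 0
}

# Ordering as described in the fix: the terminal check sits inside the
# not-yet-initialised branch, so an enrolled user produces no output at all
# and sftp passes through; only an unenrolled user without a terminal is
# refused, and an unenrolled user with a terminal is taken through setup.
hook_fixed() {
  if ! mfa_initialised; then
    if ! stdout_is_tty; then
      echo "MFA setup required"
      return 1
    fi
    echo "running interactive google-authenticator setup"
    echo "constructed-seed" > "$MFA_STATE_FILE"   # stands in for the real enrolment
  fi
  return 0
}
```

With the seed file present, `hook_fixed` is silent and returns 0 regardless of IS_TTY, which is exactly what an sftp or remote-command session needs. With the seed file absent it still refuses a terminal-less session, so an unenrolled account cannot skip enrolment by connecting with sftp. Writing that refusal to stderr instead of stdout would keep even the "MFA setup required" line out of the SFTP packet stream; the example leaves it on stdout to match what the issue reports.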

@marji
Contributor Author

marji commented Oct 29, 2018

@osterman I'm happy to confirm the above change has fixed the problem.
I can now successfully sftp in, and I can also execute a remote command via ssh: I get the "Verification code" prompt, and when I answer it, I'm in.

Thank you guys for fixing this.

@osterman
Member

Thanks @marji for letting us know! Happy we got this working. =)

3 participants