Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v8.2.0 breaks SFTP connection with RSA private key #12733

Closed
mariolopes opened this issue Dec 30, 2021 · 27 comments
Closed

v8.2.0 breaks SFTP connection with RSA private key #12733

mariolopes opened this issue Dec 30, 2021 · 27 comments
Labels
bug help wanted sftp SFTP Protocol Implementation
Milestone

Comments

@mariolopes
Copy link

mariolopes commented Dec 30, 2021

I've been using Cyberduck for a while for connecting to an SFTP server (GoAnywhere MFT SFTP Server). Since I upgraded to version 8.2.0 I'm unable to authenticate using an RSA private key file. Downgrading to v8.1.1 fixes it.

@dkocher dkocher added bug sftp SFTP Protocol Implementation labels Dec 30, 2021
@dkocher
Copy link
Contributor

dkocher commented Dec 30, 2021

Also reported in #12720.

@ylangisc
Copy link
Contributor

ylangisc commented Dec 30, 2021

Tried with 2048 and 4096 bits RSA keys but was unable to reproduce the issue. Can you please post a debug log from an authentication attempt? Refer to https://docs.cyberduck.io/cyberduck/support/?highlight=debug#logging-output

@mariolopes
Copy link
Author

mariolopes commented Dec 30, 2021

Here's the log. I've changed the original hostname. Everything else was left untouched.
cyberduck.log

@dkocher
Copy link
Contributor

dkocher commented Dec 30, 2021

Relevant login attempts using different authentication methods.

2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Attempt login with 4 authentication methods [ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@4a21723, ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication@4cef7bd6, ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication@245371f3, ch.cyberduck.core.sftp.auth.SFTPPasswordAuthentication@48f347f2]
2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [password, publickey, keyboard-interactive]
2021-12-30 15:05:36,158 [Thread-77] INFO  ch.cyberduck.core.sftp.SFTPSession - Attempt authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@4a21723
2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication - Login using agent OpenSSHAgentAuthenticator{proxy=com.jcraft.jsch.agentproxy.AgentProxy@5cfc4ac0} for Host{protocol=Profile{parent=sftp, vendor=iterate GmbH, description=null, image=null}, port=16119, hostname='sftp.hostnameremovedsorry.com', credentials=Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}}, uuid='86c2a57b-a621-4622-900f-9ecdbe319386', nickname='OCP', defaultpath='null', workdir=null, labels=[]}
2021-12-30 15:05:36,158 [Thread-77] DEBUG ch.cyberduck.core.sftp.openssh.OpenSSHAgentAuthenticator - Retrieve identities from proxy com.jcraft.jsch.agentproxy.AgentProxy@5cfc4ac0
2021-12-30 15:05:36,159 [Thread-77] DEBUG ch.cyberduck.core.sftp.openssh.OpenSSHAgentAuthenticator - Found 0 identities
2021-12-30 15:05:36,159 [Thread-77] WARN  ch.cyberduck.core.sftp.SFTPSession - Login refused with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPAgentAuthentication@4a21723
2021-12-30 15:05:36,159 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [password, publickey, keyboard-interactive]
2021-12-30 15:05:36,159 [Thread-77] INFO  ch.cyberduck.core.sftp.SFTPSession - Attempt authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication@4cef7bd6
2021-12-30 15:05:36,159 [Thread-77] DEBUG ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication - Login using public key authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}}
2021-12-30 15:05:36,159 [Thread-77] INFO  ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication - Reading private key Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'} with key format OpenSSH
2021-12-30 15:05:36,160 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `null`
2021-12-30 15:05:36,160 [Thread-77] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - Trying `publickey` auth...
2021-12-30 15:05:36,160 [Thread-77] DEBUG net.schmizz.sshj.userauth.method.AuthPublickey - Attempting authentication using PKCS8KeyFile{resource=[PrivateKeyReaderResource] java.io.InputStreamReader@6b7aab42}
2021-12-30 15:05:36,161 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Awaiting <<authenticated>>
2021-12-30 15:05:36,244 [reader] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `false`
2021-12-30 15:05:36,244 [Thread-77] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - `publickey` auth failed
2021-12-30 15:05:36,244 [Thread-77] WARN  ch.cyberduck.core.sftp.SFTPSession - Login failed with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPPublicKeyAuthentication@4cef7bd6
2021-12-30 15:05:36,244 [Thread-77] DEBUG ch.cyberduck.core.sftp.SFTPSession - Remaining authentication methods [password, publickey, keyboard-interactive]
2021-12-30 15:05:36,245 [Thread-77] INFO  ch.cyberduck.core.sftp.SFTPSession - Attempt authentication with credentials Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}} and authentication method ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication@245371f3
2021-12-30 15:05:36,245 [Thread-77] DEBUG ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication - Login using challenge response authentication for Host{protocol=Profile{parent=sftp, vendor=iterate GmbH, description=null, image=null}, port=16119, hostname='sftp.hostnameremovedsorry.com', credentials=Credentials{user='inesctec', oauth='OAuthTokens{accessToken='null', refreshToken='', expiryInMilliseconds=9223372036854775807}', token='', identity=Local{path='/Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk'}}, uuid='86c2a57b-a621-4622-900f-9ecdbe319386', nickname='OCP', defaultpath='null', workdir=null, labels=[]}
2021-12-30 15:05:36,245 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Setting <<authenticated>> to `null`
2021-12-30 15:05:36,245 [Thread-77] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - Trying `keyboard-interactive` auth...
2021-12-30 15:05:36,246 [Thread-77] DEBUG net.schmizz.concurrent.Promise - Awaiting <<authenticated>>
2021-12-30 15:05:36,287 [reader] DEBUG net.schmizz.sshj.userauth.UserAuthImpl - Asking `keyboard-interactive` method to handle USERAUTH_60 packet
2021-12-30 15:05:36,287 [reader] DEBUG net.schmizz.sshj.userauth.method.AuthKeyboardInteractive - Requesting response for challenge `Password:`; echo=false
2021-12-30 15:05:36,287 [reader] DEBUG ch.cyberduck.core.sftp.auth.SFTPChallengeResponseAuthentication - Reply to challenge name password with instruction Enter password for inesctec
2021-12-30 15:05:36,287 [reader] DEBUG ch.cyberduck.ui.cocoa.callback.PromptLoginCallback - Prompt for credentials for inesctec

It shows the server is not accepting the key /Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk.

@mariolopes
Copy link
Author

mariolopes commented Dec 30, 2021

I'm using the exact same key with version 8.1.2 and it's working fine.

@ylangisc
Copy link
Contributor

ylangisc commented Dec 31, 2021

Thanks @mariolopes. Can you please share the fingerprint of your private key? That would give me information about the type and size of the key.

ssh-keygen -l -f /Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk

@mariolopes
Copy link
Author

mariolopes commented Dec 31, 2021

Weird. It says it's not a key file. Anyway, here's the fingerprint that's on the file header. I thought it was an RSA key but I was wrong. It's a AES-128 key.

-----BEGIN RSA PRIVATE KEY-----
x-Generator: GoAnywhere 6.0.1
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,05f8fcdc2efeb47ed5dd5130500462e9

@alturic
Copy link

alturic commented Dec 31, 2021

Same issue, AES256 here though.

Downgraded back to 8.0.0, works flawlessly.

@ylangisc
Copy link
Contributor

ylangisc commented Jan 3, 2022

@mariolopes You have an RSA private key encrypted with AES-128-CBC. Tried with an encrypted private key too but was still able to properly connect.

Also tried to restrict the used algorithms on the server side to the ones I see in your log.
Negotiated algorithms: [ kex=diffie-hellman-group-exchange-sha256; sig=ssh-rsa; c2sCipher=aes128-cbc; s2cCipher=aes128-cbc; c2sMAC=hmac-sha1; s2cMAC=hmac-sha1; c2sComp=zlib@openssh.com; s2cComp=zlib@openssh.com; ]

Still no luck but I suspect that the change of the signature algorithm priority in the sshj library could be the reason. Refer to iterate-ch/sshj@624747c

Can you please try to connect in debug mode from the command line and post the output? That would let me see the supported algorithms of your server and if we choose an unsupported one.

ssh -i /Users/mal/webapps.nosync/ocp/intellAPI/drive_settings/INESCTEC.pvk [HOSTNAME] -vv

I'm especially interested in the following two lines:

debug2: KEX algorithms: ...
debug2: host key algorithms: ...

@mariolopes
Copy link
Author

mariolopes commented Jan 3, 2022

Here you go:

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

By the way, I have two VPS machines running Ubuntu Focal and we're using an scp wrapper for Python (paramiko). In one of the machines I'm still able to connect. In the other I get the same error (Authentication failed) as with Cyberduck 8.2.0. They're running the exact same versions of openssh-client.

@ylangisc
Copy link
Contributor

ylangisc commented Jan 3, 2022

@mariolopes What version of Paramiko are you running? You might hit paramiko/paramiko#1955. It would be helpful to post the output as shown in the issue above when trying to connect with Cyberduck 8.2.0.

@mariolopes
Copy link
Author

mariolopes commented Jan 3, 2022

Weird. In the VPS that's still connecting to the SFTP server we're running Paramiko 2.8.1 (older Docker image). In the version that's not connecting, it was upgraded to 2.9.1. There must have been some recent change in the ssh that's breaking the authentication with older SFTP servers.

@ylangisc
Copy link
Contributor

ylangisc commented Jan 3, 2022

For me it looks like paramiko/paramiko#1955 is partially fixed only, i.e. for rsa-sha2-256 but not for ssh-rsa public key algorithm. As mentioned could you please post the Paramiko 2.9.1 debug output when trying to connect from Cyberduck 8.2.0?

@ylangisc
Copy link
Contributor

ylangisc commented Jan 3, 2022

Another thing I have noticed from your initial Cyberduck log file provided is that you run GoAnywhere 6.0.1 but your debug2 output shows rsa-sha2-* algorithms which are supported as of version 6.5.0 only. Refer to https://www.goanywhere.com/support/release-notes/mft?page=17

@mariolopes
Copy link
Author

mariolopes commented Jan 3, 2022

Here it goes:

DEBUG:paramiko.transport:userauth is OK
DEBUG:paramiko.transport:Finalizing pubkey algorithm for key of type 'ssh-rsa'
DEBUG:paramiko.transport:Our pubkey algorithm list: ['rsa-sha2-512', 'rsa-sha2-256', 'ssh-rsa']
DEBUG:paramiko.transport:Server-side algorithm list: ['']
DEBUG:paramiko.transport:Agreed upon 'rsa-sha2-512' pubkey algorithm
INFO:paramiko.transport:Auth banner: b'Welcome! Please login.\n'
INFO:paramiko.transport:Authentication (publickey) failed.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.8/site-packages/paramiko/transport.py", line 1634, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.8/site-packages/paramiko/auth_handler.py", line 258, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

@mariolopes
Copy link
Author

mariolopes commented Jan 3, 2022

Another thing I have noticed from your initial Cyberduck log file provided is that you run GoAnywhere 6.0.1 but your debug2 output shows rsa-sha2-* algorithms which are supported as of version 6.5.0 only. Refer to https://www.goanywhere.com/support/release-notes/mft?page=17

That's weird. Anyway, the server is not managed by us. I'll contact the host and let him know that. Thanks.

@tdmayden
Copy link

tdmayden commented Jan 5, 2022

I have the same problem here, Cyberduck Version 8.1.1 connects to a CentOS 6 server via SSH just fine, but Cyberduck 8.2.0 fails to connect and /var/log/secure on the server reports userauth_pubkey: unsupported public key algorithm: rsa-sha2-512 - Cyberduck must be sending the wrong key info when the connection is made somehow?

@ylangisc
Copy link
Contributor

ylangisc commented Jan 5, 2022

@tdmayden Any chance to also post the two debug2 lines described above when connecting from the command line?

ssh -i [KEYFILE] [HOSTNAME] -vv

@tdmayden
Copy link

tdmayden commented Jan 5, 2022

@ylangisc there are two lines of each in that output, all pasted here:

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c

debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

and

debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com

debug2: host key algorithms: ssh-rsa,ssh-dss

@ylangisc
Copy link
Contributor

ylangisc commented Jan 7, 2022

Can you please confirm that the latest snapshot version fixes the issue?

@tdmayden
Copy link

tdmayden commented Jan 7, 2022

@ylangisc i would be happy to do that, how do i go about getting a snapshot version?

@ylangisc
Copy link
Contributor

ylangisc commented Jan 7, 2022

You need to switch to the Snapshot feed in the Preferences and then update. Also refer to https://docs.cyberduck.io/cyberduck/preferences/#update.

@tdmayden
Copy link

tdmayden commented Jan 7, 2022

@ylangisc thanks so much - i can confirm that with 8.2.1 via snapshot feed, i can now connect to the machines that i previously could not connect to. thanks so much! 👍

@ylangisc
Copy link
Contributor

ylangisc commented Jan 7, 2022

Thanks for confirming. A new release will be available next week.

@schveiguy
Copy link

schveiguy commented Jan 7, 2022

Even though my issue #12720 was closed without resolution, I can confirm that this snapshot build works for my case too.

Thanks!

@mariolopes
Copy link
Author

mariolopes commented Jan 8, 2022

It also works for me! Thank you very much, @ylangisc. What was the issue, by the way? What's the commit hash that fixes this?

@dkocher
Copy link
Contributor

dkocher commented Jan 8, 2022

It also works for me! Thank you very much, @ylangisc. What was the issue, by the way? What's the commit hash that fixes this?

This was resolved upstream with iterate-ch/sshj@f1928dd

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug help wanted sftp SFTP Protocol Implementation
Projects
None yet
Development

No branches or pull requests

6 participants