Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to connect via SFTP #13442

Closed
mathio opened this issue Jun 7, 2022 · 18 comments · Fixed by #13700
Closed

Unable to connect via SFTP #13442

mathio opened this issue Jun 7, 2022 · 18 comments · Fixed by #13700
Assignees
Labels
help wanted sftp SFTP Protocol Implementation
Milestone

Comments

@mathio
Copy link

mathio commented Jun 7, 2022

Describe the bug

Connecting via SFTP with password authentication fails. Cyberduck tries to authenticate via public key.
This is happening for Cyberduck version 8+. The issue is not present in Cyberduck 7.10.2.

To Reproduce

  1. Create new SFTP connection bookmark
  2. Setup authentication via password
  3. Set SSH Private Key as "None"
  4. Double click the bookmark to connect
  5. The connection attempt is rejected, UI shows an error message:

Connection failed
Application error. The connection attempt was rejected. The server may be down, or your network may not be properly configured.

Expected behavior
Connection should not fail.
I was told by my hosting provider the client is trying to connect using public key however it is configured to use password instead. Cyberduck should authenticate using password.

Screenshots
Screenshot 2022-06-08 at 00 31 11

Desktop:

  • OS: macOS Catalina 10.15.7
  • Version 8.3.3 (also tried with versions 8.2.3 and 8.0.0)

Log Files
Note: The domain was replaced with example.com in all logs.

Related Cyberduck log:

2022-06-08 00:16:40,223 [sshj-Reader-example.com/37.9.175.156:22] DEBUG net.schmizz.sshj.transport.kex.Curve25519SHA256 - Sending SSH_MSG_KEXDH_INIT
2022-06-08 00:16:40,244 [sshj-Reader-example.com/37.9.175.156:22] INFO  net.schmizz.sshj.transport.TransportImpl - Received SSH_MSG_DISCONNECT (reason=BY_APPLICATION, msg=Application error)
2022-06-08 00:16:40,244 [sshj-Reader-example.com/37.9.175.156:22] ERROR net.schmizz.sshj.transport.TransportImpl - Dying because - Application error
net.schmizz.sshj.transport.TransportException: Application error
	at net.schmizz.sshj.transport.TransportImpl.gotDisconnect(TransportImpl.java:533) ~[sshj-0.33.0.jar:?]
	at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:489) ~[sshj-0.33.0.jar:?]
	at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:113) ~[sshj-0.33.0.jar:?]
	at net.schmizz.sshj.transport.Decoder.received(Decoder.java:200) ~[sshj-0.33.0.jar:?]
	at net.schmizz.sshj.transport.Reader.run(Reader.java:60) ~[sshj-0.33.0.jar:?]

Full log here: cyberduck.log

Related log from hosting provider:

USER [example.com](http://example.com/) (Login failed): authentication via 'ssh-rsa' public key failed

Additional context
I can connect via sftp command line without any issues, therefore I can rule out general network issues.

Workaround
Downgrading all the way down to Cyberduck version 7.10.2 works fine.

@dkocher dkocher added the sftp SFTP Protocol Implementation label Jun 14, 2022
@wtw
Copy link

wtw commented Jun 20, 2022

I too am experiencing this issue. The log (on my side) does not add anything useful, I am getting „Too many authentication failures“ right now. Don't have any info from the server side.

Additional context
I can connect via ssh without any issues.

Workaround
For me 8.3.0, 8.3.1, 8.3.2 are working fine, 8.3.3 is showing said error. So the cause seems to be something added in that version. Might relate to 63d1d6c?

@Rizzle93
Copy link

I am also seeing this on Cyberduck version 8.3.3: getting the 'Too many authentication failures' with existing saved configs and with newly created configs (all using password auth). I've just downgraded to version 8.3.2, and password auth seems to be working for that version

@geroembser
Copy link

I also started to have connection issues with version 8.3.3. Downgrading to version 8.3.2 makes everything work again. I've noticed, however, that I can solve the problem in 8.3.3 by deleting the keys from my ssh-agent with ssh-add -d -K. As soon as I'll add them again with something like ssh-add -K the SFTP-login with Cyberduck will no longer work in 8.3.3 (but it does in 8.3.2!). Maybe this information will help someone, so I share it here....

@ylangisc
Copy link
Contributor

@mathio Thanks for the logfile which does not give too much insight why the auth process fails. Any chance to post a logfile generated with version 7.10.2?

@ylangisc
Copy link
Contributor

@wtw @Rizzle93 @geroembser Can you please provide a debug log of a failing connection attempt with version 8.3.3?

@wtw
Copy link

wtw commented Jun 28, 2022

@ylangisc Debug log for 8.3.3 is attached, it should include everything around the failed attempt. I anonymized all sensitive data and removed about 400 lines of „DEBUG net.schmizz.sshj.common.ECDSAVariationsAdapter - Key algo: ecdsa-sha2-nistp256, Key curve:“ messages. Mind that this is a bookmark that works with version 8.3.2 without any changes, so the connection details are valid. Same problem persists in version 8.4.0.

As @mathio mentioned there are failing authentication attempts with different keypairs. After these failing authentication attempts some background task returns null, which causes an exception. Authentication method password is never tried, only none and publickey are mentioned in the log. I compared the log briefly with the log from 8.3.2 and only in 8.3.3 I get this error:
2022-06-28 15:36:14,545 [sshj-Reader-XXXSERVERNAMEXXX/XXXIPADDRESSXXX:22] ERROR net.schmizz.sshj.transport.TransportImpl - Dying because - Too many authentication failures, although the same SSH connection attempts should fail in 8.3.2 as well. Can it be that the code is not prepared for such an error and bails out before trying password authentication? Also the sshj dependency was updated between 8.3.2 (0.32.4) and 8.3.3 (0.33.0). Hope any of this guesswork helps. :)

cyberduck-connection.log

@ylangisc
Copy link
Contributor

Thanks @wtw for the log. I can see that password auth would also be tried if all other options do not work but it looks like your server has set MaxAuthTries to 2 which makes the subsequent auth attempts fail. Any chance to also post a log of an auth attempt with version 8.3.2? Still not sure why the order of auth methods has changed.

@wtw
Copy link

wtw commented Jun 29, 2022

Sure, it seems that the order of auth methods is the same, but not only two of my keys are used, but all four of them. There is no error after two attempts. It is the same bookmark/server and I can switch from 8.3.2 (works) to 8.3.3 (too many attempts) and back at will. After all keys failed, password auth is tried and succeeds.

cyberduck-connection-8.3.2.log

@vzz3
Copy link

vzz3 commented Aug 8, 2022

I have the same Problem "Too many authentication failures. Please contact your web hosting service provider for assistance." with version 8.4.2 on MacOS 11.6 (20G165). However, I need a key for the authentication and not a password. The correct key is selected in the connection settings and no password is in the password input field. After a downgrade to 8.3.2 it works as expected. Thanks to @wtw for posting the last working version numbers.

@asmaloney
Copy link

asmaloney commented Aug 30, 2022

Just another "me too" - using a private key & no password on macOS 12.5.1.

I can ssh on the command line fine & I can access using FileZilla fine, but CyberDuck 8.4.3 fails with "Too many authentication failures."

It works if I use version 8.3.2 without changing anything else (thanks @wtw!)

(Edit: Clarify version.)

dkocher added a commit that referenced this issue Aug 31, 2022
Prioritise password authentication if one is set.
@ylangisc
Copy link
Contributor

ylangisc commented Sep 1, 2022

The latest snapshot version contains a fix for authentication with password.

@mathio
Copy link
Author

mathio commented Sep 21, 2022

Where can I find the latest snapshot please? The link on the website does not work (https://docs.cyberduck.io/dirhtml/cyberduck/preferences/#Update) and I could not find anything on Github. It is not fixed in latest stable release.

@wtw
Copy link

wtw commented Sep 21, 2022

Where can I find the latest snapshot please? The link on the website does not work (https://docs.cyberduck.io/dirhtml/cyberduck/preferences/#Update) and I could not find anything on Github. It is not fixed in latest stable release.

This issue seems to be fixed in version 8.4.4 (just upgraded and connects successfully): https://cyberduck.io/download/.

@dkocher dkocher added this to the 8.4.4 milestone Sep 21, 2022
@AndreVirtimo
Copy link

I also can confirm that the bug is fixed with version 8.4.4.

@mathio
Copy link
Author

mathio commented Sep 21, 2022

I downloaded the 8.4.4 version. I kept it in ~/Downloads, not to override the version 7 that is in /Applications. Version 8 opened and displayed my bookmarks from version 7. I tried to connect but it failed. The error in log seems to be the same as in my first comment:

net.schmizz.sshj.transport.kex.Curve25519SHA256 - Sending SSH_MSG_KEXDH_INIT
2022-09-21 14:17:11,834 [sshj-Reader-example.com/37.9.175.156:22] INFO  net.schmizz.sshj.transport.TransportImpl - Received SSH_MSG_DISCONNECT (reason=BY_APPLICATION, msg=Application error)
2022-09-21 14:17:11,834 [sshj-Reader-example.com/37.9.175.156:22] ERROR net.schmizz.sshj.transport.TransportImpl - Dying because - Application error
net.schmizz.sshj.transport.TransportException: Application error
	at net.schmizz.sshj.transport.TransportImpl.gotDisconnect(TransportImpl.java:533) ~[sshj-0.34.0.jar:?]
	at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:489) ~[sshj-0.34.0.jar:?]
	at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:113) ~[sshj-0.34.0.jar:?]
	at net.schmizz.sshj.transport.Decoder.received(Decoder.java:200) ~[sshj-0.34.0.jar:?]
	at net.schmizz.sshj.transport.Reader.run(Reader.java:60) ~[sshj-0.34.0.jar:?]
2022-09-21 14:17:11,834 [sshj-Reader-example.com/37.9.175.156:22] WARN  ch.cyberduck.core.sftp.SFTPSession - Disconnected BY_APPLICATION

Full log: cyberduck-8-4-4.log

When I connect with Cyberduck 7.10.2 it works.

2022-09-21 14:20:12,127 [reader] DEBUG net.schmizz.sshj.transport.kex.Curve25519SHA256 - Sending SSH_MSG_KEXDH_INIT
2022-09-21 14:20:12,141 [reader] DEBUG net.schmizz.sshj.transport.KeyExchanger - Received kex followup data
2022-09-21 14:20:12,141 [reader] DEBUG net.schmizz.sshj.transport.kex.Curve25519SHA256 - Received SSH_MSG_KEXDH_REPLY
2022-09-21 14:20:12,154 [reader] DEBUG net.schmizz.sshj.transport.KeyExchanger - Trying to verify host key with ch.cyberduck.core.sftp.SFTPSession$1@313cda71
2022-09-21 14:20:12,159 [reader] DEBUG net.schmizz.sshj.transport.KeyExchanger - Sending SSH_MSG_NEWKEYS
2022-09-21 14:20:12,160 [reader] DEBUG net.schmizz.sshj.transport.KeyExchanger - Received SSH_MSG_NEWKEYS
2022-09-21 14:20:12,172 [reader] DEBUG net.schmizz.concurrent.Promise - Setting <<kexinit sent>> to `null`
2022-09-21 14:20:12,172 [reader] DEBUG net.schmizz.concurrent.Promise - Setting <<kex done>> to `SOME`
2022-09-21 14:20:12,172 [Thread-31] DEBUG net.schmizz.sshj.SSHClient - Key exchange took 0.06 seconds
2022-09-21 14:20:12,173 [Thread-31] DEBUG ch.cyberduck.core.Session - Connection did open to Host{protocol=Profile{parent=sftp, vendor=iterate GmbH, description=null, image=null}, port=22, hostname='example.com', credentials=Credentials{user='example.com', oauth='Tokens{accessToken='null', refreshToken='null'}', token='', identity=null}, uuid='2af3be97-f111-4b9d-b7b7-06e067b255fe', nickname='null', defaultpath='null', workdir=null, labels=[]}

Full log: cyberduck-7-10-2.log

@wtw
Copy link

wtw commented Sep 21, 2022

Might be a different error and/or root cause. Luckily, my issue got solved, so I can't provide more help or input here, sorry.

@Muutu
Copy link

Muutu commented May 22, 2023

We are encountering the same issue with 8.5.10 (39764). Cyberduck refuses to connect to our newest web hosting server. Works perfectly well with the older servers.

Server is running Ubuntu 22.04 with ProFTPD.

Downgrading Cyberduck didn't help. Went all the way to 7.10.

@ylangisc
Copy link
Contributor

@Muutu This issue is closed. Refer to proftpd/proftpd#1595.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted sftp SFTP Protocol Implementation
Projects
None yet
Development

Successfully merging a pull request may close this issue.

10 participants