SFTP failing – due to using an outdated authentication algorithm or protocol?
March 2, 2022 at 7:22 pm #7003[anonymous]
I’m trying to upload my site to my server using SFTP, but I get “An error occurred during connection to the server …”.
I am using key authentication. Looking at Publii logs, I can see authentication failing:
[Wed, 02 Mar 2022 18:07:23 GMT] ERR (1): Error: sftpConnect: All configured authentication methods failed
The server is running OpenBSD 7.0 and when Publii fails to synchronize, I can see the authlog as follows:
Mar 2 19:59:46 server sshd[45539]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Mar 2 19:59:46 server sshd[45539]: Received disconnect from x.x.x.x port 40580:11:[preauth]
I have double checked the settings and everything should be good.
When connecting from the macOS shell with sftp using the very same key, everything works as expected. In the server log I can see this instead:
Mar 2 20:00:54 server sshd[98980]: Accepted publickey for kb from x.x.x.x port 55401 ssh2: RSA SHA256:ZZ…
Is there any workaround or simple fix on the Publii client side for this?
Unfortunately changing the server configuration to allow old authentication mechanisms is not an option here.
March 8, 2022 at 12:11 pm #7027[anonymous]
Hi,
The nearest release, v0.39, which is planned for next week, will contain a bigger update of the SFTP dependency; I suppose that it can solve your issue. Temporarily you can use the manual deployment method (https://getpublii.com/docs/server-configuration.html#manual), which is always a fallback for all issues with sync methods.
March 8, 2022 at 6:39 pm #7035[anonymous]Thanks, looking forward to trying it out. I found the tar archive output to be a pretty good workaround as well.
March 23, 2022 at 7:17 pm #7164[anonymous]Unfortunately with Version: 0.39.1 (build 15483) the problem still persists.
Logs on the OpenBSD server still look the same when I press the “Test connection” button on the server type configuration page.
Publii claims that “Application was able to connect with your server but was unable to store files…”, but based on the server log that is not true.
Using the exact same key file with MacOS ssh works fine and permissions on the target directory are fine for writing.
Please let me know if there’s anything I can do to help you troubleshoot and/or fix this. For myself, the tar workaround is fine, but non-technical users would benefit from a direct sftp upload for sure.
April 12, 2022 at 3:10 pm #7247[anonymous]I have a similar issue with a server that has a very old ssh/sftp server. It seems that Publii has changed something in the sftp protocol/library between version 0.35.3 and 0.39.1. In the older version the sftp connection works, in the newer it doesn’t. The “Test connection” gives the following error message:
Error! Application was able to connect with your server but was unable to store files. Please check file permissions on your server.
Using scp, e.g. from MobaXterm, the connection works fine. Looking at the sshd logs on the server it says:
fatal: no kex alg
It seems that Publii 0.39.1 is more restrictive in the KexAlgorithms allowed. It should allow older kex algorithms like “diffie-hellman-group-exchange-sha1”. Could you check what has been changed and if this can be reverted? Thanks.
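Added here as a defender-side illustration of the two server-side log signatures in this thread (the first post's “key type ssh-rsa not in PubkeyAcceptedAlgorithms” and this post's “no kex alg”) and how to tell them apart from a genuine permission problem; it is not Publii's or ssh2's code. It assumes only Node.js; the sample log lines, the address 192.0.2.10, the PID 12345 and the fingerprint value are constructed placeholders.

```javascript
// Added example, not Publii's or ssh2's code: triage sshd authlog lines for the
// two handshake failures reported in this thread and separate them from a real
// "cannot store files" permission problem. The sample lines are constructed
// after the ones posted above; 192.0.2.10, PID 12345 and the fingerprint are placeholders.
const SAMPLE_AUTHLOG = [
  'Mar 2 19:59:46 server sshd[45539]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]',
  'Mar 2 19:59:46 server sshd[45539]: Received disconnect from 192.0.2.10 port 40580:11:  [preauth]',
  'Mar 2 20:00:54 server sshd[98980]: Accepted publickey for kb from 192.0.2.10 port 55401 ssh2: RSA SHA256:PLACEHOLDER',
  'Apr 12 14:55:01 server sshd[12345]: fatal: no kex alg',
];

// What each finding means and which side has to change (the server's hardening stays).
const ADVICE = {
  'legacy-rsa-sha1-signature':
    'client signed with SHA-1 "ssh-rsa"; update the client or its SSH library so it offers rsa-sha2-256/512, or switch to an ed25519 key',
  'no-common-kex':
    'no key-exchange algorithm in common; update the side that only offers deprecated KEX (e.g. diffie-hellman-group-exchange-sha1) instead of re-enabling it',
  'accepted': 'public key accepted with an RSA SHA-2 signature',
};

// Group lines by sshd PID: the "Received disconnect" line carries the client
// address that the preauth failure line itself lacks.
function triageAuthlog(lines) {
  const sessions = new Map();
  for (const line of lines) {
    const m = line.match(/sshd\[(\d+)\]: (.*)$/);
    if (!m) continue;
    const [, pid, msg] = m;
    const s = sessions.get(pid) || { pid, kind: null, ip: null, port: null };
    const addr = msg.match(/from (\S+) port (\d+)/);
    if (addr) { s.ip = addr[1]; s.port = Number(addr[2]); }
    if (/key type ssh-rsa not in PubkeyAcceptedAlgorithms/.test(msg)) s.kind = 'legacy-rsa-sha1-signature';
    else if (/fatal: no kex alg/.test(msg)) s.kind = 'no-common-kex';
    else if (/^Accepted publickey/.test(msg)) s.kind = 'accepted';
    sessions.set(pid, s);
  }
  return [...sessions.values()].filter(s => s.kind !== null);
}

// One operator-facing line per classified sshd session.
function summarize(lines) {
  return triageAuthlog(lines).map(
    s => `${s.kind} pid=${s.pid} from=${s.ip ?? 'unknown'}: ${ADVICE[s.kind]}`);
}

console.log(summarize(SAMPLE_AUTHLOG).join('\n'));
```

Run it against your own authlog (e.g. the lines from `/var/log/authlog` on OpenBSD) to confirm whether a failed Publii “Test connection” stopped at the handshake, in which case the permission hint in Publii's message is misleading.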
April 19, 2022 at 5:21 pm #7312[anonymous]
Hi,
I have always tested the SFTP deployment with my VPS using my keys and it works. I suppose that this problem is related to the ssh2 library which is used in our SFTP deployment method. I do not see errors related to `no kex alg` and I suppose that we will be unable to fix this problem as it is an issue with a dependency. So I suppose there will always be a small subset of servers where the SFTP deployment method won’t work due to the big number of possible configurations.
That’s why we have prepared the manual deployment solution. Also in the future we will release a plugin which will allow more advanced users to run their own scripts after rendering a website, but it is a topic for the next few months.
May 1, 2023 at 10:32 am #9902[anonymous]I did a comparison with the plain sftp package alone.
The client is the same MacOS, same account and same ssh key.
Server is the same OpenBSD, same account.
The sample program with the package alone authenticates fine and is able to access the server.
Publii attempting the same fails as described above.
Could there be something in the configuration object Publii hands to the library that forces it to use the incompatible algorithm ssh-rsa instead of ssh2 RSA?
npm install ssh2-sftp-client
// sftp.js: connect with the same key and account Publii uses, then list the web root
let Client = require('ssh2-sftp-client');
const fs = require('fs');
let sftp = new Client();
sftp.connect({
    host: 'kb.example.com',
    port: '22',
    username: 'kb',
    privateKey: fs.readFileSync('/Users/kb/.ssh/id_rsa')
}).then(() => {
    // any listing here means both key exchange and public key auth succeeded
    return sftp.list('/var/www/htdocs/kb.example.com');
}).then(data => {
    console.log(data, 'the data info');
}).catch(err => {
    console.log(err, 'catch error');
}).finally(() => {
    // close the session so the process exits
    return sftp.end();
});
node sftp.js
May 1, 2023 at 3:21 pm #9905[anonymous]The difference in behaviour is due to different versions of the ssh2 package.
Publii builds with version 1.11.0 of this package and fails the connections, while the sample code uses version 1.12.0 with success.
I built Publii locally, upgraded this package and the Publii server connection test to OpenBSD now succeeds. Please find the PR on GitHub.