SFTP failing – due to using an outdated authentication algorithm or protocol?
- This topic has 5 replies, 3 voices, and was last updated 11 months, 2 weeks ago by .
March 2, 2022 at 7:22 pm #7003kb
I’m trying to upload my site to my server using SFTP, but “An error occurred during connection to the server …”.
I am using key authentication. Looking at Publii logs, I can see authentication failing:
[Wed, 02 Mar 2022 18:07:23 GMT] ERR (1): Error: sftpConnect: All configured authentication methods failed
The server is running OpenBSD 7.0 and when Publii fails to synchronize, I can see the authlog as follows:
Mar 2 19:59:46 server sshd: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Mar 2 19:59:46 server sshd: Received disconnect from x.x.x.x port 40580:11:[preauth]
I have double checked the settings and everything should be good.
When connecting from MacOS shell using sftp using the very same key, everything works as expected. In the server log I can see this instead:
Mar 2 20:00:54 server sshd: Accepted publickey for kb from x.x.x.x port 55401 ssh2: RSA SHA256:ZZ…
Is there any workaround or simple fix on the Publii client side for this?
Unfortunately changing the server configuration to allow old authentication mechanisms is not an option here.March 8, 2022 at 12:11 pm #7027Tomasz Dziuda
Nearest release – v.0.39 which is planned for the next week will contain bigger update of the SFTP dependency – I suppose that it can solve your issue. Temporary you can use manual deployment method: https://getpublii.com/docs/server-configuration.html#manual which is always a fallback for all issues with sync methods.
Do you appreciate the support you've received today? If so, consider donating to the Publii team by clicking here; we'll be sure to use your donation to make Publii even better!March 8, 2022 at 6:39 pm #7035kb
Thanks, looking forward to try it out. I found the tar archive output being pretty good workaround as well.March 23, 2022 at 7:17 pm #7164kb
Unfortunately with Version: 0.39.1 (build 15483) the problem still persists.
Logs on the OpenBSD server still look the same when I press the “Test connection” -button on the server type configuration page.
Publii claims that “Application was able to connect with your server but was unable to store files…”, but based on the server log that is not true.
Using the exact same key file with MacOS ssh works fine and permissions on the target directory are fine for writing.
Please let me know if there’s anything I can do to help you troubleshoot and/or fix this. For myself, the tar workaround is fine, but non-technical users would benefit from a direct sftp upload for sure.April 12, 2022 at 3:10 pm #7247andreas@wycom
I have a similar issue with a server that has a very old ssh/sftp server. It seems that Publii has changed something in the sftp protocol/library between version 0.35.3 and 0.39.1. In the older version the sftp connection works, in the newer it doesn’t. The “Test connection” gives the following Error message:
Error! Application was able to connect with your server but was unable to store files. Please check file permissions on your server.
Using scp e.g. from Mobaxterm, the connection works fine. Looking at the sshd logs on the server it says:
fatal: no kex alg
It seems that Publii 0.39.1 is more restrictive in the KexAlgorithms allowed. It should allow older kex algorithms like “diffie-hellman-group-exchange-sha1”. Could you check what has been changed and if this can be reverted? Thanks.April 19, 2022 at 5:21 pm #7312Tomasz Dziuda
I have always test the SFTP deployment with my VPS using my keys and it works. I suppose that this problem is related to the ssh2 library which is used in our SFTP deployment method. I do not see errors relatd to `no kex alg` and I suppose that we will be unable to fix this problem as it is an issue with dependency. So I suppose that always there will be small subset of servers where SFTP deployment method won’t work due a big amount of possible configurations.
That’s why we have prepared the manual deployment solution. Also in the future we will release a plugin which will allow more advanced users to run their own scripts after rendering a website – but it is a topic for the next few months.
Do you appreciate the support you've received today? If so, consider donating to the Publii team by clicking here; we'll be sure to use your donation to make Publii even better!
- You must be logged in to reply to this topic.