Feature #7327
closedadd working sftp support to sshd daemon
0%
Description
A very trivial change is required to have sftp support working. The existing code sftp fails in my ftp client.
Attaching a patch, however this patch is only showing the changes required for sshd_config, the config itself is regenerated every time the system boots up, so the script that generates the config will need patching.
Files
Updated by Jim Pingle about 7 years ago
- Category set to Operating System
- Target version set to 2.4.0
What client does not work?
It looks like the internal method is preferred now, that line in our config hasn't changed in ~12 years so it's probably just there because it's always been there.
Please submit the change suggestion as a github pull request, the line that would need changed is https://github.com/pfsense/pfsense/blame/master/src/etc/sshd#L107
The /etc/sshd script regenerates the sshd_config file so changing the script that generates the file will ensure the change is maintained.
Updated by Chris Collins about 7 years ago
Ok I will submit later today and for the script that generates.
The client is flashfxp.
Updated by Jim Pingle about 7 years ago
- Target version changed from 2.4.0 to Future
Testing that change, it breaks our chroot mechanism, and breaks the ssh tunnel only user, in both cases they get more access than they are supposed to. I don't think this going to be a viable change.
You can keep the patch installed on your system locally but at this time it won't be accepted.
If those concerns can be addressed, it may be possible in the future but it would require much more complex changes to the sshd configuration to accomplish the chroot setup, and I'm not sure if the tunnel user would be viable at all in that scenario.
Updated by Kill Bill about 7 years ago
Yeah, the "internal" SFTP thing was completely broken last time I tried that for #7012 - better not touched.
Updated by Chris Collins about 7 years ago
Well the current system is broken as well. If you can provide an example on how to test ssh tunneling (I dont use ssh tunneling on my pfsense box), then I will see if I can come up with a solution that doesnt break it.
The error flashfxp reports on the stock pfsense configuration is that it is unable to access the sftp binary, so it looks like the core problem is chroot breaks access to it. The fix might be as simple as copying the sftp binary to a location inside the chroot.
Is odd kill bill had the exact opposite problem, for me SCP is fine, but SFTP required this change to get to work. However winscp is way less convenient to use than a ftp client using SFTP.
By the way is there a benefit applying chroot to an account with root privileges? Do people actually use non root accounts on pfsense?
Updated by Jim Pingle about 7 years ago
- Status changed from New to Rejected
The current setup works in every scp/sftp client we typically see. scp, filezilla, winscp, ultraedit, etc.
We can't risk such a large change to fix one broken client. If it was as simple as swapping that line, sure, but doing so breaks others so it's not going to happen.
Figure out why the client is broken and fix the client.
Updated by Chris Collins about 7 years ago
Jim I should clarify the error comes from pfsense SSHD daemon, the client only reports the error sent from the server. I dont know how you determined the client is broken, as I can of course use the same logic then I can login to 100s of servers with flashfxp but not pfsense.
I also tested using the sftp client as part of the openssh package and without my patch it fails. If you dont want to let me fix because Kill Bill doesnt like it then fine :) But its not a client problem.
In which case you should of course state pfsense only supports SSH/SCP but not SFTP.
Updated by Chris Collins about 7 years ago
filezilla not working at all
Response: fzSftp started, protocol_version=5
Command: keyfile "F:\Users\Chris\My Documents\chriskey.ppk"
Command: open "admin@192.168.1.253" 22
Status: Connected to 192.168.1.253
Error: Received unexpected end-of-file from SFTP server
Error: Could not connect to server
Updated by Chris Collins about 7 years ago
ok here is output from pfsense sftp client using the default configuration
root@PFSENSE backup # sftp admin@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:AmZbZZzUCOTznh/L+bcIPIjVJM8UUis/ZkeQTACMZrw.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
Received message too long 1044266528
output using the internal sftp
root@PFSENSE backup # sftp admin@127.0.0.1
Connected to 127.0.0.1.
sftp>
is the pfsense sftp client broken?
So the problem is confirmed with filezilla, sftp binary and flashfxp. If you really do not welcome a fix then I Wont spend more time on this and just keep it patched locally.
Updated by Jim Pingle about 7 years ago
Those all work here. So perhaps it is a configuration issue or a completely different problem. Let's move this to the forum until the exact issue with your setup can be determined.
Either way it's not a problem with the ssh daemon configuration, so the contents of this ticket as-is are incorrect.
Updated by Chris Collins about 7 years ago
Will leave this as it is, and just keep my local system, patched, if you decide you want to look into it, I can work on a better patch that doesnt cause the problems you found.
I believe nothing to be unusual about my local pfsense ssh configuration, I added a ssh key for authentication, disabled password auth and thats it.
Updated by Jim Pingle about 7 years ago
More likely it's related to your account settings / privileges / config but that's all things we should discuss on the forum, since this isn't a discussion/support platform. I wouldn't just leave it as-is and patch away what could be a completely different problem you're hitting.
Updated by Chris Collins about 7 years ago
I had a look and it was missing scp privledges which I added but it had no affect.
Then I found this page
It seems the reason internal-sftp works is because it doesnt check for the presence of the user's shell in passwd and also doesnt process files like the motd and bashrc
The admin account on pfsense has /etc/rc.initial as its shell and this has long output, and its why sftp is failing.
When I made a test account with ssh/scp access I can confirm it works in all clients.
Jim did you test with the admin account with the default /etc/rc.initial?
Also there is already a thread on the forum about this, I can update there as well.
root@PFSENSE ~ # sftp admin@127.0.0.1
Received message too long 1044266528
root@PFSENSE ~ # sftp test@127.0.0.1
Connected to 127.0.0.1.
sftp> quit
quit
root@PFSENSE ~ #
Updated by Jim Pingle about 7 years ago
Admin has never worked for SCP/SFTP and it's been documented that way for years. Always use root or a different account.
https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access#SCP_File_Transfers
Updated by Chris Collins about 7 years ago
ok apologies for wasting time on this