Cannot connect with SFTP plugin using a private key file
Re: Cannot connect with SFTP plugin using a private key file
2ghisler(Author)
Thank you for answering. I've created a new RSA key (SSH-2) using the latest version (0.76) of Puttygen but that didn't help, unfortunately. I've contacted the hosting provider's support and got the following reply:
"The OpenSSH daemon on the server was previously updated, which had deprecated some of the older, no longer secure authentication methods. Some older, deprecated keys or protocols could then fail. For the new key, is that using RSA SHA2 or is that SHA1? If the Total Commander program supports debugging or logging for the connection, are you able to turn that on and send us the output that is showing? I'm unfortunately not familiar with Total Commander but many SSH programs will show the specific ciphers and protocols they are trying to use. If that is requiring older ones, we may be able to re-enable it on the server if needed."
Could you please tell me how to get SFTP's log if possible?
Re: Cannot connect with SFTP plugin using a private key file
2UncleBO
Enable Configuration > Options > FTP > [x] Create a log file. This will also log operations made by WFX (file-system) plugins. However, it might not log anything useful because the connection is not made at all.
Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64
Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
Re: Cannot connect with SFTP plugin using a private key file
2Dalai
I've got the following:
libssh2_userauth_publickey_fromfile: PUBLICKEY_UNRECOGNIZED (18)
Does it mean SFTP cannot read my local public file? Or server-side public file authorized_keys?
Here is my public key:
ssh-rsa AAAA...several lines. Looks OK to me. It was pasted from the puttygen app as suggested in the SFTP plugin's readme.
Re: Cannot connect with SFTP plugin using a private key file
2UncleBO
As far as I was able to determine, this error code might be the same as the one for "authentication failed". Why it fails? No idea so far. Take a look at PuTTY's Event Log after the connection has been established to see which algorithms are being used and perhaps which types of keys the server offers (right-click on its window and then on Event Log). This is what it looks like for one of my systems:
Code: Select all
2021-11-02 18:40:13 Using SSH protocol version 2
2021-11-02 18:40:13 No GSSAPI security context available
2021-11-02 18:40:13 Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (SHA-NI accelerated)
2021-11-02 18:40:13 Server also has ecdsa-sha2-nistp256/rsa-sha2-512/rsa-sha2-256/ssh-rsa host keys, but we don't know any of them
2021-11-02 18:40:13 Host key fingerprint is:
2021-11-02 18:40:13 ssh-ed25519 255 SHA256:<hash_redacted>
2021-11-02 18:40:13 Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
2021-11-02 18:40:13 Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
2021-11-02 18:40:13 Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
2021-11-02 18:40:13 Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
2021-11-02 18:40:13 Reading key file "E:\Eigene Dateien\Linux\Teefax\teefax.ppk"
2021-11-02 18:40:13 Offered public key
2021-11-02 18:40:13 Offer of public key accepted
2021-11-02 18:40:13 Sent public key signature
2021-11-02 18:40:13 Access granted
BTW, the public key file should NOT have multiple lines! TC's Lister might show it as such but I suggest to make sure that it doesn't contain more than one line (and perhaps a linebreak).
Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64
Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
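Added example, not part of the original posts and not the plugin's own code: a check that a public key file is in the OpenSSH one-line form the post above asks for. It goes one step beyond the post by also recognising the multi-line RFC 4716 form that PuTTYgen's "Save public key" button writes; the function and sample names are hypothetical and the sample key is constructed.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def check_pubkey_text(text: str):
    """Return (ok, detail) for the contents of a public key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, "empty file"
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return False, "RFC 4716 multi-line format, not OpenSSH one-line format"
    if len(lines) != 1:
        return False, "more than one non-empty line"
    fields = lines[0].split(None, 2)      # type, base64 blob, optional comment
    if len(fields) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False, "key data is not valid base64"
    # The blob begins with its own copy of the key type as an SSH string.
    if len(blob) < 4:
        return False, "key blob too short"
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n or blob[4:4 + n] != key_type.encode("ascii", "replace"):
        return False, "type prefix does not match the type inside the blob"
    return True, key_type

# Constructed sample input: an all-zero 32-byte "key", not a usable key.
_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
_B64 = base64.b64encode(_BLOB).decode()
ONE_LINE = f"ssh-ed25519 {_B64} constructed-sample\n"
WRAPPED = f"ssh-ed25519 {_B64[:40]}\n{_B64[40:]} constructed-sample\n"
RFC4716 = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
           'Comment: "constructed-sample"\n'
           f"{_B64}\n"
           "---- END SSH2 PUBLIC KEY ----\n")
WRONG_TYPE = f"ssh-rsa {_B64} constructed-sample\n"

if __name__ == "__main__":
    for name in ("ONE_LINE", "WRAPPED", "RFC4716", "WRONG_TYPE"):
        print(name, check_pubkey_text(globals()[name]))
```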
Re: Cannot connect with SFTP plugin using a private key file
2Dalai
Of course it has one line, not multiple, sorry for confusion. Below you can see successful Putty connection log:
Code: Select all
2021-11-03 12:00:24 Looking up host "musiclab.com" for SSH connection
2021-11-03 12:00:24 Connecting to xxx.xx.xx.xx port 22
2021-11-03 12:00:24 We claim version: SSH-2.0-PuTTY_Release_0.76
2021-11-03 12:00:24 Connected to xxx.xx.xx.xx
2021-11-03 12:00:24 Remote version: SSH-2.0-OpenSSH_8.8
2021-11-03 12:00:24 Using SSH protocol version 2
2021-11-03 12:00:24 No GSSAPI security context available
2021-11-03 12:00:24 Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
2021-11-03 12:00:24 Server also has ssh-ed25519/ecdsa-sha2-nistp256 host keys, but we don't know any of them
2021-11-03 12:00:24 Host key fingerprint is:
2021-11-03 12:00:24 ssh-rsa 3072 SHA256:H3zTs9jt/tMA43TTVyEx+rpOZ/4x5rq0t2wW6ZU8H9o
2021-11-03 12:00:24 Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
2021-11-03 12:00:24 Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
2021-11-03 12:00:24 Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
2021-11-03 12:00:24 Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
2021-11-03 12:00:24 Reading key file "C:\Users\boril\Putty\borilov.ppk"
2021-11-03 12:00:25 Offered public key
2021-11-03 12:00:25 Offer of public key accepted
2021-11-03 12:00:33 Sent public key signature
2021-11-03 12:00:33 Access granted
2021-11-03 12:00:33 Opening main session channel
2021-11-03 12:00:33 Remote debug message: /usr/home/musiclabcom/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
2021-11-03 12:00:33 Remote debug message: /usr/home/musiclabcom/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
2021-11-03 12:00:33 Opened main channel
2021-11-03 12:00:33 Allocated pty
2021-11-03 12:00:33 Started a shell/command
Re: Cannot connect with SFTP plugin using a private key file
Got a reply from hosting provider's support:
I see your successful Putty connection in our logs as well. Your logs show that's using the SHA256 key as it should be. Our side of the connection does not log verbose negotiation, so merely shows:
Nov 3 05:00:33.000 xxx.xxx.com sshd[24535]: Accepted publickey for xxx from xxx.xxx.xxx.xxx port 10556 ssh2: RSA SHA256:fo244MLR656jlh/zxGxhmR/l2xZGe04mHNBZ6P8OYYM
I'm not sure if the Total Commander software supports that newer encryption format, but that seems likely to be the issue. You might want to reach back out to the Total Commander developers to let them know you have already regenerated your keys in the modern format, they are functional in other programs (Putty) but you are still having problems with Total Commander. I would ask them if the program supports rsa-sha2-256 encryption methods.
Please advise.
Re: Cannot connect with SFTP plugin using a private key file
It looks like your hosting provider's support is right. Because of their mail and your PuTTY log I did some digging and testing. It's very likely that the following recent change in OpenSSH is responsible for this:
https://www.openssh.com/releasenotes.html
Code: Select all
OpenSSH 8.8/8.8p1 (2021-09-26)
[...]
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination host:
Host old-host
    HostkeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
Just tested the following on the same host as previously:
- Connected via SFTP plugin to it, successfully
- Added the following option to /etc/ssh/sshd_config to disable ssh-rsa algorithms like it's the default in the latest OpenSSH release. (Since this is an older release of OpenSSH server, it doesn't know the keyword PubkeyAcceptedAlgorithms as mentioned on the OpenSSH site.)
Code: Select all
PubkeyAcceptedKeyTypes -ssh-rsa
- Restarted SSH server
- Tried to connect again via SFTP plugin, unsuccessfully. I just got this error message
Code: Select all
---------------------------
SFTP Error
---------------------------
Fehler: Authentifizierung via Benutzerzertifikat fehlgeschlagen!
---------------------------
OK
---------------------------
which roughly means "authentication via user certificate failed". The /var/log/auth.log on the server contains this line
Code: Select all
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
@Ghisler:
Speaking of which, it looks like the plugin needs to be updated once again to support this change/algorithm, if it doesn't already do so via some INI option.
Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64
Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
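Added example, not part of the original posts: a triage script for the server side that finds sessions rejected with the auth.log line quoted above and names the affected user and address. The log lines are constructed; the second rejection wording ("signature algorithm ... PubkeyAcceptedAlgorithms") and the session-end line format are assumptions about what a given sshd version writes, and all names are hypothetical.

```python
import re
from collections import Counter

# The post's older server logs "key type ... PubkeyAcceptedKeyTypes"; the
# alternative wording covers servers using the PubkeyAcceptedAlgorithms keyword.
REJECT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: userauth_pubkey: (?:key type|signature algorithm) "
    r"(?P<alg>\S+) not in PubkeyAccepted(?:KeyTypes|Algorithms)")
# The rejection line has no user or address; take them from the line the same
# sshd process (same pid) writes when the session ends.
CLOSED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Connection closed by|Disconnected from) "
    r"authenticating user (?P<user>\S+) (?P<ip>\S+) port \d+")
# In "RSA SHA256:...", RSA is the key type and SHA256: is the key fingerprint;
# the line does not record which signature algorithm the client used.
ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<ktype>\S+) SHA256:\S+")

def triage(lines):
    """Return (rejected, accepted); rejected maps (user, ip, alg) -> count."""
    pending = {}          # sshd pid -> algorithms rejected in that session
    rejected = Counter()
    accepted = []
    for line in lines:
        if m := REJECT.search(line):
            pending.setdefault(m["pid"], set()).add(m["alg"])
        elif m := CLOSED.search(line):
            for alg in sorted(pending.pop(m["pid"], ())):
                rejected[(m["user"], m["ip"], alg)] += 1
        elif m := ACCEPT.search(line):
            accepted.append((m["user"], m["ip"], m["ktype"]))
    return rejected, accepted

# Constructed sample log (documentation addresses, placeholder fingerprints).
SAMPLE_LOG = """\
Nov  3 05:00:12 host sshd[24501]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedKeyTypes [preauth]
Nov  3 05:00:12 host sshd[24501]: Connection closed by authenticating user alice 192.0.2.10 port 50122 [preauth]
Nov  3 05:00:33 host sshd[24535]: Accepted publickey for alice from 192.0.2.10 port 10556 ssh2: RSA SHA256:CONSTRUCTED1
Nov  3 05:01:02 host sshd[24602]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Nov  3 05:01:02 host sshd[24602]: Disconnected from authenticating user bob 198.51.100.7 port 40100 [preauth]
Nov  3 05:02:00 host sshd[24700]: Accepted publickey for carol from 203.0.113.5 port 2222 ssh2: ED25519 SHA256:CONSTRUCTED2
""".splitlines()

if __name__ == "__main__":
    rejected, accepted = triage(SAMPLE_LOG)
    for (user, ip, alg), n in sorted(rejected.items()):
        print(f"{user}@{ip}: {n} session(s) rejected, client offered {alg}")
    for user, ip, ktype in accepted:
        print(f"{user}@{ip}: accepted with {ktype} key")
```

A user who shows up in both lists, like alice in the sample, matches the situation in this thread: the same RSA key is accepted from one client and rejected from another that only signs with ssh-rsa.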
Re: Cannot connect with SFTP plugin using a private key file
I used to have a similar problem. SFTP plugin worked fine for me till one nice day it stopped working. As I found later, it was related to some Windows update. To bring it back to working state all I needed to do was to download the new version of ssh libraries (libssh2.dll) that are not part of plugin but need to be in the same dir as plugin.
- ghisler(Author)
Re: Cannot connect with SFTP plugin using a private key file
Have you tried to create an ssh-ed25519 key instead? My SFTP plugin prefers this elliptic curve method when it's available.
Author of Total Commander
https://www.ghisler.com
Re: Cannot connect with SFTP plugin using a private key file
2ghisler(Author)
I've created ssh-ed25519 key instead and it works with my server. Thank you.
Re: Cannot connect with SFTP plugin using a private key file
In the help file to the sftp plugin it says:
You can now store the key in Putty's pageant.exe tool.
Pageant can be launched when needed by putting a link
in the plugin directory named pageant.lnk pointing to
c:\PathToPutty\pageant.exe cert_file_name
Does this mean I can point to a .ppk file?
I tried to follow the description, but trying to connect I get:
"Connection broken, Connect again?"
And pressing the Yes-button, I get "Not connected".
I also created the .pub and .pem files with same result.
Where should I put these two files?
- ghisler(Author)
Re: Cannot connect with SFTP plugin using a private key file
"Does this mean I can point to a .ppk file?"
You are mixing up two different things:
1. If you use Pageant, leave the public/private key fields empty. You will have to add your key to Pageant and make sure it is running. You can use the pageant.lnk file to launch Pageant from the plugin, but this is only needed when Pageant isn't started with the system.
OR
2. If you don't use Pageant, you need to provide the public/private keys in OpenSSH format. You can find a description on how to convert a ppk key to the required format by clicking on the "?" button behind the "Public key file" header in the connection settings (Alt+Enter on connection name).
Author of Total Commander
https://www.ghisler.com
Re: Cannot connect with SFTP plugin using a private key file
Thank you for your answer.
1. I think this is what I did.
I created a folder for Pageant.exe and referred to it in the pageant.lnk:
c:\Totalcmd\Plugins\Pageant\pageant.exe cert_file_name ***.ppk
2. I used the description in the sftp-readme file to create the public and private key-files.
After installing the sftp-plugin I get the same window for setting up an ftp-connection as before - and so I have no Public key file header. Should I get a special sftp-setup? And if so, how do I get it?
Sorry - I now realize I have to use net-connection - I will try that.
Re: Cannot connect with SFTP plugin using a private key file
OK - so far so good. I now get a request for a private key passphrase. What is that?
Edit: OK - so I guess that is my own password for the connection.
Having set that, I still cannot connect. Working on it

Re: Cannot connect with SFTP plugin using a private key file
I now got this far:
If I start Pageant and add the ppk-key, I can connect to server.
But if I shut down Pageant and use the method with pageant.lnk I can not connect.
My pageant.lnk (which is placed in the Plugins-folder) looks like this:
c:\totalcmd\plugins\pageant\pageant.exe xxx.ppk
And the path is right. I also tried to put the full path to the ppk-file (which shares folder with pageant.exe), with no success.
I would really prefer not to have to start pageant.exe separately and add the ppk-file to connect.
What is my error here?
Edit:
A .cmd-file with this content starts Pageant with the code file loaded, and connection works:
start c:\totalcmd\plugins\pageant\pageant.exe c:\totalcmd\plugins\pageant\xxx.ppk
exit
But if I put this content in the pageant.lnk file (located in Plugins-folder), I do not get a connection.
c:\totalcmd\plugins\pageant\pageant.exe c:\totalcmd\plugins\pageant\xxx.ppk
On the contrary I get a popup which suggests I make a pageant.lnk file
So the plugin obviously does not recognize the .lnk-file.
I don't quite get it.