mritty has asked for the wisdom of the Perl Monks concerning the following question:

I am trying to establish an SFTP connection to a remote server, using SSH keys rather than password authentication. From the command line, this works fine:

$ sftp user@[ipaddress]
Connecting to [ipaddress]...
sftp> ls
[dir1] [dir2]
sftp> bye

However, when I try to use either Net::SFTP or Net::SFTP::Foreign, it doesn't seem to be using the SSH keys at all, and is instead failing due to trying to use a password.

Net::SFTP:

my $sftp = Net::SFTP->new('[ipaddress]', user => 'user', password => '', debug => 1, ssh_args => { });

With the debugging turned on, here's what I get:

Reading configuration data /scripts//.ssh/config
Reading configuration data /etc/ssh_config
Connecting to [ipaddress], port 22.
Remote protocol version 2.0, remote software version SSHD
Math::BigInt: couldn't load specified math lib(s), fallback to Math::BigInt::Calc at /usr/lib/perl5/site_perl/5.8.8/Crypt/DH.pm line 6
Net::SSH::Perl Version 1.34, protocol version 2.0.
No compat match: SSHD
Connection established.
Sent key-exchange init (KEXINIT), wait response.
Algorithms, c->s: 3des-cbc hmac-sha1 none
Algorithms, s->c: 3des-cbc hmac-sha1 none
Entering Diffie-Hellman Group 1 key exchange.
Sent DH public key, waiting for reply.
Received host key, type 'ssh-rsa'.
Host '[ipaddress]' is known and matches the host key.
Computing shared secret key.
Verifying server signature.
Waiting for NEWKEYS message.
Send NEWKEYS.
Enabling encryption/MAC/compression.
Sending request for user-authentication service.
Service accepted: ssh-userauth.
Trying empty user-authentication request.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Trying password authentication.
Will not query passphrase in batch mode.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Trying password authentication.
Will not query passphrase in batch mode.
Authentication methods that can continue: password,publickey,keyboard-interactive.
Next method to try is password.
Trying password authentication.
Will not query passphrase in batch mode.
Received disconnect message: Too many bad authentication attempts! at /usr/lib/perl5/site_perl/5.8.8/Net/SSH/Perl/AuthMgr.pm line 143

And with Net::SFTP::Foreign

my $sftp = Net::SFTP::Foreign->new('[ipaddress]', user => 'user', port => 22, password => '',  more => [ '-v' ] );

The debugging output this time is:

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /scripts//.ssh/config
debug1: Applying options for [ipaddress]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [ipaddress] [[ipaddress]] port 22.
debug1: Connection established.
debug1: identity file /scripts/.ssh/hl_xfer type 1
debug1: loaded 1 keys
debug1: Remote protocol version 2.0, remote software version SSHD
debug1: no match: SSHD
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[ipaddress]' is known and matches the RSA host key.
debug1: Found key in /scripts/.ssh/known_hosts2:58
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password Authentication
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: password

At that point, it hangs and I eventually kill it.

If anyone has any clues or insights as to how to repair this, or where it's going wrong, I would be most appreciative.

Replies are listed 'Best First'.
Re: passwordless SFTP works from cmd line, not from modules
by salva (Canon) on Jun 20, 2014 at 21:31 UTC
    Start the sftp session from the command line with the flag -v and look for differences (and also post it here!).

    update: On the Net::SFTP::Foreign you are actually passing a password (even if it is the empty one). That makes the module force password authentication!
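
An added example, not part of the thread or of either module: a small Perl script that reduces an OpenSSH `-v` trace to the identity files loaded, the methods the server offered and the methods the client actually tried, which is the comparison suggested in the reply above. The helper name `summarise_auth` is hypothetical, and the sample input is constructed from the authentication lines of the trace in the question.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# summarise_auth (hypothetical helper): reduce an OpenSSH "-v" trace to the
# identity files loaded, the methods the server offered, the methods the
# client attempted (in order), and any mismatch worth investigating.
sub summarise_auth {
    my ($log) = @_;
    my ( @identities, %offered, @tried );
    for my $line ( split /\n/, $log ) {
        if ( $line =~ /^debug1: identity file (\S+) type (-?\d+)/ ) {
            push @identities, $1 if $2 >= 0;    # type -1: key could not be loaded
        }
        elsif ( $line =~ /^debug1: Authentications that can continue: (\S+)/ ) {
            $offered{$_} = 1 for split /,/, $1;
        }
        elsif ( $line =~ /^debug1: Next authentication method: (\S+)/ ) {
            push @tried, $1;
        }
    }
    my %was_tried;
    $was_tried{$_} = 1 for @tried;
    my @findings;
    if ( $offered{publickey} && !$was_tried{publickey} ) {
        my $msg = @identities
          ? 'key loaded and publickey offered, but the client never attempted it'
          : 'publickey offered, but no usable identity file was loaded';
        push @findings, $msg;
    }
    return {
        identities => \@identities,
        offered    => [ sort keys %offered ],
        tried      => \@tried,
        findings   => \@findings,
    };
}

# Constructed sample: the authentication-relevant lines of the question's trace.
my $sample = <<'END';
debug1: identity file /scripts/.ssh/hl_xfer type 1
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password Authentication
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: password
END

my $r = summarise_auth($sample);
print "identities: @{ $r->{identities} }\n";
print "offered:    @{ $r->{offered} }\n";
print "tried:      @{ $r->{tried} }\n";
print "finding:    $_\n" for @{ $r->{findings} };
```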

Re: passwordless SFTP works from cmd line, not from modules
by Mr. Muskrat (Canon) on Jun 20, 2014 at 20:36 UTC

    Your mileage may vary but here's how I do it with Net::SFTP::Foreign:

    #!/bin/env perl
    use strict;
    use warnings;
    use Net::SFTP::Foreign ();

    my ( $host, $user, $timeout ) = ( '<host>', '<user>', 30 );    # typically from a subroutine call
    my $sftp = Net::SFTP::Foreign->new(
        host    => $host,
        user    => $user,
        timeout => $timeout,
        more    => [
            -i => "/some/path/to/$user/.ssh/id_dsa",    # the path to your key file
            -o => 'PreferredAuthentications=publickey',
            '-v',
        ],
    );