mithunbh has asked for the wisdom of the Perl Monks concerning the following question:

So we have a huge setup of SFTP connections and their configurations and now we are encountering situations where we have to tune the Preferred Authentication. Since the basis of Net::SFTP::Foreign was supposed be to piggy back on the underlying ssh libraries we naively assuming ~/.ssh/config would be fully honored except that the module has chosen to explicitly override Preferred Authentication.

Does anyone have suggestions what can be done to stop the module from overriding it other than explicitly forking off from the package ?

  • Comment on Preferred authentication in Net::SFTP::Foreign

Replies are listed 'Best First'.
Re: Preferred authentication in Net::SFTP::Foreign
by salva (Canon) on Feb 09, 2016 at 09:23 UTC
    Net::SFTP::Foreign does not override the value for PreferredAuthentications unless you explicitly pass a password or a key.

    The underlaying problem is that the module knows very little about how ssh would handle authentication and so for those specific two cases it sets PreferredAuthentications in order to have a more predictable process.

    Could you give us a more elaborated description of your particular cases?

[reply]
[d/l]
[select]
      The scenario we are trying to handle is where the public key is used for authentication followed by password. This is handled correctly by SFTP without any special commands or configuration.

      Our .ssh/config also has PreferredAuthentication correctly set. This is becoming a very common setup in the Financial domain and I have also seen older posts on perlmonk where people have requested this to work automatically.

      My only issue is that there is no control over PreferredAuthentication in a generic way - I can't turn off the autodetection and I can't see any benefit in the autodetection either. Could you please share what exactly was being addressed by the override - the ssh library does honor .ssh/config so why would we be forced to pass the PreferredAuthentication if sftp doesn't need it by default ?
[reply]
        This is handled correctly by SFTP without any special commands or configuration.
        Yes, except for the case where you want the password passed automatically, right?
        Could you please share what exactly was being addressed by the override

        As I toll you in my previous post, PreferredAuthentications is overriden in order to have a more controlled authentication process. Once ssh is launched there is no generic, reliable way to detect that authentication has succeeded and that the SFTP protocol can go on.

        For instance, one case that we have to handle is when the user wants to perform password authentication but for some reason it has also a proper authorized key. With the default PreferredAuthentication, ssh authenticates using the key and never goes to request the password, while Net::SFTP::Foreign hangs there waiting for the password prompt to appear.

        For your particular case, if you just use a convenient value for PreferredAuthentication, doesn't it work? For instance: 

        my $sftp = Net::SFTP::Foreign->new($host,
                                   user => $user, password => $passwor
+d,
                                   more => [-o => 'PreferredAuthentica
+tion=publickey,password']);

        [download]

        In any case, note that if you pass a password to the constructor it will wait for the password prompt to appear, and if it authenticates by other method it will hang there until the timeout expires and then it will close the connection and return an error.

        If what you need is optional password authentication, it is better to go looking into my other module Net::OpenSSH (which can be used with Net::SFTP::Foreign). It doesn't support that feature yet, but it could be done reliably there.

[reply]
[d/l]
[select]
        $ sftp -v -oPort=xxxx xxxxxx@sft.statestreet.com
Connecting to sft.statestreet.com...
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /xxx/.ssh/config
debug1: Applying options for sft.statestreet.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to sft.statestreet.com [192.250.167.3] port xxxx.
debug1: Connection established.
debug1: identity file /xxx/.ssh/id_rsa type 1
debug1: identity file /xxx/.ssh/id_dsa type 2
debug1: loaded 2 keys
debug1: Remote protocol version 2.0, remote software version SSHD
debug1: no match: SSHD
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sft.statestreet.com' is known and matches the RSA host k
+ey.
debug1: Found key in /xxx/.ssh/known_hosts:173
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
***ATTENTION!! ATTENTION!! ATTENTION!!*** We recommend that all client
+s use the most reliable and secure client software. You should work w
+ith your client relationship contact as soon as possible if you are c
+urrently using: 1. All versions of FDX client for all operating syste
+ms 2. All versions of Tumbleweed ST Client (4.1.2, 4.2, 4.5.x) Reques
+ts to replace this with supported Axway SecureClient software version
+ 6.1 can be generated by your client relationship contact, and the IB
+M Data Transport team can work with you to ensure a correct install i
+s in place. Documentation for the new software will be provided with 
+install packages. ***ATTENTION!! ATTENTION!! ATTENTION!!***
debug1: Authentications that can continue: password,publickey,keyboard
+-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /xxx/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
Authenticated with partial success.
debug1: Authentications that can continue: password,publickey,keyboard
+-interactive
debug1: Offering public key: /xxx/.ssh/id_dsa
debug1: Authentications that can continue: password,publickey,keyboard
+-interactive
debug1: Next authentication method: keyboard-interactive
Password Authentication
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_ALL = C
debug1: Sending subsystem: sftp

        [download]
[reply]
[d/l]
Re: Preferred authentication in Net::SFTP::Foreign
by Corion (Patriarch) on Feb 08, 2016 at 22:16 UTC

    Searching for "Preferred" in Net::SFTP::Foreign yields an example where you can explicitly supply that option. Or maybe I'm misunderstanding where your problem is. Do you want to specify all options in ~/.ssh/config? From a quick reading of Net::SFTP::Foreign::Backend::Unix, it should pass through all PreferredAuthentications through, but if you need per-host variations, you'll have to solve that on the Perl side maybe.

[reply]
[d/l]
[select]
      And that is where my problem is - if I have to configure PreferredAuthentication I would do it in .ssh/config which will be honored by SSH/SFTP and everyone else.

      Unfortunately Net::SFTP::Foreign has chosen to override PreferredAuthentication and tried to do some sort of autodetection where none is really required.

      I am really considering just forking off Net::SFTP::Foreign::Backend::Unix and purge that craziness :)
[reply]

Back to Seekers of Perl Wisdom