Bug 2999 - Sftp login failed by sftp user@[ip] in openssh 7.9
Summary: Sftp login failed by sftp user@[ip] in openssh 7.9
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sftp (show other bugs)
Version: 7.9p1
Hardware: ix86 Linux
: P5 major
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_8_1
  Show dependency treegraph
 
Reported: 2019-04-26 16:15 AEST by guo chuang
Modified: 2020-02-14 15:59 AEDT (History)
3 users (show)

See Also:


Attachments
Check for user@host when parsing sftp target. (848 bytes, patch)
2019-04-29 09:11 AEST, Darren Tucker
djm: ok+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description guo chuang 2019-04-26 16:15:01 AEST
Sftp login failed by sftp user@[ip] in openssh 7.9. 
for example, sftp root@[127.0.0.1]
Comment 1 guo chuang 2019-04-28 13:13:17 AEST
Logging in to a host with an ipv6 address has the same problem。for example,sftp root@[2000:188:188:188::180]
Comment 2 Darren Tucker 2019-04-28 13:21:23 AEST
What options did you give to configure?  Can you provide some more information about the platform?  Linux/x86 covers a lot of ground.

Please attach (via "add an attachment") both the server-side debug log and the client debug log.  You can create this by running "/path/to/sshd -p222 -ddde" on the server and adding "-oPort=222 -vvv" to the sftp command line.
Comment 3 guo chuang 2019-04-28 16:18:14 AEST
platform information:
3.10.0-693.21.1.el7.x86_64 #1 SMP Thu Apr 18 19:26:34 CST 2019 x86_64 x86_64 x86_64 GNU/Linux

client output:
[root@localhost ~]# sftp -oPort=222 -vvv root@[127.0.0.1]
OpenSSH_7.9p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 53: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 2: include /etc/crypto-policies/back-ends/openssh.config matched no files
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug2: resolving "[127.0.0.1]" port 222
/etc/host.conf: line 1: bad command `nospoof on'
ssh: Could not resolve hostname [127.0.0.1]: Name or service not known
Connection closed.
Connection closed

server output:
[root@localhost ~]# /usr/sbin/sshd -p222 -ddde
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 1237
debug2: parse_server_config: config /etc/ssh/sshd_config len 1237
debug3: /etc/ssh/sshd_config:22 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:23 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: /etc/ssh/sshd_config:24 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: /etc/ssh/sshd_config:40 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:46 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:55 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:63 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:68 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:72 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:73 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:77 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:87 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:88 setting GSSAPICleanupCredentials no
debug3: /etc/ssh/sshd_config:104 setting UsePAM yes
debug3: /etc/ssh/sshd_config:115 setting PrintMotd no
debug3: /etc/ssh/sshd_config:135 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:136 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:137 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:138 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:141 setting Subsystem sftp    /usr/libexec/openssh/sftp-server
debug3: /etc/ssh/sshd_config:149 setting Ciphers aes128-ctr,aes192-ctr,aes256-ctr
debug3: /etc/ssh/sshd_config:150 setting Protocol 2
debug2: /etc/ssh/sshd_config line 150: Deprecated option Protocol
debug3: /etc/ssh/sshd_config:151 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:152 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:153 setting MaxAuthTries 4
debug3: /etc/ssh/sshd_config:154 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:155 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:156 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:157 setting PermitUserEnvironment no
debug3: /etc/ssh/sshd_config:158 setting ClientAliveInterval 300
debug3: /etc/ssh/sshd_config:159 setting ClientAliveCountMax 0
debug3: /etc/ssh/sshd_config:160 setting LoginGraceTime 60
debug3: /etc/ssh/sshd_config:161 setting Banner /etc/issue.net
debug3: /etc/ssh/sshd_config:162 setting KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
debug3: kex names ok: [curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521]
debug1: sshd version OpenSSH_7.9, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: private host key #0: ssh-rsa SHA256:JNXgm/Hu3ggGJt7D36qlpfTnviRDrvFyY91fgUdFCDQ
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:gOJ3z2IFidxCFIROUfil58OBUa0f/6TTrsNTmu7blG4
debug1: private host key #2: ssh-ed25519 SHA256:H5tKtOabvsEjiVLCEpmrRhTk0U5Njpxz86OUff4MX20
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p222'
debug1: rexec_argv[2]='-ddde'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 222 on ::.
Server listening on :: port 222.
Comment 4 Darren Tucker 2019-04-28 17:01:45 AEST
(In reply to guo chuang from comment #3)
[...]
> debug2: resolving "[127.0.0.1]" port 222
> /etc/host.conf: line 1: bad command `nospoof on'
> ssh: Could not resolve hostname [127.0.0.1]: Name or service not known
> Connection closed.

Looks like you have the client's resolver misconfigured.  The debug shows the server never receives a connection.
Comment 5 guo chuang 2019-04-28 17:21:33 AEST
First of all, I also think that it has nothing to do with the server. I think it should be that the sftp client code cannot filter the character "[]" of the string in [ip], which prevents the correct IP from being used to establish the connection.
  In addition, using the sftp client of openssh 7.6 in the same environment is normal, so I suspect that the processing of the sftp client is problematic.
Comment 6 Darren Tucker 2019-04-28 18:43:26 AEST
ah, ok, I didn't get that it was specifically about the square brackets.  I can reproduce locally, I'll take a look.
Comment 7 Darren Tucker 2019-04-28 19:22:04 AEST
I bisected it and it stopped working at:

887669ef032d63cf07f53cada216fa8a0c9a7d72 is the first bad commit
commit 887669ef032d63cf07f53cada216fa8a0c9a7d72
Author: millert@openbsd.org <millert@openbsd.org>
Date:   Sat Oct 21 23:06:24 2017 +0000

    upstream commit
    
    Add URI support to ssh, sftp and scp.  For example
    ssh://user@host or sftp://user@host/path.  The connection parameters
    described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since
    the ssh fingerprint format in the draft uses md5 with no way to specify the
    hash function type.  OK djm@
    
    Upstream-ID: 4ba3768b662d6722de59e6ecb00abf2d4bf9cacc
Comment 8 Darren Tucker 2019-04-29 08:00:15 AEST
I think I see what happened. sftp's command line parsing does this:

if (parse_user_host_path(*argv, &user, &host,
    &file1) == -1) {
	/* Treat as a plain hostname. */
	host = xstrdup(*argv);
	host = cleanhostname(host);
}

cleanhostname() removes the square brackets by looking at the first and last characters, but in your example it'll get the username too and so do nothing.
Comment 9 Darren Tucker 2019-04-29 09:11:45 AEST
Created attachment 3273 [details]
Check for user@host when parsing sftp target.

Please try this patch, which should fix it.  It's against -current, but should apply to 7.9p1.
Comment 10 guo chuang 2019-04-29 16:33:04 AEST
 In fact, I also tried to fix it before, the patch is as follows:


 int in, out, ch, err, tmp, port = -1;
-       char *host = NULL, *user, *cp, *file2 = NULL;
+       char *host = NULL, *user, *userhost, *cp, *file2 = NULL;
        int debug_level = 0, sshver = 2;
        char *file1 = NULL, *sftp_server = NULL;
        char *ssh_program = _PATH_SSH_PROGRAM, *sftp_direct = NULL;
@@ -2496,8 +2496,24 @@
                default:
                        if (parse_user_host_path(*argv, &user, &host,
                            &file1) == -1) {
+
                                /* Treat as a plain hostname. */
-                               host = xstrdup(*argv);
+                               userhost = xstrdup(*argv);
+                               if ((host = strrchr(userhost, '@')) == NULL)
+                                    host = userhost;
+                                 else {
+                                    *host++ = '\0';
+                                    if (!userhost[0]) {
+                                        fprintf(stderr, "Missing username\n");
+                                        usage();
+
+                                       }
+
+                                     //because *host++='\0',so then userhost str include username.
+                                    user=userhost;
+
+                                }


The above patch self-test is ok  。
+
                                host = cleanhostname(host);
                        }
                        break;
Comment 11 Jakub Jelen 2019-04-29 18:38:15 AEST
See also:

https://bugzilla.mindrot.org/show_bug.cgi?id=2899
Comment 12 guo chuang 2019-04-29 19:03:49 AEST
(In reply to Jakub Jelen from comment #11)
> See also:
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=2899

I think it should have nothing to do with this bug. This patch has been incorporated in openssh 7.9, and this patch only affects scp.
Comment 13 guo chuang 2019-04-29 19:41:02 AEST
(In reply to Darren Tucker from comment #9)
> Created attachment 3273 [details]
> Check for user@host when parsing sftp target.
> 
> Please try this patch, which should fix it.  It's against -current,
> but should apply to 7.9p1.


1. I tried this patch and the problem still exists. Have you ever tested before?
2. I think this patch does not seem to handle the square brackets in [ip].

3. Also, I have submitted a patch to github. The patch link is as follows:
   Https://github.com/guochuang2008/opensshportable/commit/a5642196dcf5067d91dabaa03e0bc6cb90118be4


4. Trouble with time to help review the patch I submitted.

 thank you!
Comment 14 Darren Tucker 2019-04-29 20:48:29 AEST
(In reply to guo chuang from comment #13)
[...]
> 1. I tried this patch and the problem still exists.

Did you run the newly patched binary?

> Have you ever tested before?

Yes, built against -current.  Just retested it with 7.9p1 and it also seems to work for me:

$ ./sftp root@[127.0.0.1]
ssh: Could not resolve hostname [127.0.0.1]: Name or service not known
Connection closed.  
Connection closed
$ patch -p0 <~/tmp/sftp-host-squarebracket.patch 
patching file sftp.c
$ make
[...]
$ ./sftp root@[127.0.0.1]
Connected to 127.0.0.1.

Do you have a different test case?
Comment 15 guo chuang 2019-04-30 11:52:32 AEST
1. First of all, please help me to confirm that the patch I am joining is correct. The patch is as follows:
diff -aruN openssh-7.9p1-org/sftp.c openssh-7.9p1/sftp.c
--- openssh-7.9p1-org/sftp.c    2019-04-29 14:35:19.097608142 +0800
+++ openssh-7.9p1/sftp.c        2019-04-29 14:57:42.013557705 +0800
@@ -2495,11 +2495,16 @@
                        break;
                default:
                        if (parse_user_host_path(*argv, &user, &host,
-                           &file1) == -1) {
-                               /* Treat as a plain hostname. */
-                               host = xstrdup(*argv);
-                               host = cleanhostname(host);
-                       }
+                           &file1) == 0)
+                              break;
+
+                       if (parse_user_host_path(*argv, &user, &host,NULL)
+                           == 0)
+                                break;
+
+                       /* Treat as a plain hostname. */
+                       host = xstrdup(*argv);
+                       host = cleanhostname(host);
                        break;
                }
                file2 = *(argv + 1);

2.If the above patch does not have a join problem, the binary I used should be correct. Because I used gdb to debug the sftp code, the patch code has been reflected in the new binary. The specific debugging information is as follows:
(gdb) list 2497
2492                    case 0:
2493                            if (tmp != -1)
2494                                    port = tmp;
2495                            break;
2496                    default:
2497                            if (parse_user_host_path(*argv, &user, &host,
2498                                &file1) == 0)
2499                                   break;
2500
2501                            if (parse_user_host_path(*argv, &user, &host,NULL)
(gdb) list 2500
2495                            break;
2496                    default:
2497                            if (parse_user_host_path(*argv, &user, &host,
2498                                &file1) == 0)
2499                                   break;
2500
2501                            if (parse_user_host_path(*argv, &user, &host,NULL)
2502                                == 0)
2503                                    break;
2504
(gdb) n
2506                            host = xstrdup(*argv);
(gdb) n
2507                            host = cleanhostname(host);
(gdb) n
2512                    if (!*host) {
(gdb) n
2510                    file2 = *(argv + 1);
(gdb) n
2512                    if (!*host) {
Comment 16 guo chuang 2019-04-30 12:32:38 AEST
(In reply to Darren Tucker from comment #14)
> (In reply to guo chuang from comment #13)
> [...]
> > 1. I tried this patch and the problem still exists.
> 
> Did you run the newly patched binary?
> 
> > Have you ever tested before?
> 
> Yes, built against -current.  Just retested it with 7.9p1 and it
> also seems to work for me:
> 
> $ ./sftp root@[127.0.0.1]
> ssh: Could not resolve hostname [127.0.0.1]: Name or service not
> known
> Connection closed.  
> Connection closed
> $ patch -p0 <~/tmp/sftp-host-squarebracket.patch 
> patching file sftp.c
> $ make
> [...]
> $ ./sftp root@[127.0.0.1]
> Connected to 127.0.0.1.
> 
> Do you have a different test case?


1. First of all, please help me to confirm that the patch I am joining is correct. The patch is as follows:
diff -aruN openssh-7.9p1-org/sftp.c openssh-7.9p1/sftp.c
--- openssh-7.9p1-org/sftp.c    2019-04-29 14:35:19.097608142 +0800
+++ openssh-7.9p1/sftp.c        2019-04-29 14:57:42.013557705 +0800
@@ -2495,11 +2495,16 @@
                        break;
                default:
                        if (parse_user_host_path(*argv, &user, &host,
-                           &file1) == -1) {
-                               /* Treat as a plain hostname. */
-                               host = xstrdup(*argv);
-                               host = cleanhostname(host);
-                       }
+                           &file1) == 0)
+                              break;
+
+                       if (parse_user_host_path(*argv, &user, &host,NULL)
+                           == 0)
+                                break;
+
+                       /* Treat as a plain hostname. */
+                       host = xstrdup(*argv);
+                       host = cleanhostname(host);
                        break;
                }
                file2 = *(argv + 1);

2.If the above patch does not have a join problem, the binary I used should be correct. Because I used gdb to debug the sftp code, the patch code has been reflected in the new binary. The specific debugging information is as follows:
(gdb) list 2497
2492                    case 0:
2493                            if (tmp != -1)
2494                                    port = tmp;
2495                            break;
2496                    default:
2497                            if (parse_user_host_path(*argv, &user, &host,
2498                                &file1) == 0)
2499                                   break;
2500
2501                            if (parse_user_host_path(*argv, &user, &host,NULL)
(gdb) list 2500
2495                            break;
2496                    default:
2497                            if (parse_user_host_path(*argv, &user, &host,
2498                                &file1) == 0)
2499                                   break;
2500
2501                            if (parse_user_host_path(*argv, &user, &host,NULL)
2502                                == 0)
2503                                    break;
2504
(gdb) n
2506                            host = xstrdup(*argv);
(gdb) n
2507                            host = cleanhostname(host);
(gdb) n
2512                    if (!*host) {
(gdb) n
2510                    file2 = *(argv + 1);
(gdb) n
2512                    if (!*host) {

3. my test case is as follows:
sftp root@[127.0.0.1]
Comment 17 Darren Tucker 2019-05-03 14:06:10 AEST
Yeah that's it.  I don't understand why you're seeing different results to what I am :-(

$ git checkout V_7_9_P1
HEAD is now at aede1c34 Require OpenSSL 1.1.x series 1.1.0g or greater
$ git status
HEAD detached at V_7_9_P1
nothing to commit, working tree clean
$ lynx -source 'https://bugzilla.mindrot.org/attachment.cgi?id=3273' | patch -p0
patching file sftp.c
Hunk #1 succeeded at 2494 (offset 16 lines)
$ autoreconf && ./configure && make -j4 && sudo make install
[...]
$ ./sftp -v root@[127.0.0.1]
OpenSSH_7.9p1, OpenSSL 1.1.0g  2 Nov 2017
[...]
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
[...]
root@127.0.0.1's password:
Comment 18 Damien Miller 2019-08-09 15:10:14 AEST
Looking at your gdb output, it appears that you have hand-applied the patch and not removed the lines that were supposed to be deleted:

> -         if (parse_user_host_path(*argv, &user, &host,
> -             &file1) == -1) {

is supposed to be gone, but your gdb output includes it:

> (gdb) list 2500
> 2495                            break;
> 2496                    default:
> 2497                            if (parse_user_host_path(*argv, &user, &host,
> 2498                                &file1) == 0)

I think this is why it isn't working for you.
Comment 19 Damien Miller 2019-08-09 15:17:54 AEST
Darren's patch was committed in June and will be included in OpenSSH 8.1, due soon.
Comment 20 Damien Miller 2020-02-14 15:59:21 AEDT
Closing all resolved bug with release of openssh-8.2