SFTP: Device does not mount

[DezValT1r]

⚠️ Please Read ⚠️

Summary: The Android App uses a deprecated ssh-rsa host key (upstream issue)

Workaround: Add an exception to ssh_config (instructions)

Describe the bug

Android devices can not be mounted or browsed via SFTP.

Steps To Reproduce:

Try to mount an Android device using the menu item.

Expected behavior

Device should mount and open in Nautilus.

Support Log

ноя 09 21:21:08 gjs[5495]: JS ERROR: SM-A415F: Gio.IOErrorEnum: Сбой подключения _handleMount/</<@/home/dez/.local/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/plugins/sftp.js:253:38 @/home/dez/.local/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js:727:17 ноя 09 21:21:08 org.gnome.Shell.Extensions.GSConnect[5495]: [/service/device.js:sendPacket:446]: SM-A415F: { "id": 1636482068837, "type": "kdeconnect.sftp.request", "body": { "startBrowsing": true } } ноя 09 21:21:08 org.gnome.Shell.Extensions.GSConnect[5495]: [/service/device.js:_readLoop:338]: SM-A415F: { "id": 1636482067836, "type": "kdeconnect.sftp", "body": { "ip": "192.168.1.2", "port": 1741, "user": "kdeconnect", "password": "hc1FPbfO0dQ2OwDiUVEb06C3R0jx", "path": "/", "multiPaths": [ "/primary" ], "pathNames": [ "primary" ] } } ноя 09 21:21:09 gjs[5495]: JS ERROR: SM-A415F: Gio.IOErrorEnum: Сбой подключения _handleMount/</<@/home/dez/.local/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/plugins/sftp.js:253:38 @/home/dez/.local/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/daemon.js:727:17

System Details (please complete the following information):

• GSConnect version: 47
  • Installed from: [e.g. GNOME Extensions Website, GitHub, Package Manager, ...]
• GNOME/Shell version: 40,5
• Distro/Release: System: Host: gar-pc Kernel: 5.14.16-zen1-1-zen x86_64 bits: 64 Desktop: GNOME 40.5 Distro: Garuda Linux

GSConnect environment (if applicable):

• Paired Device(s): samsung a41
• KDE Connect app version: 1.17.0
• Plugin(s): [if the issue only occurs when using certain plugin(s)]

Additional Notes:

Add any additional information about the problem or your system.

[abhaypatil2000]

Here is my log file. Looks pretty similar.
gsconnect.log

[andyholmes]

If the connection is just outright failing, it's probably a network configuration error. Anything else there should be a real error, indicating why the connection failed.

GSConnect should only try to wipe old host keys if the connection fails with a host key error (ie. old host key), so to then find that the file doesn't exist at all seems like this is probably a configuration problem with your distribution.

I'm not familiar with Garuda Linux at all, so I'm not sure I can help much more than that, sorry.

[Noobsai]

Same issue: Gio.IOErrorEnum: Connection failed. Arch, gnome 41.1, Samsung S20+, App 1.17.0 I don't how to get detailed information

[DezValT1r]

My distribution has been updated to gnome 41.1, I have removed gsconnect on PC and KDE_connect on phone. Installed it again and paired it. But the mounting did not work. I installed Garuda KDE and Manjaro KDE on the same computer - this function works fine there.

[DezValT1r]

Вот мой лог-файл. Выглядит очень похоже. gsconnect.log

is mounting working for you?

[abhaypatil2000]

If the connection is just outright failing, it's probably a network configuration error. Anything else there should be a real error, indicating why the connection failed.

GSConnect should only try to wipe old host keys if the connection fails with a host key error (ie. old host key), so to then find that the file doesn't exist at all seems like this is probably a configuration problem with your distribution.

I'm not familiar with Garuda Linux at all, so I'm not sure I can help much more than that, sorry.

Earlier it worked on arch linux. When I installed another arch linux image on a different partition, it stopped working. Unfortunately I am unable to access the older arch linux installation, so can't comment whether it still works or not.

[Noobsai]

I tried to connect to SFTP via command line sftp -P 1740 kdeconnect@192.168.88.245 or ssh kdeconnect@192.168.88.245 -p 1740

Unable to negotiate with 192.168.88.245 port 1740: no matching host key type found. Their offer: ssh-rsa
Connection closed.  
Connection closed

I found a solution after some searching: Add to the ~/.ssh/config this lines:

Host 192.168.*.*
  HostKeyAlgorithms +ssh-rsa

After that the mounting works again.

Update 1: I have openssh 8.8p1 which has disabled the ssh-rsa. https://www.openssh.com/txt/release-8.7

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Update 2: Related bug for KDE Connect Android app Bug 443155 kdeconnect breaks when openssh is upgraded to version 8.8p1-1

[doppelhelix]

Thank you @Noobsai This works!

[abhaypatil2000]

I found a solution after some searching: Add to the ~/.ssh/config this lines:

Host 192.168.88.*
  HostKeyAlgorithms +ssh-rsa

After that the mounting works again.

Yeah this works

[DezValT1r]

I tried to connect to SFTP via command line sftp -P 1740 kdeconnect@192.168.88.245 or ssh kdeconnect@192.168.88.245 -p 1740

Unable to negotiate with 192.168.88.245 port 1740: no matching host key type found. Their offer: ssh-rsa
Connection closed.  
Connection closed

I found a solution after some searching: Add to the ~/.ssh/config this lines:

Host 192.168.88.*
  HostKeyAlgorithms +ssh-rsa

After that the mounting works again.

Update 1: I have openssh 8.8p1 which has disabled the ssh-rsa. https://www.openssh.com/txt/release-8.7

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Update 2: Related bug for KDE Connect Android app Bug 443155 kdeconnect breaks when openssh is upgraded to version 8.8p1-1

Thank you very much for your research! Hooray, the mounting is working again!

[canbeardig]

Didn't work for me. I created the config file and added the lines but still can't mount.

[DezValT1r]

Didn't work for me. I created the config file and added the lines but still can't mount.

No need to create a config file, I just added this: Host 192.168.x.x HostKeyAlgorithms +ssh-rsa to an existing file, which is located here: /etc/ssh/ssh_config

[canbeardig]

Didn't work for me. I created the config file and added the lines but still can't mount.

No need to create a config file, I just added this: Host 192.168.x.x HostKeyAlgorithms +ssh-rsa to an existing file, which is located here: /etc/ssh/ssh_config

By looking at the original solution, I thought I was supposed to edit or create a config file in the home directory. But I did what you suggested and now it works. Thanks a lot.

[DanMeadWasTaken]

I'm not super knowledgeable about this stuff, but I've tried both versions of the solution in this thread, neither have worked for me. i am having the exact same issue. I even figured maybe the host part was supposed to be my IP, so i tried changing it to that, I've tried all four versions (the two above with the original text and with my ip) in the bottom and the towards the top of the config file.

basically, I've tried every version of the solution given i could think of based on my little knowledge gained from playing around with linux this past month. But i haven't been able to fix it, i'm sure i'm just missing something that is probably really obvious to more knowledgeable people. so some help would be much appreciated.

i'm using gnome 41.1 on Manjaro linux 86x_64, openssh8.8p1-1, and gsconnect 48-1

[andyholmes]

The host is the remote host, in this case I would assume your Android phone.

Unless you're worried about someone sneaking a supercomputer onto your LAN I would just use a glob pattern like 192.168.0.* or whatever your subnet is. Picking a specific IP will be problematic if you're letting DHCP choose your IPs for you.

Like a lot of software, ssh will check in order the user configuration (~/.ssh/config) then the system configuration (/etc/ssh/ssh_config). You should probably only pick one to add the exception to, so as to avoid any possible conflicts. Personally, I would choose the user configuration file, even though you may have to create it and logout/login for it to take effect. It's up to you though.

[DanMeadWasTaken]

okay, this makes some more sense. So, i had actually tried just searching for the user configuration, but i could find no such file, although i did find the system configuration, and thus had been just adding it to that. Do you possibly have a link to how to find my subnet in the case that the glob pattern doesn't work?

So, probably a stupid question then, but i'm guessing based off past experience that the .ssh folder is supposed to be within the home directory? and if so, if it's not present, should i create the folder then put the config inside? And if it's not supposed to be there, where would i find it? Again, really new to this stuff, I've actually had a lot of fun figuring out Linux, but there are still a lot of things i do not know.

[canbeardig]

okay, this makes some more sense. So, i had actually tried just searching for the user configuration, but i could find no such file, although i did find the system configuration, and thus had been just adding it to that. Do you possibly have a link to how to find my subnet in the case that the glob pattern doesn't work?

So, probably a stupid question then, but i'm guessing based off past experience that the .ssh folder is supposed to be within the home directory? and if so, if it's not present, should i create the folder then put the config inside? And if it's not supposed to be there, where would i find it? Again, really new to this stuff, I've actually had a lot of fun figuring out Linux, but there are still a lot of things i do not know.

The config file didn't exist in my home directory. But adding these lines to /etc/ssh/ssh_config did solve the problem:

Host 192.168.*.* HostKeyAlgorithms +ssh-rsa

[DanMeadWasTaken]

alright, now a new stupid question... honestly i figured out why i wasn't seeing the other file, it was because i was searching from within something else. so now i did find the etc/ssh/ssh_config vs whatever i was apparently changing before with the same name... now then, how do i use root to add the bit to it? as i have tried to just access root then cd into it, but it keeps tell me the directory doesn't exist

at this point, i'd love it if someone told me step by step... I've done similar stuff before, but those files were a bit easier to find and had a step-by-step guide on how to do it. So treat me like i'm five, just as long as it makes some sense to someone who knows next to nothing

EDIT: to explain the multiple files part, it turns out i was searching from home - which was giving me 2 files within the flatpack folder, which has the same exact text as the one within the /etc/ssh/ folder. but those two did nothing when changed, and I've not much of an idea of how to edit the /etc/ssh/ssh_config one, which seems to be the one i need to edit

[DanMeadWasTaken]

scratch that, a quick google search told me how to edit files as root, thankyou guys though! wish i'd known about gedit before... i wouldn't have had to manually count 123 lines of code that one time for ani-cli

[canbeardig]

alright, now a new stupid question... honestly i figured out why i wasn't seeing the other file, it was because i was searching from within something else. so now i did find the etc/ssh/ssh_config vs whatever i was apparently changing before with the same name... now then, how do i use root to add the bit to it? as i have tried to just access root then cd into it, but it keeps tell me the directory doesn't exist

at this point, i'd love it if someone told me step by step... I've done similar stuff before, but those files were a bit easier to find and had a step-by-step guide on how to do it. So treat me like i'm five, just as long as it makes some sense to someone who knows next to nothing

You can right click and Edit as Root/Administrator. Enter your password, open the file, add the lines and save. Not Save As though just Save.

[DanMeadWasTaken]

i know this is a bit innapropriate to waste space on, but you wouldn't be able to imagine the yell of happiness and the fist pump i just did into the air at finally getting this working.... i've tried other things for accessing my files on android, of which didn't work, so working on this for days... earlier found out that since my pc was plugged into the modem and not the router, they were on different networks... felt like an idiot... now to find out i was editing the wrong file for the past, like 6 or so hours.... god i am so happy to have this working

[andyholmes]

For your future reference the tilde (~) is a "shell expansion" that the shell/terminal will automatically replace with the home directory for the current user (ie. ~/foo will expand to /home/username/foo). It's pretty common for people to just use ~/something to refer to the home directory even when they're not talking about shell commands.

[ericktucto]

I tried to connect to SFTP via command line sftp -P 1740 kdeconnect@192.168.88.245 or ssh kdeconnect@192.168.88.245 -p 1740

Unable to negotiate with 192.168.88.245 port 1740: no matching host key type found. Their offer: ssh-rsa
Connection closed.  
Connection closed

I found a solution after some searching: Add to the ~/.ssh/config this lines:

Host 192.168.88.*
  HostKeyAlgorithms +ssh-rsa

After that the mounting works again.

Update 1: I have openssh 8.8p1 which has disabled the ssh-rsa. https://www.openssh.com/txt/release-8.7

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Update 2: Related bug for KDE Connect Android app Bug 443155 kdeconnect breaks when openssh is upgraded to version 8.8p1-1

It doesn't work for me, I have the following error

[ericktucto]

the ip of my cell phone was 192.168.0.15, for that reason it did not work for me, to know the ip of your cell phone it is necessary to go to the settings and look for the IP address option

[raffaem]

Ignore this message ... I just had to allow permissions in the KDE Connect app on my tablet

[jwich71]

I tried to connect to SFTP via command line sftp -P 1740 kdeconnect@192.168.88.245 or ssh kdeconnect@192.168.88.245 -p 1740

Unable to negotiate with 192.168.88.245 port 1740: no matching host key type found. Their offer: ssh-rsa
Connection closed.  
Connection closed

I found a solution after some searching: Add to the ~/.ssh/config this lines:

Host 192.168.88.*
  HostKeyAlgorithms +ssh-rsa

After that the mounting works again.

Update 1: I have openssh 8.8p1 which has disabled the ssh-rsa. https://www.openssh.com/txt/release-8.7

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Update 2: Related bug for KDE Connect Android app Bug 443155 kdeconnect breaks when openssh is upgraded to version 8.8p1-1

Great hint! Worked also for me after Fedora 36 upgrade. Thanks a lot for sharing! ;) But don't forget to set permissions for ~/.ssh/config to 600

[DezValT1r]

The problem is back again, the previously used method does not work. Any ideas? Kernel: 5.18.5-zen1-1-zen arch: x86_64 bits: 64 Desktop: GNOME v: 42.2 Distro: Garuda Linux sudo pamac info openssh name : openssh version : 9.0p1-1

[daught1]

I went through this with a bunch of senseless reboots. Running openssh 9.0p1-1

In /etc/ssh/ssh_config I have

Host 192.168.1.*
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

sftp -P 1740 kdeconnect@192.168.x.x should connect to the phone. Mine was connecting but gsconnect was not mounting. In the end it turned out I had to restart the phone.

[DezValT1r]

Я прошел через это с кучей бессмысленных перезагрузок. Запуск openssh 9.0p1-1

В /etc/ssh/ssh_config у меня есть

Host 192.168.1.*
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

sftp -P 1740 kdeconnect@192.168.x.x следует подключиться к телефону. Мой подключался, но gsconnect не монтировался. В итоге оказалось, что мне пришлось перезагрузить телефон.

Indeed, it is working again. Previously, two lines were enough, but now three lines are needed

Host 192.168.. HostKeyAlgorithms +ssh-rsa PubkeyAcceptedKeyTypes +ssh-rsa Thank you very much!

[DezValT1r]

/etc/ssh/ssh_config

Host 192.168.. HostKeyAlgorithms +ssh-rsa PubkeyAcceptedKeyTypes +ssh-rsa

[dniku]

So, uh, maybe this should be patched from the side of GS Connect? Having users add extra lines to the SSH config is not perfect UX, although it works as a temporary workaround.

[andyholmes]

This isn't a problem with GSConnect, it's a problem with (some) Android devices using insecure ciphers.

I'm not convinced writing a ssh_config parser that arbitrarily enables insecure ciphers, without user interaction, is going to be much fun or very prudent. If you want to contribute a patch that adds it as an advanced option, I wouldn't be opposed though.

[dniku]

@andyholmes manually patching ssh_config would certainly be imprudent, but perhaps the same could be done by passing options to the ssh (or some other) executable when mounting the phone?

Or is it not GSConnect that is responsible for launching that executable?

[andyholmes]

Or is it not GSConnect that is responsible for launching that executable?

No, GSConnect just delegates mounting to GVfs. GSConnect used to also support using sshfs, but that had other problems; not being installed by default, not being visible in e.g. Nautilus, and no one seems attached to it enough to maintain it.

[dniku]

So the GVfs API does not allow to pass extra ssh parameters? In that case, perhaps this could be transferred to them as a feature request.

[andyholmes]

You can open a request for that here, but the same security issues apply: silently enabling insecure ciphers without user consent is not something I would support. It would still have to be added as an advanced option.

[dniku]

I'm sorry for persistence, but I still don't understand whose bug this is and how it should be fixed.

• GSConnect uses an API call from GVfs, so this is not a fault of GSConnect;
• GVfs does not allow setting custom parameters when adding sshfs mounts;
• Something on the side of Android (the KDEConnect app? some Android libraries?) does not support modern ciphers.

So the bug can be opened:

1. In GVfs, to ask them to implement support for insecure ciphers;
2. Somewhere on the side of Android.

Can this bug be fixed in, e.g., the KDEConnect app?

[andyholmes]

Android, or the SFTP server used by KDE Connect Android, is using insecure cipers. SSH is refusing connections using insecure ciphers.

So this would have to be fixed either by upgrading Android, or the SFTP server it uses.

[dniku]

I encountered this with Android 12 (Samsung firmware). So is it true that the latest version of Android bundles an outdated SFTP server, and this has to be patched in Android (AOSP) itself?

[andyholmes]

Android doesn't bundle an SFTP server as far as I know, but KDE Connect bundles Apache MINA.

[saatvik333]

My OS: PopOS 22.04 My phone: Xiaomi Mi9T Pro

For me, it doesn't work I added these lines in the file /etc/ssh/ssh_config at the bottom

Host 192.168..
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa

Is there anything more that I need to do to be able to mount the Internal Storage of my phone?

[dniku]

It seems https://bugs.kde.org/show_bug.cgi?id=443155 is the most appropriate place to move this discussion to.

[mavit]

Disappointingly, KDE fixed this by re-enabling the insecure public key type in their client rather than enabling a secure public key type in the server.

This being the case, should something be done in the GSConnect UI to make it clearer to the user that mounting is no-longer generally expected to work?

[andyholmes]

That is unfortunate. It think it might be related to the span of Android versions they still guarantee to support, which might require a lower version of Apache MINA.

It's probably safe to assume that everyone is connecting to an Android device, so adding an unconditional notice seems reasonable. I don't think GVfs will pass through an original error code anyways, so it's probably not possible to detect dynamically.

Any thoughts on the best UX for this? I'm not sure there's an obvious place for people to look in the application or preferences. Maybe one of those "Don't tell me again" dialogs, possibly triggered by any SSH failure?

[jvalecillos]

I stumbled on this issue today after reading the whole thread, the comments above and the latest entries in the bug report here, it looks like the problem will persist until it is fixed on the Android app.

Perhaps this PR upstream will solve the problem: Draft: Use Elliptic Curve encryption instead of RSA

Food for thought: If GSConnect is a full re-implementation for the Desktop app, someone might as well create their own Android app with the updated dependencies.

[rockiger]

Food for thought: If GSConnect is a full re-implementation for the Desktop app, someone might as well create their own Android app with the updated dependencies.

Please don't. Forking should only be a last resort. Better try to help KDE Connect's mobile app.

[pvagner]

Hello, It turns out this issue has changed. I have installed KDE Connect 1.29.0 from F-Droid, paired the devices and now when trying to mount I do receive error saying You don't have permission to access files on sftp://192.168.0.140:1740/ If I run ssh kdeconnect@192.168.0.140 -p 1740 I am not receiving host key verification error, instead I am prompted for the password. So it appears host verification is working however I don't know how to debug it further. On android side all the permissions are granted.

[joshcangit]

@pvagner Reason why it says "You don't have permission to access" is because it is accessing / instead of /storage/emulated/0. Have to type in the path manually to get it to work. Maybe a different issue since this is after successfully mounting the device.

[danroxha]

I've read the KDE Connection Android app code, and I noticed that KDE Connection sends multiple paths, but GSConnect only mounts the root directory; Here: https://github.com/GSConnect/gnome-shell-extension-gsconnect/blob/d2a865ad41c258e8b04a0e92bb3112d810aae92d/src/service/plugins/sftp.js#L228

KDE Connection Android: https://github.com/KDE/kdeconnect-android/blob/6e4a5c367b330dfd90868d9729f8bdeef8a3902f/src/org/kde/kdeconnect/Plugins/SftpPlugin/SftpPlugin.java#L168

As this is my first contact with these code bases, I haven't gone any further, I may be wrong on the points I mentioned.

[pvagner]

The FTP plugin of the android app has no settings since android 10. Thus at the android side of the setup it is not possible to configure SFTP server path. If the device has more than a single storage it returns multiple paths. For clients that don't support multiple paths it falls back to the single path "/". And I guess this is a GSConnect situation here. What the GSConnect response to this might look like? Should it attempts mounting all the paths? Perhaps more sane default at the android app side of things would be to expose the internal storage path as the single path fallback rather than plain "/".