ashkulz / NppFTP

Plugin for Notepad++ allowing FTP, FTPS, FTPES and SFTP communications
https://ashkulz.github.io/NppFTP/
322 stars 93 forks source link

NppFTP can no longer connect to hosts that only support ssh-rsa. OpenSSH can connect. #348

Open Ben-Voris opened 2 years ago

Ben-Voris commented 2 years ago

Description of the Issue

Cannot connect to a sftp server that offers only ssh-rsa.

OpenSSH can connect to such a host.

Steps to Reproduce the Issue

  1. Connect to a sftp host that offers only ssh-rsa for private key
  2. Note the error

Expected Behavior

sftp plugin should honor the ssh config file. This allows allows one to configure

Actual Behavior

Connection is rejected.

NppFTP Output

[SFTP] Connection failed : kex error : no match for method server host key algo: server [ssh-rsa], client [rsa-sha2-512,rsa-sha2-256,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256]

Debug Information

Notepad++ v8.4.6   (64-bit)
Build time : Sep 25 2022 - 19:51:39
Path : C:\Program Files\Notepad++\notepad++.exe
Command Line : 
Admin mode : OFF
Local Conf mode : OFF
Cloud Config : OFF
OS Name : Windows 10 Enterprise (64-bit) 
OS Version : 20H2
OS Build : 19042.2006
Current ANSI codepage : 1252
Plugins : 
    ComparePlugin (2.0.2)
    DSpellCheck (1.4.24)
    JsonTools (3.2)
    MarkdownViewerPlusPlus (0.8.2)
    mimeTools (2.8)
    NppConverter (4.4)
    NppExec (0.8.2)
    NppExport (0.4)
    NppFTP (0.29.10)
    NppGist (1.5.1.35)
    NppSaveAsAdmin (1.0.211)
    XMLTools (3.1.1.13)
    zoomdisabler_x64 (1.2)
    _CustomizeToolbar (5.3)

NppFTPversion: 0.29.10 Unicode with libssh version 0.10.0

Cygwin and Ubuntu sftp work with a host like this because they honor the ~/.ssh/config file which, for a host like this, contains

Host host-name
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

For example:

sftp -v user@host OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020 debug1: Reading configuration data /home/user/.ssh/config ... debug1: Authenticating to host:22 as 'user' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-rsa ... debug1: Offering public key: /home/user/.ssh/id_rsa RSA SHA256:/wbB/... debug1: Server accepts key: /home/user/.ssh/id_rsa RSA SHA256:/wbB/... debug1: Authentication succeeded (publickey).

Ben-Voris commented 2 years ago

"About NppFTP" reports a libssh version. But the version number makes me wonder if NppFTP uses libssh2, not libssh. The two are completely different.

If NppFTP uses libssh2, please change "About NppFTP" to reflect that.

libssh offers ssh_options_parse_config().

For libssh2, this might be interesting libssh2 APIs to configure different algorithms

chcg commented 2 years ago

See https://github.com/ashkulz/NppFTP/blob/master/build_3rdparty.py#L91 on usage of libssh.

Could you please check if https://github.com/ashkulz/NppFTP/releases/tag/v0.29.11 fixes your problem.

If this is not the case, see

https://www.libssh.org/2022/08/26/libssh-0-10-0/

for RSA there are some changes:

Maybe the problem arises from that. In this case it would be helpful to known if the plugin version v0.29.9 before the change to libssh 0.10.x is still working.

Ben-Voris commented 2 years ago

I overwrite the contents of "%ProgramFiles%\Notepad++\plugins\NppFTP" with the files from https://github.com/ashkulz/NppFTP/releases/download/v0.29.11/NppFTP-x86.zip. After doing that, "About NppFTP" shows "0.29.11 Unicode".

This release does not revolve the problem.

The keys I must use are in a format that later OpenSSH releases do not accept by default. This is why I have the entries in ~/.ssh/config that I show above.

Since you are using libssh, ssh_options_parse_config() appears to be an option.

https://github.com/ashkulz/NppFTP/releases/tag/v0.27.6 works with the keys I have.

Ben-Voris commented 2 years ago

Also, see https://github.com/ashkulz/NppFTP/issues/34

Parsnip commented 2 years ago

Seems I have the same issue over here, and rolling back to v0.29.9 fixed it.

iwl commented 1 year ago

I can't connect with dsa either, same key which worked all the time and still works with cygwin where it's from. So I fiddled with some rsa type and the keys from linux sub system, nothing works.... https://github.com/ashkulz/NppFTP/releases/tag/v0.29.9 works for me also

sargearmstrong commented 1 year ago

I confirm (without having tested other versions) that this issue is not present in version 0.30.12 unicode. Discovered by accident so thought I'd share. Thanks.

Parsnip commented 1 year ago

I confirm (without having tested other versions) that this issue is not present in version 0.30.12 unicode. Discovered by accident so thought I'd share. Thanks.

I'd guess that's expected since that version is still using the older libssh version.

Currently the last versions not experiencing this issue are v0.29.9 and pre-release v0.30.13.

TikursewMe commented 1 year ago

I can't connect with dsa either, same key which worked all the time and still works with cygwin where it's from. So I fiddled with some rsa type and the keys from linux sub system, nothing works.... https://github.com/ashkulz/NppFTP/releases/tag/v0.29.9 works for me also

Thanks this worked for me as well. something wrong with the latest version

chcg commented 1 year ago

See https://stackoverflow.com/questions/76572797/libssh-public-key-authentication-failed-the-key-algorithm-ssh-rsa-is-not-all . ssh-rsa seems to be using insecure sha1 and therefore likely disabled by libssh:

ssh-rsa is deprecated for a reason though, because it uses the insecure SHA-1 hash algorithm. If you need to connect to an old system that runs an OpenSSL version before 7.2 (when the rsa-sha2-* algorithms were introduced), then ssh-rsa is the only way you can do public key authentication against such a system, so you kind of have not much of a choice.

Ben-Voris commented 1 year ago

Because many hosts cannot be updated, OpenSSH allows one to override that setting.On Jul 12, 2023, at 13:00, chcg @.***> wrote: See https://stackoverflow.com/questions/76572797/libssh-public-key-authentication-failed-the-key-algorithm-ssh-rsa-is-not-all . ssh-rsa seems to be using insecure sha1 and therefore likely disabled by libssh:

ssh-rsa is deprecated for a reason though, because it uses the insecure SHA-1 hash algorithm. If you need to connect to an old system that runs an OpenSSL version before 7.2 (when the rsa-sha2-* algorithms were introduced), then ssh-rsa is the only way you can do public key authentication against such a system, so you kind of have not much of a choice.

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: @.***>

vrubleg commented 8 months ago

Had the same issue on NppFTP v1.29.13, had to roll back to v0.29.9. Thanks for the suggestion.