ish-app / ish

Linux shell for iOS
https://ish.app

ssh does work, but sftp not working #2075

Open freebrowser1 opened 1 year ago

freebrowser1 commented 1 year ago

This is a really nice app, much like Termux in Android.

But there is one flaw: sftp in an SSH file browser does not work. Probably a 'standard' Linux/SSH issue.

I connected using Forklift on macOS, which resulted in an error (screenshot).

[Screenshot 2023-04-05 at 22 27 07]

I changed sshd_config on the iSH server, with the help of searching for this issue on the internet, by adding PubkeyAuthentication yes and changing:

# override default of no subsystems
#Subsystem      sftp    /usr/lib/ssh/sftp-server
Subsystem       sftp    internal-sftp

but to no avail. Obviously I restarted iSH by closing and reopening it on the iPad itself, by pressing Ctrl+D and then starting again, which automatically starts sshd, as I can immediately ssh into iSH again from my Mac.

When I run sftp in verbose mode then the result is:

armemac.local:~/scratch % sftp -v -P 22 root@192.168.0.11            
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/me/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
debug1: Connection established.
debug1: identity file /Users/me/.ssh/id_rsa type 0
debug1: identity file /Users/me/.ssh/id_rsa-cert type -1
debug1: identity file /Users/me/.ssh/id_ecdsa type -1
debug1: identity file /Users/me/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/me/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/me/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/me/.ssh/id_ed25519 type -1
debug1: identity file /Users/me/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/me/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/me/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/me/.ssh/id_xmss type -1
debug1: identity file /Users/me/.ssh/id_xmss-cert type -1
debug1: identity file /Users/me/.ssh/id_dsa type 1
debug1: identity file /Users/me/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.6
debug1: compat_banner: match: OpenSSH_8.6 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.0.11:22 as 'root'
debug1: load_hostkeys: fopen /Users/me/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:DMet4OKiC2qzSCISNQrElbikS35uALIRhmM1BK6FII0
debug1: load_hostkeys: fopen /Users/me/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '192.168.0.11' is known and matches the ED25519 host key.
debug1: Found key in /Users/me/.ssh/known_hosts:159
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: agent returned 1 keys
debug1: Skipping ssh-dss key /Users/me/.ssh/id_dsa - corresponding algo not in PubkeyAcceptedAlgorithms
debug1: Will attempt key: ecdsa-sha2-nistp256 ECDSA SHA256:xn2CTvLgP6mlJ0+iZ52fvzUS3i5bxMLNvfMfBd9Q4aw agent
debug1: Will attempt key: /Users/me/.ssh/id_rsa RSA SHA256:Mh8uuwZwf0zVhPGPmZ/i7SVHlikZmAleGnj9kphNMts
debug1: Will attempt key: /Users/me/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/me/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /Users/me/.ssh/id_ed25519 
debug1: Will attempt key: /Users/me/.ssh/id_ed25519_sk 
debug1: Will attempt key: /Users/me/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: ecdsa-sha2-nistp256 ECDSA SHA256:xn2CTvLgP6mlJ0+iZ52fvzUS3i5bxMLNvfMfBd9Q4aw agent
debug1: Server accepts key: ecdsa-sha2-nistp256 ECDSA SHA256:xn2CTvLgP6mlJ0+iZ52fvzUS3i5bxMLNvfMfBd9Q4aw agent
Authenticated to 192.168.0.11 ([192.168.0.11]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: filesystem
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: client_input_hostkeys: searching /Users/me/.ssh/known_hosts for 192.168.0.11 / (none)
debug1: client_input_hostkeys: searching /Users/me/.ssh/known_hosts2 for 192.168.0.11 / (none)
debug1: client_input_hostkeys: hostkeys file /Users/me/.ssh/known_hosts2 does not exist
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: channel 0: setting env LC_CTYPE = "UTF-8"
debug1: Sending subsystem: sftp
debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding
Learned new hostkey: ECDSA SHA256:5qJ/Mqnn7rX9cHd24TxMmwALdOYCFYZOuwXMDXToXJk
Adding new key for 192.168.0.11 to /Users/me/.ssh/known_hosts: ecdsa-sha2-nistp256 SHA256:5qJ/Mqnn7rX9cHd24TxMmwALdOYCFYZOuwXMDXToXJk
debug1: update_known_hosts: known hosts file /Users/me/.ssh/known_hosts2 does not exist
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2772, received 3336 bytes, in 0.9 seconds
Bytes per second: sent 3089.3, received 3717.8
debug1: Exit status 255

Adding to ~/.ssh/config

Host 192.168.0.11
    UpdateHostKeys no

does not help, it only leaves out the message debug1: client_global_hostkeys_private_confirm: server used untrusted RSA signature algorithm ssh-rsa for key 0, disregarding.

And why does it ask for known_hosts2?

iPadOS version 16.4

From a Debian Linux client a similar RSA key message appears.

wuebbel commented 1 year ago

Same here. The problem is, I believe, that the sftp-server dies immediately after being called. If you call the sftp-server manually, you get:

# /usr/lib/ssh/sftp-server -e
unable to make the process undumpable

...and the sftp server exits immediately. If I get it right, then the relevant prctl is not available. One way out would probably be compiling a suitable sftp server, by changing in sftp-server.c

platform_disable_tracing(1); /* strict */

to

platform_disable_tracing(0); /* not strict */

Unfortunately, the choice strict/not strict cannot be made with ssh options.
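An added diagnostic, written for this thread and not taken from iSH or OpenSSH, that mirrors the prctl(PR_SET_DUMPABLE, 0) call behind platform_disable_tracing() and its strict flag; built with gcc inside iSH it shows whether the "unable to make the process undumpable" failure reproduces, and which errno the emulator returns, without rebuilding sftp-server. Function names are my own, and it assumes a Linux environment such as iSH's.

```c
/* Added diagnostic (not OpenSSH or iSH code): reproduces the call behind
 * OpenSSH's Linux platform_disable_tracing(), prctl(PR_SET_DUMPABLE, 0),
 * and the strict/not-strict decision made in sftp-server.c. Linux-only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Make this process undumpable (blocks ptrace and core dumps).
 * Returns 0 on success, otherwise the errno the kernel/emulator reported. */
static int try_make_undumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Read the flag back: 0 after a successful PR_SET_DUMPABLE, 0. */
static int dumpable_flag(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Mirrors platform_disable_tracing(strict): 0 = success; -1 = strict failure
 * (sftp-server calls fatal() here); 1 = non-strict failure, silently ignored. */
static int disable_tracing_demo(int strict)
{
    int err = try_make_undumpable();
    if (err == 0)
        return 0;
    if (strict) {
        fprintf(stderr, "unable to make the process undumpable: %s\n", strerror(err));
        return -1;
    }
    return 1;
}

int main(void)
{
    if (disable_tracing_demo(1) < 0)    /* strict, as shipped in sftp-server.c */
        return 255;                     /* the exit status seen in the sftp log */
    printf("undumpable OK, PR_GET_DUMPABLE now reports %d\n", dumpable_flag());
    return 0;
}
```

A non-zero exit with the fatal message on iSH, and a clean exit on a regular Linux box, confirms that the missing prctl rather than anything in sshd_config is what kills sftp-server.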

wuebbel commented 1 year ago

Yes, this works.

$ scp out wuebbel@ipad-von-frank-2:
out                                           100%  385KB   1.6MB/s   00:00

The only thing I changed was

iPad-von-Frank-2:~/openssh-portable# grep platform_disable sftp-server.c
        platform_disable_tracing(0);    /* strict */

freebrowser1 commented 1 year ago

@wuebbel: what did you change? You used an sftp client 'openssh-portable'?

Does it have to do with sftp-server using SHA-1 instead of the usual SHA-2 RSA keys? If yes, can there be a SHA-2 variant which complies with most usual clients?

wuebbel commented 1 year ago

@freebrowser1 No. I think you are completely on the wrong track. As I wrote above, call the sftp-server executable directly in ish. If it returns immediately, that is your problem. In this case, you have the option of either convincing the ish developers not to throw an error when an executable tries to protect itself, or compile your own sftp-server. To do the latter, you need to pull the original ssh sources, make the change mentioned above in sftp-server.c, compile, install, and add the newly installed sftp server to sshd_config. Note that by default this installs to /usr/local, so it will not overwrite your existing ssh distribution. Something along the lines of (from my .ash_history)

apk add openssh-sftp-server gcc autoconf git automake musl-dev zlib-dev openssl openssl-dev make
git config --global pack.threads "1"
git clone --depth 10 https://github.com/openssh/openssh-portable.git
cd openssh-portable
vi sftp-server.c
autoreconf
./configure
make
make install
vi /etc/ssh/sshd_config

Note that this will install a newer version of ssh, but it seems to work anyway.

freebrowser1 commented 1 year ago

Thanks for your effort, but it did not work.

apk add openssh-sftp-server gcc autoconf git automake musl-dev zlib-dev openssl openssl-dev make
git config --global pack.threads "1"
git clone --depth 10 https://github.com/openssh/openssh-portable.git
cd openssh/portable

Appeared to be openssh-portable

vi sftp-server.c

What should be changed here?

./configure

This does not exist, but there is a ./configure.ac.

make
make install
vi /etc/ssh/sshd_config

wuebbel commented 1 year ago

@freebrowser1 Change the line I mentioned in the first post.

by changing in sftp-server.c

platform_disable_tracing(1); /* strict */

to

platform_disable_tracing(0); /* not strict */

I missed an "autoreconf" in my .ash_history. You'd better follow the instructions in the git, though. I'll add the autoreconf to my instructions.

freebrowser1 commented 1 year ago

@wuebbel Thanks. Yesterday I forgot to run autoreconf and now I did everything again, using these commands:

apk add openssh-sftp-server gcc autoconf git automake musl-dev zlib-dev openssl openssl-dev make
git config --global pack.threads "1"
git clone --depth 10 https://github.com/openssh/openssh-portable.git
cd openssh-portable
vi sftp-server.c
autoreconf
./configure
make
make install

It compiled until make install which did compile several files but errored out at:

_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/local/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk-client.c -o ssh-sk-client.o
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect2.o mux.o ssh-sk-client.o -L. -Lopenbsd-compat/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat   -lcrypto  -lz
/usr/lib/gcc/i586-alpine-linux-musl/10.3.1/../../../../i586-alpine-linux-musl/bin/ld: ./libssh.a(sshkey.o):(.data.rel.ro+0x3c): undefined reference to `sshkey_rsa_impl'
/usr/lib/gcc/i586-alpine-linux-musl/10.3.1/../../../../i586-alpine-linux-musl/bin/ld: ./libssh.a(sshkey.o):(.data.rel.ro+0x40): undefined reference to `sshkey_rsa_cert_impl'
/usr/lib/gcc/i586-alpine-linux-musl/10.3.1/../../../../i586-alpine-linux-musl/bin/ld: ./libssh.a(sshkey.o):(.data.rel.ro+0x44): undefined reference to `sshkey_rsa_sha256_impl'
/usr/lib/gcc/i586-alpine-linux-musl/10.3.1/../../../../i586-alpine-linux-musl/bin/ld: ./libssh.a(sshkey.o):(.data.rel.ro+0x48): undefined reference to `sshkey_rsa_sha256_cert_impl'
/usr/lib/gcc/i586-alpine-linux-musl/10.3.1/../../../../i586-alpine-linux-musl/bin/ld: ./libssh.a(sshkey.o):(.data.rel.ro+0x4c): undefined reference to `sshkey_rsa_sha512_impl'
/usr/lib/gcc/i586-alpine-linux-musl/10.3.1/../../../../i586-alpine-linux-musl/bin/ld: ./libssh.a(sshkey.o):(.data.rel.ro+0x50): undefined reference to `sshkey_rsa_sha512_cert_impl'
collect2: error: ld returned 1 exit status
make: *** [Makefile:207: ssh] Error 1

I saw 'i586' as target; it appears that this script is using a cross compiler to an Intel platform. Should this code not be compiled to 'arm64' so that it runs under iSH on iOS?

khurshid-alam commented 1 year ago

@freebrowser1 Did you file a bug in OpenSSH-portable? What happens when you use the stable branch instead of master?