owncloud / core

:cloud: ownCloud web server core (Files, DAV, etc.)
https://owncloud.com
GNU Affero General Public License v3.0

External Storage does not support SFTP/SSH connections with ciphers EC-Ciphers (Ed25519 / Ed449 / Curve25519 / Curve449, ECDSA / ECDH) [phpseclib] #38353

Open Constey opened 3 years ago

Constey commented 3 years ago
### Steps to reproduce

1. Add an External Storage with SFTP or SSH and modern EC-Ciphers (Ed25519 / Ed449 / Curve25519 / Curve449, ECDSA / ECDH)
2. Error Message appears, Mounting not possible
3.

### Expected behaviour

The SFTP/SSH Server should be mounted as external storage and file browsing is available.

### Actual behaviour

An Error Message appears, mounting is not possible. Connections to SFTP Servers using older ciphers (RSA for example) work nicely. But all modern ciphers based on elliptic curves are not supported.

### Issue comes from:

While searching in the logs I've found that the related library is phpseclib. Looking into: "/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php" brings up the supported ciphers:

```
use phpseclib\Crypt\Base;
use phpseclib\Crypt\Blowfish;
use phpseclib\Crypt\Hash;
use phpseclib\Crypt\Random;
use phpseclib\Crypt\RC4;
use phpseclib\Crypt\Rijndael;
use phpseclib\Crypt\RSA;
use phpseclib\Crypt\TripleDES;
use phpseclib\Crypt\Twofish;
use phpseclib\Math\BigInteger; // Used to do Diffie-Hellman key exchange and DSA/RSA signature verification.
use phpseclib\System\SSH\Agent;
```

There is a new version of phpseclib in version 3.0 that supports those new ciphers as of: https://github.com/phpseclib/phpseclib / https://github.com/phpseclib/phpseclib/releases

Is there any schedule when this gets updated?

### Server configuration

**Operating system**: Ubuntu 20.04.1 LTS _ Linux svnextcloud01 5.4.0-64-generic #72-Ubuntu SMP Fri Jan 15 10:27:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

**Web server:** nginx version: nginx/1.19.6

**Database:** mariadb

**PHP version:** PHP 7.4.14 (cli) (built: Jan 13 2021 08:04:47) ( NTS ) Copyright (c) The PHP Group Zend Engine v3.4.0, Copyright (c) Zend Technologies with Zend OPcache v7.4.14, Copyright (c), by Zend Technologies

**OpenSSL Version:** OpenSSL 1.1.1i 8 Dec 2020

**ownCloud version:** 20.0.5

**Updated from an older ownCloud or fresh install:** fresh install

**Where did you install ownCloud from:** nextcloud.com

**Signing status (ownCloud 9.0 and above):** all green

```
No errors have been found.
```

**The content of config/config.php:**

```
should be not related
```

**List of activated apps:** External storage support 1.11.1

```
Enabled:
 - accessibility: 1.6.0
 - activity: 2.13.4
 - admin_audit: 1.10.0
 - cloud_federation_api: 1.3.0
 - comments: 1.10.0
 - contactsinteraction: 1.1.0
 - dav: 1.16.2
 - federatedfilesharing: 1.10.2
 - federation: 1.10.1
 - files: 1.15.0
 - files_external: 1.11.1
 - files_pdfviewer: 2.0.1
 - files_rightclick: 0.17.0
 - files_sharing: 1.12.2
 - files_trashbin: 1.10.1
 - files_versions: 1.13.0
 - files_videoplayer: 1.9.0
 - logreader: 2.5.0
 - lookup_server_connector: 1.8.0
 - nextcloud_announcements: 1.9.0
 - notifications: 2.8.0
 - oauth2: 1.8.0
 - password_policy: 1.10.1
 - photos: 1.2.3
 - privacy: 1.4.0
 - provisioning_api: 1.10.0
 - recommendations: 0.8.0
 - serverinfo: 1.10.0
 - settings: 1.2.0
 - sharebymail: 1.10.0
 - support: 1.3.0
 - systemtags: 1.10.0
 - text: 3.1.0
 - theming: 1.11.0
 - twofactor_backupcodes: 1.9.0
 - updatenotification: 1.10.0
 - user_ldap: 1.10.2
 - user_status: 1.0.1
 - viewer: 1.4.0
 - weather_status: 1.0.0
 - workflowengine: 2.2.0
Disabled:
 - dashboard
 - encryption
 - firstrunwizard
 - survey_client
```

**Are you using external storage, if yes which one:** SFTP, SSH

**Are you using encryption:** yes

**Are you using an external user-backend, if yes which one:** not relevant

### Client configuration

**Browser:** Google Chrome latest

**Operating system:** Windows

### Logs

#### Web server error log

```
not relevant
```

#### ownCloud log (data/owncloud.log)

```
{"reqId":"os28vzT8HBzPonUaVWbU","level":3,"time":"2021-01-27T09:30:10+01:00","remoteAddr":"172.23.225.13","user":"admin","app":"PHP","method":"PUT","url":"/apps/files_external/globalstorages/3","message":{"Exception":"Error","Message":"No compatible key exchange algorithms found at /var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php#1537","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1537,"function":"user_error"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1288,"function":"_key_exchange","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":4797,"function":"_connect","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":132,"function":"getServerPublicHostKey","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":166,"function":"getConnection","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/MountConfig.php","line":264,"function":"test","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/StoragesController.php","line":258,"function":"getBackendStatus","class":"OCA\\Files_External\\MountConfig","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/GlobalStoragesController.php","line":180,"function":"updateStorageStatus","class":"OCA\\Files_External\\Controller\\StoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":169,"function":"update","class":"OCA\\Files_External\\Controller\\GlobalStoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":100,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":152,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":309,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1008,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":91,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","version":"20.0.5.2"}
{"reqId":"os28vzT8HBzPonUaVWbU","level":3,"time":"2021-01-27T09:30:10+01:00","remoteAddr":"172.23.225.13","user":"admin","app":"PHP","method":"PUT","url":"/apps/files_external/globalstorages/3","message":{"Exception":"Error","Message":"No compatible key exchange algorithms found at /var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php#1537","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1537,"function":"user_error"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":1288,"function":"_key_exchange","class":"phpseclib\\Net\\SSH2","type":"->"},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH2.php","line":2141,"function":"_connect","class":"phpseclib\\Net\\SSH2","type":"->"},{"function":"_login","class":"phpseclib\\Net\\SSH2","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/3rdparty/phpseclib/phpseclib/phpseclib/Net/SFTP.php","line":414,"function":"call_user_func_array"},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":144,"function":"login","class":"phpseclib\\Net\\SFTP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/files_external/lib/Lib/Storage/SFTP.php","line":166,"function":"getConnection","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/MountConfig.php","line":264,"function":"test","class":"OCA\\Files_External\\Lib\\Storage\\SFTP","type":"->"},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/StoragesController.php","line":258,"function":"getBackendStatus","class":"OCA\\Files_External\\MountConfig","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/files_external/lib/Controller/GlobalStoragesController.php","line":180,"function":"updateStorageStatus","class":"OCA\\Files_External\\Controller\\StoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":169,"function":"update","class":"OCA\\Files_External\\Controller\\GlobalStoragesController","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":100,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":152,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":309,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1008,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":37,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":91,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","version":"20.0.5.2"}
{"reqId":"OiK5Aw3tiCXoem6WULCN","level":0,"time":"2021-01-27T09:30:17+01:00","remoteAddr":"172.23.225.13","user":"admin","app":"contacts","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"/appinfo/app.php is deprecated, use \\OCP\\AppFramework\\Bootstrap\\IBootstrap on the application class instead.","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","version":"20.0.5.2"}
```

JammingBen commented 3 years ago

There is already a PR regarding the phpseclib upgrade to 3.0.3 (https://github.com/owncloud/core/pull/38251). It's currently in an internal testing process and will probably ship with the new version 10.7. We don't have an exact release date for 10.7 yet, but I guess it will be something around March this year.

terrafrost commented 3 years ago

One thing you could probably do in the meantime: fork owncloud and change their composer.json to require phpseclib/phpseclib2_compat:~1.0 and phpseclib/phpseclib:~3.0.

Depending on how owncloud is using phpseclib/phpseclib:~2.0 that should probably get you all the "advanced cipher" support that 3.0 has!