zhanghai / MaterialFiles

Material Design file manager for Android
https://play.google.com/store/apps/details?id=me.zhanghai.android.files
GNU General Public License v3.0

Unable to Connect to my SFTP Server with Public Key #921

Open Argoneon1810 opened 1 year ago

Argoneon1810 commented 1 year ago

Usecase

Key setup and test over Termux

  1. On phone B, I created an RSA key with Termux and performed ssh-copy-id. Commands used:

```bash
ssh-keygen -t rsa -b 2048 -f id_rsa
ssh-copy-id -i id_rsa.pub $username@$remote_ip_address -p $forwarded_port
```

  2. After this, when I do `ssh -p $forwarded_port $username@$remote_ip_address`, it asks for my key's passphrase, and the ssh session starts as soon as I type it.

Material Files situation

Before getting into it: some names may not be exact, as they are shown in my home language and not in English. Please guess by context.

| Name | Value |
| --- | --- |
| Host Name | same as $remote_ip_address |
| Port | same as $forwarded_port |
| Path | (empty) |
| Name | test |
| Authentication | Public Key |
| User Name | same as $username |
| Private Key | id_rsa that I used for Termux testing |
| Private Key Password | my key's passphrase |

Error

```
java8.nio.file.AccessDeniedException: /:net.schmizz.sshj.sftp.SFTPException: Permission denied
```

Others

Even with password authentication, it fails. Of course,

```bash
~ $ cat ../usr/etc/ssh/sshd_config | grep "Password"
PasswordAuthentication yes
```

For short-term use, Termux sftp is just fine. But for the long term, a CLI isn't the nicest solution, I believe. I want to use Material Files's beautiful GUI as my solution.

Would you help me to figure out this situation? Thanks.

Argoneon1810 commented 1 year ago

I found a few more pieces of info that might help a little bit:

zhanghai commented 1 year ago

I can't debug your setup for you, but I think you may try:

  1. Looking into adb logcat to see what exactly the error is on the client side; and/or

  2. Enabling verbose logging in your sshd and observe the logs when a connection is attempted.

Argoneon1810 commented 1 year ago
> 1. Looking into adb logcat to see what exactly the error is on the client side; and/or

I'm away from my PC, so I tried a wireless debugging using Termux, but it seems this isn't supported. Nothing is being printed.

> 2. Enabling verbose logging in your sshd and observe the logs when a connection is attempted.

Would you give me some keyword that might be highly probable to cause this issue?

You might already know this, but the verbose option prints tons of logs, and I am not knowledgeable enough to distinguish the real problem among them.

Argoneon1810 commented 1 year ago

I am assuming that, since Android treats each app as a separate Linux user, your app refuses to read or use the RSA key generated from Termux.

In my short research, it should be working, as I gave 644 permission to the id_rsa file. At least it should be readable.

But, since the exception says that this issue is permission-related, my guess might be the answer, with a small chance? idk for real

flippette commented 1 year ago

I've been having almost the same issue, except instead of Permission denied I'm seeing Exhausted available authentication methods. Again, Termux works just fine.

kanyi commented 2 months ago

A ConnectBot-generated RSA 4096-bit private key is not working. With another ed25519-coded private key, the program crashes. In ConnectBot both keys work perfectly.

stevenwalton commented 1 month ago

I think I found the issue and unfortunately @zhanghai it will require some modifications from you. (Were you unable to reproduce the issue?)

I was having this issue (and #1045) and I found a solution. If on the server you edit /etc/ssh/sshd_config so that StrictMode is No, then this works. I do not find this to be an acceptable solution though.

How I figured it out: I thought about what @zhanghai was saying with the file permissions, and when I tried to change them I realized that they wouldn't stick. They don't even change if I create the file ***from*** MaterialFiles, and I can't change the file's ownership. But if I changed the permissions of the key in my Termux and ssh'd, I'd be hit with a message:

```bash
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for '/data/data/com.termux/files/home/.ssh/private_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/data/data/com.termux/files/home/.ssh/private_key": bad permissions
```

So bingo, that's the issue!

I'm not sure how to actually solve this (I know nothing about app dev), but perhaps you can have a user paste in a key (or read from a file and do the same thing) and then write that key to the app's private directory and set permissions to 600? A simple functionality to import (and delete!) private keys seems like it would likely solve this issue.

(Edit: updates to add newlines in dropdown to make markdown actually format properly)

zhanghai commented 1 month ago

> perhaps you can have a user paste in a key (or read from a file and do the same thing)

This is already the only way for you to provide the private key for SFTP connection in Material Files. Material Files doesn't store your key as a standalone file, and doesn't need to do that at all because it's using the SSHJ library instead of executing an SSH command.

stevenwalton commented 1 month ago

Are you unable to reproduce the issue?

I am very happily admitting that I don't know what the solution is, but I'm absolutely confident there is a problem. Trying to reproduce the problem seems pretty simple. Are we just assuming SSHJ solves this or have we verified?

Speaking of SSHJ, are you in fact using version 0.35?! Because SSHJ reports that any version less than 0.38 is vulnerable to Terrapin. So this should be updated immediately.

zhanghai commented 1 month ago

> Are you unable to reproduce the issue?

Yes, I can connect to my SFTP server perfectly fine.

> So this should be updated immediately.

SSHJ requires support for Java 8 since 0.36, so unfortunately the update isn't simple as-is and would break a portion of users.

stevenwalton commented 1 month ago

> Yes, I can connect to my SFTP server perfectly fine.

Additional information:

Full reproduction steps.

```bash
# open termux
ssh-keygen -t ed25519 -C "foo@foo.com"
# no password
# check permissions are 600 or make it
cp sah_key storage/somewhere/readable/by/MaterialFile/
# permissions should now be 660 and immutable
```

Given that StrictMode on server side seems to be a way to produce the error on my end and given that this perfectly aligns with the permissions on the key, I think we can say that this is at least part of the issue. Requiring users to make their server less secure does not seem like an acceptable solution. But this is also why I suspected the key isn't stored in the app's system directory, because then it could control permissions and solve the issue. (If there is a way, without root, for me to access the termux folder I could try that key since it has the correct permissions, but I can't seem to navigate there. It's /data/data/com.termux/files/home. I can mount that location but if I navigate there it will exit your file manager and thus I can't select the key from inside MaterialFile)

> SSHJ requires support for Java 8 since 0.36

That's unfortunate. I'm assuming the limited Java 8 support isn't enough? Perhaps it's time to consider another solution? But I know that's a big undertaking (I'm certainly not expecting this fix any time soon, but it is a serious vulnerability and it appears other apps have solutions).
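As an added illustration (not code from Material Files, SSHJ or OpenSSH, and not posted by anyone in this thread), here is a small Python model of the two separate OpenSSH checks that the comments above touch on: the ssh client's refusal to use a private key whose mode is 0664 (the "UNPROTECTED PRIVATE KEY FILE" warning quoted earlier), and the sshd `StrictModes` directive (written "StrictMode" above), which inspects the server-side home directory, `~/.ssh` and `authorized_keys` rather than the client's key file. Every uid, path and mode in the block is constructed for the example; the "shared storage always reports 0660" behaviour is modelled from what the reproduction steps above report, not read from a real filesystem.

```python
"""
Model of the two OpenSSH permission checks discussed in this issue.

Added illustration, not code from Material Files, SSHJ or OpenSSH. The file
modes, uids and paths are constructed; the rules mirror documented OpenSSH
behaviour:
  * the ssh client ignores a private key it owns whose mode grants any
    group/other access ("UNPROTECTED PRIVATE KEY FILE");
  * sshd with `StrictModes yes` (the default) rejects public-key auth when the
    user's home, ~/.ssh or authorized_keys is group/world writable or owned by
    someone other than the user or root.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int  # permission bits only, e.g. 0o600
    uid: int   # owning user id


def client_key_ok(key: FileInfo, current_uid: int) -> tuple[bool, str]:
    """Client-side rule: a key file owned by the current user must have no
    group/other bits set at all. A key owned by a different user is not
    subject to this particular check (OpenSSH only tests its own files)."""
    if key.uid == current_uid and key.mode & 0o077:
        return False, (f"Permissions {key.mode:04o} for '{key.path}' are too open; "
                       "this private key will be ignored")
    return True, "key permissions acceptable"


def strict_modes_ok(files: list[FileInfo], user_uid: int) -> tuple[bool, str]:
    """Server-side rule (sshd StrictModes): every directory on the path to
    authorized_keys, and the file itself, must be owned by the user or root
    and must not be group- or world-writable."""
    for f in files:
        if f.uid not in (user_uid, 0):
            return False, f"{f.path}: owned by uid {f.uid}, not the user or root"
        if f.mode & 0o022:
            return False, f"{f.path}: mode {f.mode:04o} is group/world writable"
    return True, "StrictModes checks pass"


def strict_modes_fixes(files: list[FileInfo]) -> list[tuple[str, int]]:
    """Minimal mode changes that make StrictModes accept the path: clear the
    group/world write bits and leave everything else alone."""
    return [(f.path, f.mode & ~0o022) for f in files if f.mode & 0o022]


def shared_storage_mode(requested_mode: int) -> int:
    """Android shared storage as reported in this thread: files come out as
    0660 and chmod does not stick. Modelled as a constant (an assumption taken
    from the comments, not a lookup of the real filesystem)."""
    return 0o660


# Constructed scenario: key generated in Termux, then copied to shared storage.
TERMUX_UID = 10123  # constructed app uid for Termux
TERMUX_KEY = FileInfo("/data/data/com.termux/files/home/.ssh/private_key", 0o600, TERMUX_UID)
COPIED_KEY = FileInfo("/sdcard/keys/private_key", shared_storage_mode(0o600), TERMUX_UID)

# Constructed server-side layout for the account being logged into.
SERVER_UID = 1000
SERVER_FILES_GOOD = [
    FileInfo("/home/user", 0o755, SERVER_UID),
    FileInfo("/home/user/.ssh", 0o700, SERVER_UID),
    FileInfo("/home/user/.ssh/authorized_keys", 0o600, SERVER_UID),
]
SERVER_FILES_BAD = [
    FileInfo("/home/user", 0o775, SERVER_UID),  # group-writable home directory
    FileInfo("/home/user/.ssh", 0o700, SERVER_UID),
    FileInfo("/home/user/.ssh/authorized_keys", 0o600, SERVER_UID),
]

if __name__ == "__main__":
    for key in (TERMUX_KEY, COPIED_KEY):
        ok, why = client_key_ok(key, TERMUX_UID)
        print(f"{key.path}: {'OK' if ok else 'REJECTED'} ({why})")
    for layout in (SERVER_FILES_GOOD, SERVER_FILES_BAD):
        ok, why = strict_modes_ok(layout, SERVER_UID)
        print(f"server: {'OK' if ok else 'REJECTED'} ({why})")
        for path, mode in strict_modes_fixes(layout):
            print(f"  chmod {mode:o} {path}")
```

The point worth keeping in mind when reading the thread is that the two checks look at different files: relaxing `StrictModes` on the server only changes the server-side test of the login account's home, `~/.ssh` and `authorized_keys`, while the 0660 mode that shared storage reports only matters to a client that enforces OpenSSH's private-key rule. Material Files, as zhanghai notes above, hands SSHJ the key contents rather than a file path.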