SSH auth error (known_host is updated unconditionally)
Closed this issue · 13 comments
When I try to connect to my ssh server via sftp I'm getting an error and can see this log entry on server side:
Feb 22 04:30:37 sshd: error: Received disconnect from x.x.x.x port xxxxx:9: Could not verify 'ssh-ed25519' host key with fingerprint 'xxx' for 'hostname' on port 2222 [preauth]
While connecting a dialog box with "unknown host key" appears, but pressing Accept doesn't change anything.
Edit: Have seen some sftp related commits after the release of 1.0.0, so the problem may already be fixed?
Hi, what Android version are you using? I remember I once had similar issues with KitKat... this definitely seems to be an SSHJ-related issue, so you may also have a search in the SSHJ issue page here. The sftp-related commits are for showing detailed progress, so I'm pretty sure they are unrelated to this.
I'm using LineageOS 15.1, so Android 8.1 or Oreo.
My OpenSSH is the recent version 7.9p1 configured on the basis of the "modern" guidelines of the Mozilla security guidelines from https://infosec.mozilla.org/guidelines/
ConnectBot is working well with this configuration.
Will have a look at the SSHJ issues soon.
Thanks for the great work, I love so-called orthodox file managers, like Norton Commander.
I'm not able to reproduce the issue, I tried connecting both from an Android-x86 8.1 VM and from an Android 6 smartphone to a Linux SSH server, with explicit host key verification limited to ed25519. The expected behaviour is that, for the first connection to an unknown SSH server, once Accept is pressed, the app will add it to its known_hosts file, try to reconnect and load the remote file list, which you should find at the end. I have the same verification error in my sshd log, but I manage to connect anyway (I suspect the verification outcome is ignored, will have to check this anyway).
Just found out, the key gets added every time when I press accept. Even if I delete the known_hosts its behaviour is like this.
The file looks like this:
my.full.domain ssh-ed25519 KeyValue
my.full.domain ssh-ed25519 KeyValue
my.full.domain ssh-ed25519 KeyValue
my.full.domain ssh-ed25519 KeyValue
my.full.domain ssh-ed25519 KeyValue
Sorry, but I still don't manage to cause the behaviour you describe. I need more information, e.g. some logcat starting from a clean installation or similar... The method responsible for adding host keys to known_hosts preliminarily checks that the given key exists in the file, so the problem may be due to some weird scenario I'm not aware of.
Thank you for diving into it.
I uninstalled xfiles and reinstalled it, then tried the sftp content again, same error, here is the log:
https://ghostbin.com/paste/xj8o5
I see a "getChannel error" in your logcat, due to a generic IOException, which may only be thrown from an InteractiveHostKeyVerifier constructor, a loadKeys() method, and a connect() method... That makes me suspect that there could be some problem with the access to the known_hosts file, and that the problem doesn't depend on the host key algorithm used (ed25519). I encourage you to try connecting to another OpenSSH server with an rsa or dsa host key in order to verify this, and/or connecting to the same OpenSSH server from another Android device. One last question: are you trying to connect using password or public key authentication?
I'm on holiday so I could only do a short test via VPN to my OpenWRT router which has DropBear and RSA key change.
Same problem:
02-26 20:03:43.713 E/KeyExchanger(10982): Disconnecting because none of the configured Host key verifiers ([it.pgp.xfiles.sftpclient.InteractiveHostKeyVerifier@f5e4eca]) could verify 'ssh-rsa' host key with fingerprint xxxxx for hostname:2222
I use public key authentication on my laptop, but on my phone I'm using password authentication only.
Cannot reproduce even on physical device + LineageOS, closing for now...
Yes OK, but the bug is still there.
Tested with 1.0.5:
05-15 17:26:12.511 E/KeyExchanger(1611): Disconnecting because none of the configured Host key verifiers ([it.pgp.xfiles.sftpclient.InteractiveHostKeyVerifier@a94bdd4]) could verify 'ssh-rsa' host key with fingerprint 93:74:20:2b:b0:a6:44:19:a7:ae:d0:49:7d:26:48:e7 for 10.10.10.1:2222
Should be fixed now
I'm glad you found the problem, thank you :-)
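
Added example, not XFiles or SSHJ code: a check-then-append for known_hosts that stays idempotent when Accept is pressed repeatedly and looks up servers on a non-default port under OpenSSH's `[host]:port` form. The function names and key value are constructed for illustration, and the thread does not state whether either point was the actual cause of the bug.

```python
import os
import tempfile

def host_pattern(host, port=22):
    """known_hosts host field: bare name on port 22, "[host]:port" otherwise."""
    return host if port == 22 else f"[{host}]:{port}"

def parse_line(line):
    """Return (host_patterns, key_type, key_b64), or None for lines not handled here."""
    fields = line.split()
    if len(fields) < 3 or fields[0][0] in "#@|":
        return None  # blank, comment, @marker or hashed-host line (out of scope)
    return fields[0].split(","), fields[1], fields[2]

def check(path, host, port, key_type, key_b64):
    """Return 'match', 'mismatch' (same host and type, other key) or 'unknown'."""
    wanted, result = host_pattern(host, port), "unknown"
    if not os.path.exists(path):
        return result
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            entry = parse_line(raw)
            if entry is None or wanted not in entry[0] or entry[1] != key_type:
                continue
            if entry[2] == key_b64:
                return "match"
            result = "mismatch"  # keep scanning: a later line may still match
    return result

def accept(path, host, port, key_type, key_b64):
    """Append only when the host is unknown; never on 'match' or 'mismatch'."""
    if check(path, host, port, key_type, key_b64) != "unknown":
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{host_pattern(host, port)} {key_type} {key_b64}\n")
    return True

def demo():
    """Constructed data: accept the same key twice for a server on port 2222."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "known_hosts")
        key = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForExample"
        first = accept(path, "my.full.domain", 2222, "ssh-ed25519", key)
        second = accept(path, "my.full.domain", 2222, "ssh-ed25519", key)
        with open(path, encoding="utf-8") as fh:
            return first, second, fh.read().splitlines()
```

A `mismatch` result is deliberately not auto-appended: a changed key for a known host should be surfaced to the user rather than written next to the old one.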