Can rclone be made to work with an SFTP server confining users to an SFTP Jail and no login?

What is the problem you are having with rclone?

For security reasons, users of an application I am working on use an SFTP server but are not allowed SSH login and are confined to an SFTP Jail. rclone gives me the error messages shown in the log.

Run the command 'rclone version' and share the full output of the command.

C:\Users\justme>rclone version
rclone v1.65.2
- os/version: Microsoft Windows 10 Home 22H2 (64 bit)
- os/kernel: 10.0.19045.4046 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.21.6
- go/linking: static
- go/tags: cmount

C:\Users\justme>

Which cloud storage system are you using? (eg Google Drive)

None. I am using my own SFTP server on Ubuntu 22.04.

The command you were trying to run (eg rclone copy /tmp remote:tmp)

C:\Users\justme>rclone mount fort_tu1_new_2: Z:  
2024/03/06 10:45:23 NOTICE: fort_tu1_new_2: --sftp-ssh is in use - ignoring user/host/port from config - set in the parameters to --sftp-ssh (remove them from the config to silence this warning)
2024/03/06 10:46:45 Failed to create file system for "fort_tu1_new_2:": NewFs: couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF

C:\Users\justme>

Please run 'rclone config redacted' and share the full output. If you get

[fort_tu1]
type = sftp
host = 208.113.134.46
user = tu1
key_pem = C:\Users\justme\.ssh\id_ed25519_tu1.pem
ssh = ssh -i C:\Users\justme\.ssh\id_ed25519_tu1.pem tu1@208.113.134.46
known_hosts_file = C:\Users\justme\.ssh\known_hosts
shell_type = none
skip_links = true
idle_timeout = 10m0s

[fort_tu1_new]
type = sftp
host = 208.113.134.46
user = tu1
key_file = C:\Users\justme\.ssh\id_ed25519_tu1
ssh = ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46
shell_type = none
skip_links = true
idle_timeout = 10m0s

[fort_tu1_new_2]
type = sftp
host = 208.113.134.46
user = tu1
key_file = C:\Users\justme\.ssh\id_ed25519_tu1
ssh = ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46
idle_timeout = 10m0s

A log from the command that you were trying to run with the -vv flag

C:\Users\justme>rclone mount fort_tu1_new_2: Z:  -vv
2024/03/06 11:28:12 DEBUG : rclone: Version "v1.65.2" starting with parameters ["rclone" "mount" "fort_tu1_new_2:" "Z:" "-vv"]
2024/03/06 11:28:12 DEBUG : Creating backend with remote "fort_tu1_new_2:"
2024/03/06 11:28:12 DEBUG : Using config file from "C:\\Users\\justme\\Desktop\\rclone\\rclone.conf"
2024/03/06 11:28:12 NOTICE: fort_tu1_new_2: --sftp-ssh is in use - ignoring user/host/port from config - set in the parameters to --sftp-ssh (remove them from the config to silence this warning)
2024/03/06 11:28:12 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:28:12 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:28:21 DEBUG : pacer: low level retry 1/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:28:21 DEBUG : pacer: Rate limited, increasing sleep to 200ms
2024/03/06 11:28:21 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:28:21 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:28:29 DEBUG : pacer: low level retry 2/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:28:29 DEBUG : pacer: Rate limited, increasing sleep to 400ms
2024/03/06 11:28:29 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:28:29 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:28:37 DEBUG : pacer: low level retry 3/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:28:37 DEBUG : pacer: Rate limited, increasing sleep to 800ms
2024/03/06 11:28:37 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:28:37 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:28:45 DEBUG : pacer: low level retry 4/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:28:45 DEBUG : pacer: Rate limited, increasing sleep to 1.6s
2024/03/06 11:28:45 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:28:45 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:28:53 DEBUG : pacer: low level retry 5/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:28:53 DEBUG : pacer: Rate limited, increasing sleep to 2s
2024/03/06 11:28:53 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:28:53 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:29:02 DEBUG : pacer: low level retry 6/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:29:02 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:29:02 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:29:10 DEBUG : pacer: low level retry 7/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:29:10 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:29:10 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:29:18 DEBUG : pacer: low level retry 8/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:29:18 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:29:18 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:29:26 DEBUG : pacer: low level retry 9/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:29:26 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: creating additional session
2024/03/06 11:29:26 DEBUG : sftp://tu1@208.113.134.46:22/: ssh external: running: ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46 -s sftp
2024/03/06 11:29:34 DEBUG : pacer: low level retry 10/10 (error couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF)
2024/03/06 11:29:34 Failed to create file system for "fort_tu1_new_2:": NewFs: couldn't initialise SFTP: error receiving version packet from server: server unexpectedly closed connection: unexpected EOF

C:\Users\justme>

The SFTP server allows SFTP with no SSH login and users are in an SFTP Jail. This is what happens if the user tries to do an SSH login

C:\Users\justme>ssh  -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@208.113.134.46
This service allows sftp connections only.
Connection to 208.113.134.46 closed.

C:\Users\justme>

It looks to me like rclone needs to do ssh login. If that is the case then rclone will not work for my application. For security reasons, users are not allowed ssh login and are confined to an SFTP Jail. Can rclone working with SFTP jailed users be made to work without SSH login? Please advise.

Just to give this thread a proper ending, I found that to prevent the remote from attempting ssh login, the line "ssh = " in the config must not show an ssh command or else the remote will attempt ssh login even though there is "shell_type = none".

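The finding above can be checked across a whole config file. This is an added example, not code from the posters or from the rclone project: a small Python audit of an rclone.conf that flags SFTP remotes where `ssh` holds a command, which per this thread makes rclone go through the external ssh binary even with `shell_type = none`. The sample config is constructed (placeholder host `sftp.example.org`), and the function name and finding labels are hypothetical.

```python
import configparser
# Constructed sample modelled on this thread's remotes (placeholder host).
SAMPLE_CONF = r"""
[jail_external_ssh]
type = sftp
host = sftp.example.org
user = tu1
ssh = ssh -i C:\Users\justme\.ssh\id_ed25519_tu1 tu1@sftp.example.org
shell_type = none

[jail_internal]
type = sftp
host = sftp.example.org
user = tu1
ssh =
shell_type = none

[jail_autodetect]
type = sftp
host = sftp.example.org
"""

def audit_sftp_remotes(conf_text):
    """Return {remote: [findings]} for every sftp remote in an rclone.conf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "sftp":
            continue
        findings = []  # finding labels are hypothetical, chosen for this example
        ssh_cmd = sec.get("ssh", "").strip()
        shell_type = sec.get("shell_type", "").strip()
        if ssh_cmd:  # rclone runs this external command, not its built-in client
            findings.append("ssh-command-set")
            ignored = [k for k in ("user", "host", "port") if sec.get(k)]
            if ignored:  # matches the NOTICE line in the log above
                findings.append("ignored:" + ",".join(ignored))
            if shell_type == "none":
                findings.append("shell_type-none-with-ssh")
        if not shell_type:  # unset: rclone probes for a remote shell on first access
            findings.append("shell_type-unset")
        report[name] = findings
    return report

if __name__ == "__main__":
    for remote, findings in audit_sftp_remotes(SAMPLE_CONF).items():
        print(remote, findings or "ok")
```

A remote that reports no findings matches the configuration the original poster ended up with: `ssh` left empty and `shell_type = none`.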

Would you mind updating rclone docs with this clarification? It is not something everybody experiences but is priceless when needed IMO

I think it would be great to add this to:

here:

click edit (pen icon) -> create fork -> edit -> submit PR

or maybe in "Limitations"..?

It does not look to me like these are proper places where to put it. Putting it there will probably disrupt the flow. Perhaps it should be placed where the config "ssh = " and "shell_type = " are explained.

The following paragraph in the documentation page SFTP

Rclone tries to auto-detect what type of shell is used on the server, first time you access the SFTP remote. If a remote shell session is successfully created, it will look for indications that it is CMD or PowerShell, with fall-back to Unix if not something else is detected. If unable to even create a remote shell session, then shell command execution will be disabled entirely. The result is stored in the SFTP remote configuration, in option `shell_type`, so that the auto-detection only have to be performed once. If you manually set a value for this option before first run, the auto-detection will be skipped, and if you set a different value later this will override any existing. Value `none` can be set to avoid any attempts at executing shell commands, e.g. if this is not allowed on the server.

should probably be altered to become:

Rclone tries to auto-detect what type of shell is used on the server, first time you access the SFTP remote. If a remote shell session is successfully created, it will look for indications that it is CMD or PowerShell, with fall-back to Unix if not something else is detected. If unable to even create a remote shell session, then shell command execution will be disabled entirely. The result is stored in the SFTP remote configuration, in option `shell_type`, so that the auto-detection only have to be performed once. If you manually set a value for this option before first run, the auto-detection will be skipped, and if you set a different value later this will override any existing. Value `none` can be set to avoid any attempts at executing shell commands, e.g. if this is not allowed on the server. However, if you have “shell_type = none” in the configuration then you should not have an ssh command such as “ssh = ssh -i path\ssh_id user@ip-address”, you should have “ssh = ” instead.

Please pull or push a request, I am not set up to do that.


Thx for experimenting and clarification suggestions.

It has been incorporated into docs now.

Looking further down in the same page, there is a paragraph:

The shell type auto-detection logic, described above, means that by default rclone will try to run a shell command the first time a new sftp remote is accessed. If you configure a sftp remote without a config file, e.g. an on the fly remote, rclone will have nowhere to store the result, and it will re-run the command on every access. To avoid this you should explicitly set the shell_type option to the correct value, or to none if you want to prevent rclone from executing any remote shell commands.

Do you think we should add the sentence there too?

IMO no need to repeat the same again. But maybe others think differently.

I agree with you; that second paragraph in its original form without the new sentence is repeating information. Someone may read it and miss our new sentence. Perhaps something should be done to it.
