SFTP connector with Kerberos environment

What is the problem you are having with rclone?

I cannot get rclone sftp to connect to our local Linux systems. We use our Kerberos cell for passwords. We also use Duo for two-factor auth, but I'm not even getting that far.

I can connect by normal sftp <hostname>

What is your rclone version (output from rclone version)

rclone v1.49.1

Which OS are you using and how many bits (eg Windows 7, 64 bit)

CentOS 7, 64 bit

Which cloud storage system are you using? (eg Google Drive)

sftp

[gl-xfer]
type = sftp
host = <hostname>
use_insecure_cipher = false
disable_hashcheck = true

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls --sftp-ask-password -vvvvv gl-xfer:

A log from the command with the -vv flag (eg output from rclone -vv copy /tmp remote:tmp)

[brockp@gl-login1 ~]$ /tmp/rclone-v1.51.0-linux-amd64/rclone ls --sftp-ask-password -vvvvv gl-xfer:
2020/03/02 10:16:40 DEBUG : rclone: Version "v1.51.0" starting with parameters ["/tmp/rclone-v1.51.0-linux-amd64/rclone" "ls" "--sftp-ask-password" "-vvvvv" "gl-xfer:"]
2020/03/02 10:16:40 DEBUG : Using config file from "/home/brockp/.config/rclone/rclone.conf"
Enter SFTP password: 
2020/03/02 10:16:43 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain)
2020/03/02 10:16:43 DEBUG : pacer: Rate limited, increasing sleep to 200ms

That looks like the SSH server refused to negotiate with a password.

It would be worth giving the latest release a go to see if that makes a difference.

Can you set up an ssh agent?

I don't think the Go ssh package supports Kerberos directly: https://github.com/golang/go/issues/25899

No luck, same behavior with 1.51; also, SSH keys are disabled on this system.
I should clarify the Kerberos part. We're not using tokens; we use pam_kerb to verify passwords, much like how someone would use AD or another directory to replace local password hashes.

ssh <hostname>   #Enter password

Works just fine

2020/04/01 13:42:04 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "ls" "--sftp-ask-password" "-vvvvv" "data-den:/nfs/locker"]
2020/04/01 13:42:04 DEBUG : Using config file from "/Users/brockp/.rclone.conf"
Enter SFTP password: 
2020/04/01 13:42:09 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain)

OK, actually I was wrong: the server does accept public key, and that worked on the host that has the special SCPONLY shell set up. (Doesn't allow normal shells to be created.)

I still don't understand why --sftp-ask-password doesn't trigger keyboard-interactive login.

It appeared to here? Did that not work?

It prompts, but then starts:

2020/04/01 13:42:09 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain)

So yeah, it asks for the password and then just goes into the fail/retry loop.

Ah I see.

From the log the remote end didn't accept password authentication.

Do you have to do something special with Kerberos? I will admit to knowing nothing about Kerberos at all!

If you run your ssh with the -vvv flag then you might get some idea of what extra ssh is doing over rclone.
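A small diagnostic, added here as an example and not part of the original thread or of rclone, that does the comparison this post suggests: it pulls the server's "Authentications that can continue:" list out of ssh -vvv output and checks it against the methods a given client implements. The "Authentications that can continue" line is genuine OpenSSH client output; the sample log, the hypothetical host and the two client profiles are constructed for illustration. The Go ssh package reports "attempted methods [none], no supported methods remain" once none of its configured methods is left in that list, so a server that offers keyboard-interactive (what sshd advertises for PAM-verified passwords when ChallengeResponseAuthentication is on and PasswordAuthentication is off) but not plain password leaves a password-only client with nothing usable, even though it already prompted.

```python
"""Compare the auth methods an SSH server offers with those a client implements.

OpenSSH's client prints the server's remaining methods on every
"Authentications that can continue:" line when run with -v or more.
The Go ssh package used by rclone fails with "attempted methods [...],
no supported methods remain" once none of its configured methods is left.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of `ssh -vvv alice@host` output (hypothetical host, not
# a capture from the thread). This sshd offers publickey and
# keyboard-interactive but never plain "password".
SAMPLE_SSH_VVV_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/alice/.ssh/id_ed25519
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: authmethod_lookup keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

# The error line quoted in the thread above.
RCLONE_ERROR_LINE = (
    "2020/04/01 13:42:09 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: "
    "ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], "
    "no supported methods remain)"
)

_OFFER_RE = re.compile(r"Authentications that can continue: ([\w,-]+)")
_GO_ERR_RE = re.compile(r"attempted methods \[([^\]]*)\], no supported methods remain")


def offered_methods(debug_log: str) -> List[Set[str]]:
    """Every method set the server advertised, in order (one per failed attempt)."""
    return [set(m.group(1).split(",")) for m in _OFFER_RE.finditer(debug_log)]


def final_offer(debug_log: str) -> Set[str]:
    """The last list the server sent; empty if the log never reached userauth."""
    offers = offered_methods(debug_log)
    return offers[-1] if offers else set()


def client_attempted_methods(log_line: str) -> List[str]:
    """Methods the Go ssh client tried before giving up, from rclone's error line.

    Go formats the slice as "[none password]"; "[none]" alone means the client
    had no configured method left after the initial probe.
    """
    m = _GO_ERR_RE.search(log_line)
    return m.group(1).split() if m else []


def diagnose(offered: Set[str], client_methods: Iterable[str]) -> Dict[str, object]:
    """Intersect server and client methods and say which side blocks the login."""
    client = set(client_methods)
    usable = offered & client
    return {
        "ok": bool(usable),
        "usable": sorted(usable),
        "missing_on_client": sorted(offered - client),   # server would accept these
        "refused_by_server": sorted(client - offered),   # client has these, server won't take them
    }


if __name__ == "__main__":
    offer = final_offer(SAMPLE_SSH_VVV_LOG)
    print("server offers:", sorted(offer))
    print("Go client tried:", client_attempted_methods(RCLONE_ERROR_LINE))
    # Hypothetical client profiles: one that only implements "password", and
    # one with the methods an OpenSSH client normally has.
    for name, methods in [
        ("password-only client", ["password"]),
        ("openssh-like client", ["publickey", "keyboard-interactive", "password"]),
    ]:
        print(name, diagnose(offer, methods))
```

To use it on a real host, capture the client side with ssh -vvv user@host 2> ssh.log and pass the file contents to final_offer. If password is absent from the result but keyboard-interactive is present, an SFTP client that only implements the password method will prompt and then fail no matter what is typed, which is the pattern worth ruling in or out before looking at Kerberos itself.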

Just to close the loop on this: moved to SSH keys (turns out they were supported on the host with the scponly shell) and that works.

Still don't know why it doesn't prompt for a password. I think the Kerb is going down the wrong path. Kerb tokens are not used for auth. PAM is reaching out to Kerb to auth the password rather than LDAP, unixpasswd, etc. So to ssh and rclone it should be no different than normal password auth. Strange.


It is possible it is something to do with kerberos - I've had reports of problems with rclone sftp and kerberos before...

Anyway, glad you've fixed it!

I'd like to follow up on this question. I would love to see Kerberos support for rclone sftp. This would make it so that passwords don't have to live in the config file at all. Some environments don't permit SSH keys, so the workaround won't work.

The key question here is support for GSSAPI. If we have GSSAPI support, then Kerberos will work.
When using the ssh command, this is enabled via the -K flag (or setting "GSSAPIAuthentication yes" in the ~/.ssh/config file for the target host). In rsync, this can be done via: 'rsync -e "ssh -K" ...' if the ~/.ssh/config is not set.

@ncw is right, this looks like it may already be a feature request:
https://github.com/rclone/rclone/issues/3181
https://github.com/golang/go/issues/25899

I hope this does get implemented soon! Thank you.

There either needs to be a go library for it, or a command line tool that rclone can shell out to as a helper.

Do you think the latter is possible?
