I cannot get rclone sftp to connect to our local Linux systems. We use our Kerberos cell for passwords. We also use Duo for two-factor auth, but I am not even getting that far.
I can connect by normal sftp <hostname>
What is your rclone version (output from rclone version)
rclone v1.49.1
Which OS you are using and how many bits (eg Windows 7, 64 bit)
CentOS 7 64 bit
Which cloud storage system are you using? (eg Google Drive)
No luck, same behavior with 1.51, also SSH keys are disabled on this system.
I should clarify with the Kerberos. We're not using tokens; we use pam_kerb to verify passwords, much like how someone would use AD or another directory to replace local password hashes.
ssh <hostname> #Enter password
Works just fine
2020/04/01 13:42:04 DEBUG : rclone: Version "v1.51.0" starting with parameters ["rclone" "ls" "--sftp-ask-password" "-vvvvv" "data-den:/nfs/locker"]
2020/04/01 13:42:04 DEBUG : Using config file from "/Users/brockp/.rclone.conf"
Enter SFTP password:
2020/04/01 13:42:09 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain)
OK, actually I was wrong: the server does accept public key, and that worked on the host that has the special shell SCPONLY set up. (Doesn't allow normal shells to be created.)
Still don't understand why the --sftp-ask-password doesn't trigger keyboard-interactive login.
2020/04/01 13:42:09 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: ssh: unable to authenticate, attempted methods [none], no supported methods remain)
So yeah, it asks for the password and then just goes into the fail/retry loop.
Just to close the loop on this. Moved to SSH keys (turns out it was supported on the host with the scponly shell) and that works.
Still don't know why it doesn't prompt for a password. I think the Kerb is going down the wrong path. Kerb tokens are not used for auth. PAM is reaching out to Kerb to auth the password rather than LDAP, unixpasswd etc. So to ssh and rclone it should be no different than normal password auth. Strange.
I'd like to follow up on this question. I would love to see Kerberos support for rclone sftp. This would make it so that passwords don't have to live on the config file at all. Some environments don't permit SSH keys, so the workaround won't work.
The key question here is support for GSSAPI. If we have GSSAPI support, then Kerberos will work.
When using the ssh command, this is enabled via the -K flag (or setting "GSSAPIAuthentication yes" in the ~/.ssh/config file for the target host). In rsync, this can be done via: 'rsync -e "ssh -K" ...' if the ~/.ssh/config is not set.
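An added diagnostic example, not part of the thread or of rclone: the "attempted methods [none], no supported methods remain" error in the log above is what the SSH client library reports when none of the methods the server advertises is one the client was set up to try, so listing the advertised methods shows whether `password`, `keyboard-interactive` or `gssapi-with-mic` is on offer. The function names and the sample `ssh -v` output are constructed for illustration; `probe_server` needs network access to a real host.

```shell
#!/bin/sh
# Added example: compare the SSH auth methods a server advertises with the
# methods a client is configured to try. Function names are hypothetical.

# Constructed sample of `ssh -v` output (not taken from the thread's server).
SAMPLE_LOG='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.'

# Read `ssh -v` output on stdin; print the advertised methods, one per line.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' \
        | head -n 1 | tr -d '\r' | tr ',' '\n'
}

# usable_methods "m1 m2 ...": read `ssh -v` output on stdin and print the
# methods that are both advertised by the server and in the client's list.
usable_methods() {
    client=$1
    offered_methods | while IFS= read -r m; do
        for c in $client; do
            if [ "$m" = "$c" ]; then
                printf '%s\n' "$m"
            fi
        done
    done
}

# Live probe: ask the server for its method list without authenticating.
# PreferredAuthentications=none makes ssh send only the initial "none" request.
probe_server() {
    ssh -v -o PreferredAuthentications=none -o BatchMode=yes \
        -o ConnectTimeout=5 "$1" true 2>&1 | offered_methods
}

# Demo on the constructed sample: a password-only client has nothing usable.
if [ -z "$(printf '%s\n' "$SAMPLE_LOG" | usable_methods "password")" ]; then
    echo "password-only client: no supported methods remain"
fi
```

An empty result from `usable_methods "password"` against the real server's output would mean the server expects `keyboard-interactive` or another method rather than plain `password`.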