Simple SFTP connection fails with EOF

Silver7845 · December 26, 2022, 10:09pm

What is the problem you are having with rclone?

rclone can't connect to my Remarkable 2 device via ssh, though ssh directly works fine. The error message is just error couldn't connect SSH: ssh: handshake failed: EOF.

I've tried:

rclone version from apt and 1.61.1 .deb download from rclone.org
auth with password
auth with RSA 2048 key, passphrase-encrypted and not
auth with ED25519 key, passphrase-encrypted and not
ssh-agent option in rclone enabled and not
interactive mode
replacing /bin/ssh with a script that calls ssh -vvv and logs output to a file
removing the $SSH_AUTH_SOCK env var so I'm sure it's not using the agent.

I'm not sure how to go further, since there is no rclone option to get ssh connection debug logs.

Run the command 'rclone version' and share the full output of the command.

rclone v1.61.1
- os/version: ubuntu 22.10 (64 bit)
- os/kernel: 5.19.0-21-generic (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.19.4
- go/linking: static
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

SFTP to a Remarkable 2 device. Direct SSH access works fine, with any of my keys or via password. Verbose SSH output tells me Remote protocol version 2.0, remote software version dropbear_2020.81

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

rclone copy /tmp/testing remarkable:/home/root/testing

The rclone config contents with secrets removed.

[remarkable]
type = sftp
host = 10.10.10.121
user = root
pass = XXXXXXXXXXXXXXXXXXXXXXXX

A log from the command with the `-vv` flag

$ rclone -vvv -i copy /tmp/testing remarkable:/home/root/testing

2022/12/26 23:01:06 DEBUG : rclone: Version "v1.61.1" starting with parameters ["rclone" "-vvv" "-i" "copy" "/tmp/testing" "remarkable:/home/root/.local/share/remarkable/xochitl"]
2022/12/26 23:01:06 DEBUG : Creating backend with remote "/tmp/testing"
2022/12/26 23:01:06 DEBUG : Using config file from "/home/ohthehugemanatee/.config/rclone/rclone.conf"
2022/12/26 23:01:06 DEBUG : Creating backend with remote "remarkable:/home/root/.local/share/remarkable/xochitl"
2022/12/26 23:01:06 DEBUG : pacer: low level retry 1/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:06 DEBUG : pacer: Rate limited, increasing sleep to 200ms
2022/12/26 23:01:07 DEBUG : pacer: low level retry 2/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:07 DEBUG : pacer: Rate limited, increasing sleep to 400ms
2022/12/26 23:01:07 DEBUG : pacer: low level retry 3/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:07 DEBUG : pacer: Rate limited, increasing sleep to 800ms
2022/12/26 23:01:07 DEBUG : pacer: low level retry 4/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:07 DEBUG : pacer: Rate limited, increasing sleep to 1.6s
2022/12/26 23:01:08 DEBUG : pacer: low level retry 5/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:08 DEBUG : pacer: Rate limited, increasing sleep to 2s
2022/12/26 23:01:10 DEBUG : pacer: low level retry 6/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:12 DEBUG : pacer: low level retry 7/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:14 DEBUG : pacer: low level retry 8/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:16 DEBUG : pacer: low level retry 9/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:18 DEBUG : pacer: low level retry 10/10 (error couldn't connect SSH: ssh: handshake failed: EOF)
2022/12/26 23:01:18 Failed to create file system for "remarkable:/home/root/.local/share/remarkable/xochitl": NewFs: couldn't connect SSH: ssh: handshake failed: EOF

I'm posting as Suspected Bug because this is the simplest operation and config I can imagine, on the most common distro. If it's user error, it's worth improving the error message.

Thank you for your help!

ncw · December 26, 2022, 10:29pm

That looks like something fundamental went wrong. You normally see an error there like no common ciphers or something like that.

You can try adding -vv ---dump bodies which may give you more debug for sftp (can't remember!)

Can you get logs off the device you are connecting to? That would be helpful.

Silver7845 · December 27, 2022, 11:44am

I totally agree... I just can't imagine what! I tried with various --dump flags, but got the same output. Even --dump openfiles to see if I could guess which one was getting a premature EOF.

Here's the log output from sshd on the server (good idea!), for one connection attempt:

Dec 27 11:00:02 reMarkable systemd[1]: Condition check resulted in SSH Key Generation being skipped.
-- Subject: A start job for unit dropbearkey.service has finished successfully
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- A start job for unit dropbearkey.service has finished successfully.
-- 
-- The job identifier is 3372.
Dec 27 11:00:03 reMarkable systemd[1]: Started SSH Per-Connection Server (10.10.10.210:56204).
-- Subject: A start job for unit dropbear@40-10.10.10.121:22-10.10.10.210:56204.service has finished successfully
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- A start job for unit dropbear@40-10.10.10.121:22-10.10.10.210:56204.service has finished successfully.
-- 
-- The job identifier is 3297.
Dec 27 11:00:03 reMarkable dropbear[4652]: Child connection from ::ffff:10.10.10.210:56204
Dec 27 11:00:03 reMarkable dropbear[4652]: Exit before auth from <::ffff:10.10.10.210:56204>: Failed assertion (../dropbear-2020.81/rsa.c:164): `key != NULL'
Dec 27 11:00:03 reMarkable systemd[1]: dropbear@40-10.10.10.121:22-10.10.10.210:56204.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The unit dropbear@40-10.10.10.121:22-10.10.10.210:56204.service has successfully entered the 'dead' state.

Here is journalctl output from a successful SSH connection attempt (from the same client machine):

Dec 27 11:01:58 reMarkable systemd[1]: dropbear@30-2a02:8109:a280:2288:72f7:54ff:fe76:b4b8:22-2a02:8109:a280:2288:42bf:a71f:2bb3:60ae:35620.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The unit dropbear@30-2a02:8109:a280:2288:72f7:54ff:fe76:b4b8:22-2a02:8109:a280:2288:42bf:a71f:2bb3:60ae:35620.service has successfully entered the 'dead' state.
Dec 27 11:02:03 reMarkable systemd[1]: Condition check resulted in SSH Key Generation being skipped.
-- Subject: A start job for unit dropbearkey.service has finished successfully
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- A start job for unit dropbearkey.service has finished successfully.
-- 
-- The job identifier is 3448.
Dec 27 11:02:03 reMarkable systemd[1]: Started SSH Per-Connection Server ([2a02:8109:a280:2288:42bf:a71f:2bb3:60ae]:35490).
-- Subject: A start job for unit dropbear@41-2a02:8109:a280:2288:72f7:54ff:fe76:b4b8:22-2a02:8109:a280:2288:42bf:a71f:2bb3:60ae:35490.service has finished successfully
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- A start job for unit dropbear@41-2a02:8109:a280:2288:72f7:54ff:fe76:b4b8:22-2a02:8109:a280:2288:42bf:a71f:2bb3:60ae:35490.service has finished successfully.
-- 
-- The job identifier is 3373.
Dec 27 11:02:03 reMarkable dropbear[4710]: Child connection from 2a02:8109:a280:2288:42bf:a71f:2bb3:60ae:35490
Dec 27 11:02:03 reMarkable dropbear[4710]: Pubkey auth succeeded for 'root' with key sha1!! 09:a0:c7:1f:ca:a2:a0:bb:7f:96:a6:49:0e:a6:67:db:2d:4c:ac:6e from 2a02:8109:a280:2288:42bf:a71f:2bb3:60ae:35490

So there is something different between the ssh-client connection and the rclone connection that causes dropbear to run the assertion check at dropbear-2020.81/rsa.c:164 ( dropbear/rsa.c at d852d69b50187dd81d424846e7dc677ec57e2d4f · mkj/dropbear · GitHub ). Without knowing the SSH connection options rclone uses it's tricky to figure out what the difference is.

The function with that assertion is only called from dropbear/signkey.c at 36a03132634a17c667c0fac0a8e1519b3d1b71c6 · mkj/dropbear · GitHub , to put a public RSA signing key into memory. I noticed that the server side has no host RSA key in /etc/dropbear, so I manually generated one per the doco... but no difference to the error.

The server is running with /usr/sbin/dropbear -i -r /etc/dropbear/dropbear_ed25519_host_key -B ... which is strange, because -r should indicate the server's RSA host key.

Hypothesis: openssh expects an ed25519 host key, so that -r problem is a non-issue. But rclone expects an rsa host key, so it breaks.

Maybe?

ncw · December 27, 2022, 11:54am

An ed25519 key isn't an RSA key though - maybe that is the problem?

Are there warnings earlier in the log about this?

I'd say if this is hitting an assert in dropbear then it is either a misconfiguration of dropbear or a bug in dropbear.

Silver7845 · December 27, 2022, 1:27pm

I bet you're right... but you know if I open a bug at Dropbear they will ask what rclone is doing that's different from openssh.

How does rclone open the SSH connection? Are there notable differences?

Silver7845 · December 28, 2022, 8:19am

I confirmed:

in the version of dropbear in use, -r is agnostic to the type of host key used. The default is an array of DSA, RSA, etc. So there's no special header mismatch where eg the key is presented as RSA but is really ed25519. It's presented as Ed25519 and that's what it is.
if I change how dropbear is launched to include an RSA host key, rclone works without complaint.

I've filed a support issue with Remarkable, since it's their implementation of dropbear at the root of this.

Now the question for rclone:

Is it a bug that rclone requires an RSA key and breaks with an unclear error message when one isn't available? IMO yes, the requirement should at least be documented and a clearer error message presented. But I'm not a maintainer.

ncw · December 28, 2022, 7:45pm

Rclone is quite capable of using a ed25519 key, I think it is just querying the RSA key first. I presume dropbear should be returning key not found or something like that to allow rclone to move on to the next one?

system · January 27, 2023, 7:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.