Proftpd 1.3.7a: publickey authentication with ed25519 key not working

wtptrs

We're authenticating to sftp using rsa keys. Since proftpd 1.3.7, authentication with ed25519 keys should be implemented but it doesn't seem to be working. I've updated libsodium and proftpd through Custombuild. The server OS is Debian 9. Anything else required? More information:

proftpd version info:

Code:
  Version: 1.3.7a (maint)
    configure  '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var/run' '--mandir=/usr/share/man' '--without-pam' '--disable-auth-pam' '--enable-nls' '--enable-openssl' '--with-modules=mod_ratio:mod_readme:mod_tls:mod_sftp'
  LIBS:  -lssl -lcrypto -lsodium -lcap  -lssl  -lcrypto -lsupp -lcrypt -ldl  -liconv
    + Sodium support

Adding
Code:
--with-includes=/usr/local/include/sodium --with-libraries=/usr/local/lib
to the build doesn't make a difference.

Upgrading OpenSSL with unofficial repositories and rebuilding proftpd doesn't make a difference either:

Code:
root@server:~# openssl version
OpenSSL 1.1.1g  21 Apr 2020
root@server:~# proftpd -V |grep OpenSSL
    + OpenSSL support (OpenSSL 1.1.1g  21 Apr 2020)

sftp -vvv:

Code:
debug1: Offering ED25519 public key: /home/USER/.ssh/id_ed25519
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug1: Authentication succeeded (publickey).
Authenticated to IP_ADDRESS ([IP_ADDRESS]:PORT).
debug2: fd 4 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cc -1)

debug1: fd 0 clearing O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Connection to IP ADDRESS closed by remote host.
Transferred: sent 2744, received 2024 bytes, in 0.0 seconds
Bytes per second: sent 37126355.4, received 27384746.1
debug1: Exit status -1
Couldn't read packet: Connection reset by peer

sftp.log:

Code:
2020-08-31 13:34:18,765 mod_sftp/1.0.1[27111]: sent server version 'SSH-2.0-mod_sftp'
2020-08-31 13:34:18,765 mod_sftp/1.0.1[27111]: received client version 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8'
2020-08-31 13:34:18,765 mod_sftp/1.0.1[27111]: handling connection from SSH2 client 'OpenSSH_7.2p2'
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session key exchange: [email protected]
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session server hostkey: rsa-sha2-512
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session client-to-server encryption: aes128-ctr
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session server-to-client encryption: aes128-ctr
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session client-to-server MAC: [email protected]
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session server-to-client MAC: [email protected]
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session client-to-server compression: none
2020-08-31 13:34:18,768 mod_sftp/1.0.1[27111]:  + Session server-to-client compression: none
2020-08-31 13:34:18,830 mod_sftp/1.0.1[27111]: sending acceptable userauth methods: publickey
2020-08-31 13:34:18,831 mod_sftp/1.0.1[27111]: public key SHA256 fingerprint: b4:9a:61:bc:37:e7:ea:55:d5:8f:21:d7:14:6e:8b:eb:f3:ae:ba:28:7e:13:f8:12:df:f0:b5:32:ef:d2:5f:6e
2020-08-31 13:34:18,834 mod_sftp/1.0.1[27111]: sending publickey OK
2020-08-31 13:34:18,840 mod_sftp/1.0.1[27111]: public key SHA256 fingerprint: b4:9a:61:bc:37:e7:ea:55:d5:8f:21:d7:14:6e:8b:eb:f3:ae:ba:28:7e:13:f8:12:df:f0:b5:32:ef:d2:5f:6e
2020-08-31 13:34:18,843 mod_sftp/1.0.1[27111]: sending userauth failure; remaining userauth methods: publickey

journalctl:

Code:
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - USER [email protected] (Login failed): authentication via 'rsa-sha2-512' public key failed
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - -----BEGIN STACK TRACE-----
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [0] /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(CRYPTO_atomic_add+0x2) [0x7fa304dd0802]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [1] /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(CRYPTO_atomic_add+0x2) [0x7fa304dd0802]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [2] /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(EVP_PKEY_free+0x34) [0x7fa304d751e4]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [3] proftpd: (authenticating) - (connecting): IDLE(sftp_keys_verify_pubkey_type+0xc1) [0x56251
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [4] proftpd: (authenticating) - (connecting): IDLE(sftp_auth_publickey+0x110) [0x5625185dde10]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [5] proftpd: (authenticating) - (connecting): IDLE(sftp_auth_handle+0x698) [0x5625185b5ff8]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [6] proftpd: (authenticating) - (connecting): IDLE(sftp_ssh2_packet_handle+0xff) [0x56251859e0
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [7] proftpd: (authenticating) - (connecting): IDLE(+0xd04da) [0x56251859b4da]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [8] proftpd: (authenticating) - (connecting): IDLE(+0x2b5c5) [0x5625184f65c5]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [9] proftpd: (authenticating) - (connecting): IDLE(+0x2beff) [0x5625184f6eff]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [10] proftpd: (authenticating) - (connecting): IDLE(main+0x5a6) [0x5625184f4f56]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [11] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7fa3042532e1]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [12] proftpd: (authenticating) - (connecting): IDLE(_start+0x2a) [0x5625184f548a]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - -----END STACK TRACE-----
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - ProFTPD terminating (signal 11)
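As an added triage example (not code from this thread, from DirectAdmin or from ProFTPD itself), the script below correlates, per worker PID, the three things the journal excerpt above shows in sequence: a public-key login failure, the stack trace ProFTPD prints, and the `ProFTPD terminating (signal 11)` line. It reports the innermost frame (here inside libcrypto) and the innermost frame that belongs to proftpd's own code, so a defender can tell a crash during key verification apart from an ordinary failed login, and can see which key algorithm the server recorded for the attempt. The sample journal lines are constructed to mirror the excerpt; HOSTNAME, CLIENT IP, the user names and the `0xADDR` values are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample mirroring the journalctl excerpt in the thread; HOSTNAME,
# CLIENT IP, user names and the 0xADDR values are placeholders, not real data.
SAMPLE_JOURNAL = """\
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - USER alice (Login failed): authentication via 'rsa-sha2-512' public key failed
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - -----BEGIN STACK TRACE-----
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [0] /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(CRYPTO_atomic_add+0x2) [0xADDR]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [1] /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(EVP_PKEY_free+0x34) [0xADDR]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [2] proftpd: (authenticating) - (connecting): IDLE(sftp_keys_verify_pubkey_type+0xc1) [0xADDR]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [3] proftpd: (authenticating) - (connecting): IDLE(sftp_auth_publickey+0x110) [0xADDR]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - [4] proftpd: (authenticating) - (connecting): IDLE(+0xd04da) [0xADDR]
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - -----END STACK TRACE-----
Aug 31 15:27:43 HOSTNAME proftpd[23095]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - ProFTPD terminating (signal 11)
Aug 31 15:30:01 HOSTNAME proftpd[23100]: 0.0.0.0 (CLIENT IP[CLIENT IP]) - USER bob (Login failed): authentication via 'rsa-sha2-512' public key failed
"""

# One regex per line shape we care about; every other line is ignored.
PROC_RE = re.compile(r"proftpd\[(\d+)\]: .*? - (.*)$")           # pid + message after the client prefix
FAIL_RE = re.compile(r"USER (\S+) \(Login failed\): authentication via '([^']+)' public key failed")
FRAME_RE = re.compile(r"^\[(\d+)\] (.*)\(([A-Za-z_]\w*)?\+0x[0-9a-fA-F]+\)")  # "[n] module(symbol+0xoff)"
TERM_RE = re.compile(r"ProFTPD terminating \(signal (\d+)\)")


@dataclass
class Frame:
    index: int
    module: str   # shared-object path, or the proftpd process title for its own frames
    symbol: str   # "?" when the frame carried no symbol, e.g. "IDLE(+0xd04da)"

    @property
    def in_proftpd(self) -> bool:
        return self.module.startswith("proftpd")


@dataclass
class CrashEvent:
    pid: int
    signal: int
    user: Optional[str]        # from the most recent Login failed line of this worker
    key_algo: Optional[str]    # algorithm the server logged for that attempt
    frames: List[Frame] = field(default_factory=list)

    @property
    def crash_site(self) -> Optional[str]:
        """Innermost symbolised frame in proftpd's own code (the caller of the faulting library call)."""
        for fr in self.frames:
            if fr.in_proftpd and fr.symbol != "?":
                return fr.symbol
        return None


@dataclass
class _PidState:
    last_fail: Optional[tuple] = None
    in_trace: bool = False
    frames: List[Frame] = field(default_factory=list)


def triage(lines) -> List[CrashEvent]:
    """Walk journal lines once, keeping per-PID state, and emit one CrashEvent per worker that died."""
    states: Dict[int, _PidState] = {}
    events: List[CrashEvent] = []
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        st = states.setdefault(pid, _PidState())
        if (f := FAIL_RE.search(msg)):
            st.last_fail = (f.group(1), f.group(2))
        elif msg.startswith("-----BEGIN STACK TRACE"):
            st.in_trace, st.frames = True, []
        elif msg.startswith("-----END STACK TRACE"):
            st.in_trace = False
        elif st.in_trace and (fr := FRAME_RE.match(msg)):
            st.frames.append(Frame(int(fr.group(1)), fr.group(2).strip(), fr.group(3) or "?"))
        elif (t := TERM_RE.search(msg)):
            user, algo = st.last_fail or (None, None)
            events.append(CrashEvent(pid, int(t.group(1)), user, algo, list(st.frames)))
            states.pop(pid)  # the worker is gone; a reused PID starts from a clean state
    return events


def summarize(events: List[CrashEvent]) -> List[str]:
    """One human-readable line per crash, suitable for an alert body or a ticket."""
    return [
        f"pid {ev.pid}: signal {ev.signal} after publickey auth failure for "
        f"user={ev.user} algo={ev.key_algo}; crash site {ev.crash_site}; "
        f"innermost frame {ev.frames[0].symbol if ev.frames else '?'}"
        for ev in events
    ]


if __name__ == "__main__":
    for text in summarize(triage(SAMPLE_JOURNAL.splitlines())):
        print(text)
```

Run against real output with `journalctl -u proftpd --no-pager | python3 triage.py`-style piping after swapping `SAMPLE_JOURNAL` for `sys.stdin`. Note that the second failed login (pid 23100) produces no event because no trace or termination follows it, which is the behaviour wanted: a plain bad key is not a crash. The `algo` field is worth keeping in the alert because, as the thread's logs show, the server recorded `rsa-sha2-512` for an attempt in which the client was offering an ED25519 key.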
 
Sorry to bump this, but we haven't been able to make any progress unfortunately. Tried updating OpenSSH with Debian Testing packages, tried adding a bunch of ciphers in sshd_conf, but to no avail. We've tested this with a standalone ProFTPd server as well, so it's not DA-related, but perhaps someone here has encountered the same issue.

Someone over at the proftpd forum (https://forums.proftpd.org/smf/index.php/topic,12374.msg34838.html) seems to encounter the exact same issue, so perhaps it's a ProFTPd bug, not sure.

None of you guys are running this setup by any chance, zEitEr perhaps?
 
This turned out to be a bug in proftpd 1.3.7a and will be fixed in the next release. For anyone interested in testing it out right now:
Code:
git clone https://github.com/proftpd/proftpd.git
mv proftpd/ proftpd-1.3.8rc1
tar cvzf proftpd-1.3.8rc1.tar.gz proftpd-1.3.8rc1
mv proftpd-1.3.8rc1 /usr/local/directadmin/custombuild
cd /usr/local/directadmin/custombuild
nano versions.txt

#replace existing proftpd entry with the following:

proftpd:1.3.8rc1:

./build proftpd
 