Author Topic: sftp client rekeying after uploading of 1G file and the sftp connection dropped  (Read 280 times)

Offline chayunwang

  • New user
  • Posts: 7
I have a data provider which will send an sftp rekey to exchange host keys/cipher/MAC after sending 1G of data, and the sftp connection is aborted by proftpd, I think, since the default of SFTPRekey is none in my configuration file.   Is it possible to configure proftpd for this client to use SFTPRekey only, just like SFTPClientMatch "^OpenSSH_3\\.*" channelWindowSize 8MB?


Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5254
    • http://www.castaglia.org/
First, it would be best to determine whether mod_sftp was indeed aborting the connection; for that, you'd want to see what the SFTPLog shows, for that client.  Otherwise, we could be trying to address the wrong problem.  Setting "SFTPRekey none" in the mod_sftp config only tells mod_sftp to not request rekeying; it does not tell mod_sftp to refuse any rekey requests that the client may send.

As for your request about special-casing rekeying for certain clients, see:

  http://bugs.proftpd.org/show_bug.cgi?id=4266

And you may also be interested in:

  http://bugs.proftpd.org/show_bug.cgi?id=4126

Offline chayunwang

  • New user
  • Posts: 7
I think I am sure proftpd dropped the connection after SSH_MSG_NEWKEYS was received by both ends.  I turned on debugging on both ends. I am able to control on the sftp client when, and at what file size, to re-exchange MAC/ciphers.  It looks like a bug in proftpd 1.3.5.  I will download 1.3.6rc2 to test.

Offline chayunwang

  • New user
  • Posts: 7
I built proftpd 1.3.6rc2 using the proftpd.conf from my version of proftpd 1.3.5. proftpd won't listen on port 22 for sftp until I delete the ftp portion from proftpd.conf.   The good news is that proftpd 1.3.6 fixes the dropped-connection issue after sftp rekey. The bad news is that it doesn't work to listen for both ftp and sftp connections. I am still puzzled why this happens.    The syntax check is OK, except for a complaint from mod_ctrls about the local socket being in use.

Offline chayunwang

  • New user
  • Posts: 7
I finally made my proftpd.conf work for ftp/sftp.  I only added DefaultAddress, following the proftpd FAQ, and changed the VirtualHost from a DNS name to an IP address:

root@icisftpdev:/icinet/appl/proftpd/etc:> diff proftpd.conf /tmp/proftpd.conf
18a19
  ====> /tmp/proftpd.conf is the original one from 1.3.5 but is not  working under 1.3.6rc2 until I add DefaultAddress and change name to ip address

> # set to 0 with "socketbindtight" above to keep it from binding to all IPs
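Review bot: the `====> /tmp/proftpd.conf is the original one ...` annotation sits between the `18a19` hunk header and its single `>` line, so the output no longer parses as diff output; it belongs above the `diff` command, together with a note that the operands are in the reverse of the usual order here (`<` lines come from the new, working proftpd.conf, `>` lines from the original 1.3.5 file in /tmp).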
24a26
>
33c35,38
< AllowOverwrite                on
---
> # Normally, we want files to be overwriteable.
> #<Directory />
>       AllowOverwrite          on
> #</Directory>
35,37c40,43
<
<   DefaultAddress 192.168.2.16
<   Port 21
---
> # Use a VirtualHost to handle complexes logins, the rest will fall through
> # to system authentication.  FTP must be turned off in inetd for this to work.
>       # jail the user in their home dir
>       Port            21
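Review bot: on the original side of this hunk the `# jail the user in their home dir` comment is followed only by `Port 21`, with no directive that does what it describes, and the working side drops the comment without adding one either; confirm the intended directive exists elsewhere in the file, because this hunk shows `DefaultAddress 192.168.2.16` and `Port 21` being added at server-config level and nothing else.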
67a74
>       
69c76
<   <IfModule mod_sftp.c>
---
> <IfModule mod_sftp.c>
71a79
>  <VirtualHost icisftpdev.ici.org>
73,76c81,82
<     <VirtualHost 192.168.2.16>
<       # The SFTP configuration
<       Port 22
<       SFTPEngine on
---
>         SFTPEngine on
>         Port 22
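Review bot: taken with the preceding `71a79` hunk, this hunk changes the VirtualHost selector from the DNS name `icisftpdev.ici.org` to the literal `192.168.2.16` and only reorders `Port 22` and `SFTPEngine on`; the name form requires the name to resolve at startup to exactly the address the server binds, so the literal address, matching the new server-level `DefaultAddress`, is the more deterministic choice and is worth keeping even after the underlying bug is fixed.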
85a92,95
>
> #       <IfModule mod_sftp_ldap.c>
> #          SFTPAuthorizedUserKeys ldap:
> #       </IfModule>
133a144,145
>  </VirtualHost>
> </IfModule>
135,136d146
<     </VirtualHost>
<   </IfModule>
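The layout the diff above arrives at, written out as a readable fragment. This is an added example, not the poster's actual file: the address is the one in the diff, while the log and host-key paths are assumptions, and the SFTPLog line is included because the earlier reply says to check that log first to confirm which side closes the session around the rekey.

```apache
# Server-level settings: bind one address explicitly, as the diff does.
DefaultAddress 192.168.2.16
Port 21

# Plain FTP settings for the main server continue here.
AllowOverwrite on

<IfModule mod_sftp.c>
  # Literal address as the selector, not the DNS name of the host.
  <VirtualHost 192.168.2.16>
    Port 22
    SFTPEngine on

    # Per-connection SFTP log; look here for what happens right after
    # SSH_MSG_NEWKEYS before assuming the server aborted the session.
    # (path assumed)
    SFTPLog /var/log/proftpd/sftp.log

    # Host key (path assumed).
    SFTPHostKey /etc/proftpd/ssh_host_rsa_key

    # Server-initiated rekeying off. As noted above, this does not make
    # mod_sftp refuse rekey requests the client sends after 1G of data.
    SFTPRekey none

    # Per-client tuning in the form the original question quotes.
    SFTPClientMatch "^OpenSSH_3\\.*" channelWindowSize 8MB
  </VirtualHost>
</IfModule>
```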

Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5254
    • http://www.castaglia.org/
Would you be able to provide the non-working proftpd.conf, before your DefaultAddress/IP address changes?  I think there may be a bug, in ProFTPD 1.3.6rc2, that those config changes are working around.  I'd like to see your non-working config, so that I can attempt to reproduce the issue locally.  Thanks!

Actually, I think the root cause may have been this:

  http://bugs.proftpd.org/show_bug.cgi?id=4186

Fixed in the newly released proftpd-1.3.6rc3.
« Last Edit: January 15, 2017, 01:17:56 am by castaglia »
