0 votes
2.4k views
in .NET FTP by (140 points)
Hello,

We are using .NET FTP Pro to connect to an SFTP server.  The server's administrator just changed the password requirements and now when we need to update the password, we are unable to automatically.  When logging in with an "invalid" login, we immediately lock it at the SFTP server.  We are seeing multiple SSH_MSG_USERAUTH_FAILURE in the log with a new prompt:

DEBUG :  Packet arrived
DEBUG :  ProcessAuthenticationResponse: SSH_MSG_USERAUTH_INFO_REQUEST
DEBUG :  Prompt count = 3
DEBUG :  Prompt: Old Password:
DEBUG :  Prompt: New Password:
DEBUG :  Prompt: Confirm Password:
DEBUG :  Sent SSH_MSG_USERAUTH_INFO_RESPONSE

Was wondering if anyone has seen anything like this and how to work with it.

Full log below:

DEBUG :  Setting up fallback kbi prompt based on supplied password
DEBUG :  Resolving xxx.xxx.xx.xxx
DEBUG :  xxx.xxx.xx.xxx resolved to xxx.xxx.xx.xxx
DEBUG :  Connecting directly to SFTP server xxx.xxx.xx.xxx:2200
INFO :  Connecting to xxx.xxx.xx.xxx:2200 with timeout 30000 ms
DEBUG :  Successfully connected to xxx.xxx.xx.xxx:2200
DEBUG :  Connected successfully to SFTP server xxx.xxx.xx.xxx:2200
DEBUG :  Beginning protocol negotiation
DEBUG : FTPConnection.25 RepeatCallback received 25 bytes
DEBUG : FTPConnection.25 offset=0,length=25
INFO : FTPConnection.25 Server version = 'SSH-2.0-1.82_sshlib MFT'
DEBUG : FTPConnection.25 Major string = '2'
DEBUG : FTPConnection.25 Minor string = '0'
DEBUG : FTPConnection.25 Version 2.0
DEBUG : FTPConnection.25 Protocol compatible
DEBUG :  Server version=SSH-2.0-1.82_sshlib MFT
DEBUG :  Timeout=30000
DEBUG :  Sending client version=SSH-2.0-edtFTPnet/PRO_9.0.0.20
DEBUG :  Starting key exchange
DEBUG :  Sending SSH_MSG_KEXINIT
DEBUG :  key exchange method=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
DEBUG :  hostkey algorithms=ssh-dss,ssh-rsa
DEBUG :  ciphers=blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
DEBUG :  ciphers=blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
DEBUG :  MACs=hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
DEBUG :  MACs=hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
DEBUG :  compression algorithms=none,zlib
DEBUG :  compression algorithms=none,zlib
DEBUG :  Sent SSH_MSG_KEXINIT
DEBUG :  Reading SSH_MSG_KEXINIT reply
DEBUG :  Waiting for packet
DEBUG : FTPConnection.25 RepeatCallback received 368 bytes
DEBUG :  Packet arrived
DEBUG :  Processing SSH_MSG_KEXINIT reply
DEBUG :  Remote kex alg=diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
DEBUG :  Decided kex alg= DiffieHellmanGroup14Sha1
DEBUG :  Remote hostkey alg=ssh-rsa
DEBUG :  Decided hostkey alg= RSA
DEBUG :  Remote Cipher CS=aes256-cbc,aes256-ctr,3des-cbc,aes128-cbc,aes128-ctr
DEBUG :  Decided Cipher C->S= AES128
DEBUG :  Remote Cipher SC=aes256-cbc,aes256-ctr,3des-cbc,aes128-cbc,aes128-ctr
DEBUG :  Decided Cipher S->C= AES128
DEBUG :  Remote MAC CS=hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96
DEBUG :  Decided MAC C->S= HMAC_SHA1
DEBUG :  Remote MAC SC=hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96
DEBUG :  Decided MAC S->C= HMAC_SHA1
DEBUG :  Remote Comp CS=zlib,none
DEBUG :  Decided Comp C->S=None
DEBUG :  Remote Comp SC=zlib,none
DEBUG :  Decided Comp S->C=None
DEBUG :  first_kex_packet_follows=False
DEBUG :  Processed SSH_MSG_KEXINIT reply
DEBUG :  Sending SSH_MSG_KEXDH_INIT
DEBUG :  DH_PRIME_GROUP14
DEBUG :  DH_PRIME_GROUP14
DEBUG :  Sent SSH_MSG_KEXDH_INIT
DEBUG :  Reading SSH_MSG_KEXDH_INIT reply
DEBUG :  Waiting for packet
DEBUG : FTPConnection.25 RepeatCallback received 848 bytes
DEBUG :  Packet arrived
DEBUG :  Processing SSH_MSG_KEXDH_INIT reply
DEBUG :  DH_PRIME_GROUP14
INFO :  Verifying host key
DEBUG :  Processed SSH_MSG_KEXDH_INIT reply successfully
DEBUG :  Sending SSH_MSG_NEWKEYS
DEBUG :  Sent SSH_MSG_NEWKEYS
DEBUG :  Established ciphers
DEBUG :  Established MACs
DEBUG :  Reading SSH_MSG_NEWKEYS reply
DEBUG :  Processing SSH_MSG_NEWKEYS reply
DEBUG :  Processed 0 queued messages
DEBUG :  Processed SSH_MSG_NEWKEYS reply
INFO :  Negotiated new keys successfully
DEBUG :  Key exchange complete
DEBUG :  Sent SSH_MSG_SERVICE_REQUEST 'ssh-userauth'
DEBUG :  Waiting for packet
DEBUG : FTPConnection.25 RepeatCallback received 1112 bytes
DEBUG :  Packet arrived
DEBUG :  Starting user authentication for 'tn000000'
DEBUG :  Password authentication
DEBUG :  Sent SSH_MSG_USERAUTH_REQUEST
DEBUG :  ProcessAuthenticationResponse: SSH_MSG_USERAUTH_BANNER
DEBUG :  USERAUTH_BANNER
DEBUG :  - User Banner here blah blah blah

DEBUG :  Waiting for packet
DEBUG : FTPConnection.25 RepeatCallback received 68 bytes
DEBUG :  Packet arrived
DEBUG :  ProcessAuthenticationResponse: SSH_MSG_USERAUTH_FAILURE
ERROR :  Auth failure. Try: keyboard-interactive
DEBUG :  Trying keyboard-interactive authentication
DEBUG :  Starting user authentication for 'tn000000'
DEBUG :  Keyboard interactive authentication
DEBUG :  Sent SSH_MSG_USERAUTH_REQUEST
DEBUG :  Waiting for packet
DEBUG : FTPConnection.25 RepeatCallback received 212 bytes
DEBUG :  Packet arrived
DEBUG :  ProcessAuthenticationResponse: SSH_MSG_USERAUTH_INFO_REQUEST
DEBUG :  Prompt count = 3
DEBUG :  Prompt: Old Password:
DEBUG :  Prompt: New Password:
DEBUG :  Prompt: Confirm Password:
DEBUG :  Sent SSH_MSG_USERAUTH_INFO_RESPONSE
DEBUG :  Waiting for packet
DEBUG : FTPConnection.25 RepeatCallback received 36 bytes
DEBUG :  Packet arrived
DEBUG :  ProcessAuthenticationResponse: SSH_MSG_USERAUTH_FAILURE
ERROR :  Auth failure. Try:
ERROR :  Failed to connect - closing connection
ERROR :  EnterpriseDT.Net.Ftp.Ssh.SFTPAuthenticationException: Authentication failed
ERROR :     at EnterpriseDT.Net.Ftp.Ssh.SSHFTPClient.Connect()

1 Answer

0 votes
by (51.7k points)
To handle this you'll need to set the authentication type to KeyboardInteractive and set the KBIPrompts property so that it's able to respond to the prompts being sent by the server (i.e. "Old Password:", "New Password:" and "Confirm Password:").
by (140 points)
I am looking through the API documentation and this whole scenario is buried in the .Connect() method.

How can I capture the first SSH_MSG_USERAUTH_FAILURE, switch to Keyboard interactive, respond to the prompts and move on?  Do I have to "front-load" the prompts and if the authentication works (i.e. the current password is good), the component just ignores the prompts that I've set up?

The target SFTP server kicks me out after changing the password and makes me open a fresh connection with the new password.

Thank you for your time.
by (51.7k points)
Unfortunately our software doesn't currently allow you to respond to prompts upon request, so the only way to do it would be to try connecting with the current password; detect the 'password-change' failure; prompt the user for a new password (assuming your app is interactive); set up the KBIPrompts and then reconnect.  It sounds like even after providing the prompts you're gonna get kicked off again, so you'd then have to connect again with the new password.
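
The three prompts in the log arrive in an SSH_MSG_USERAUTH_INFO_REQUEST (RFC 4256), and the client has to return exactly one response per prompt, in the server's order. The following is an added protocol-level example in Python, not edtFTPnet/PRO code and not part of the original thread; the helper names and the sample request are assumptions constructed for illustration. It parses the request, recognises the password-change case, and refuses to build a response when a prompt has no registered answer instead of sending a guess that a strict server could count as a failed login.

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60   # message numbers from RFC 4256
SSH_MSG_USERAUTH_INFO_RESPONSE = 61

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end], end

def parse_info_request(payload: bytes):
    """Return [(prompt_text, echo)] from an INFO_REQUEST payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    off = 1
    for _ in range(3):                      # name, instruction, language tag
        _, off = _read_string(payload, off)
    (count,) = struct.unpack_from(">I", payload, off)
    off += 4
    prompts = []
    for _ in range(count):
        text, off = _read_string(payload, off)
        if off >= len(payload):
            raise ValueError("missing echo flag")
        prompts.append((text.decode("utf-8"), payload[off] != 0))
        off += 1
    return prompts

def _key(prompt: str) -> str:
    # Normalise "Old Password: " -> "old password" for table lookups.
    return prompt.strip().rstrip(":").strip().lower()

def is_password_change(prompts) -> bool:
    """True when the server asks for a new password, as in the log above."""
    return any("new password" in _key(text) for text, _ in prompts)

def build_info_response(prompts, answers: dict) -> bytes:
    """One response per prompt, in server order; never guess an answer."""
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(prompts))
    for text, _ in prompts:
        if _key(text) not in answers:
            raise LookupError(f"no answer registered for prompt {text!r}")
        out += ssh_string(answers[_key(text)].encode("utf-8"))
    return out

# Constructed sample: the three prompts from the log, echo disabled.
SAMPLE_REQUEST = bytes([60]) + ssh_string(b"") * 3 + struct.pack(">I", 3) + b"".join(
    ssh_string(p) + b"\x00" for p in (b"Old Password:", b"New Password:", b"Confirm Password:"))
```

A caller that gets `is_password_change(...) == True` without a new password on hand should stop and ask for one before reconnecting, rather than retrying the same credentials.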
