sftp Server Error Message

Postby mike1950r » 2019-08-07 15:06

Hello,

we use WS_FTP Professional to connect to our Linux Debian 9 server for file transfer.
We find the following error message in the journal:

sftp-server[]: error: Unknown extended request "check-file-name"

How can we configure Debian to accept this type of SSH_FXP_EXTENDED message?

Thanks for advice.

Cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56

Re: sftp Server Error Message

Postby ruwolf » 2019-08-07 17:29

SSH_FXP_EXTENDED is a vendor-specific extension: https://tools.ietf.org/id/draft-ietf-se ... fer-02.txt
ruwolf
 
Posts: 358
Joined: 2008-02-18 05:04
Location: Slovakia, Banovce nad Bebravou, Matice slovenskej 1260/4-7

Re: sftp Server Error Message

Postby mike1950r » 2019-08-07 18:46

Hi ruwolf,

thanks for your reply.

Of course this is vendor specific.
The question is how these requests are handled by the sftp-server module in Debian 9.

I also found some posts about the sftp subsystem configuration in sshd_config

#Subsystem sftp /usr/lib/openssh/sftp-server
#Subsystem sftp internal-sftp

BTW what is the difference between these two entries, if anybody knows?

However, if somebody could help me with the SSH_FXP_EXTENDED,
this would be great.

cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56

Re: sftp Server Error Message

Postby techsavvy » 2019-08-08 15:50

The online manual is always a good resource to consult, using a keyword:
Code:
$ man -k sftp
sftp (1)             - secure file transfer program
sftp-server (8)      - SFTP server subsystem
It's obvious which one is of interest, so "man sftp-server" reveals:
Code:
...
-p whitelisted_requests
Specify a comma-separated list of SFTP protocol requests that are permitted by the server.  All request types that are not on the whitelist will be logged and replied to with a failure message.

Care must be taken when using this feature to ensure that requests made implicitly by SFTP clients are permitted.
...
-Q protocol_feature
Query protocol features supported by sftp-server.  At present the only feature that may be queried is “requests”, which may be used for black or whitelisting (flags -P and -p respectively).
...
So using the -Q option from the command line tells you what requests must be preserved:
Code:
$ /usr/lib/openssh/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync
Apparently it's a simple matter of including your proprietary request in the comma-separated list within /etc/ssh/sshd_config. Caution: the line-wrap here, constructed using "/usr/lib/openssh/sftp-server -Q requests | paste -s -d, ":
Code:
Subsystem       sftp    /usr/lib/openssh/sftp-server -p open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,mkdir,rmdir,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync,check-file-name
It remains to be seen whether such a proprietary protocol request will be recognized by the Linux sftp-server in a way that the client expects, however.

Regarding your second question, "internal-sftp" can be answered in "man sshd_config".
Last edited by techsavvy on 2019-08-08 16:46, edited 2 times in total.
techsavvy
 
Posts: 18
Joined: 2019-07-06 20:02

Re: sftp Server Error Message

Postby mike1950r » 2019-08-08 16:38

Hi techsavvy,

thanks a lot for your great reply.

i have done exactly like you proposed.

in sshd_config file there is now the line:
Subsystem sftp /usr/lib/openssh/sftp-server -p check-file-name,open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,mkdir,rmdir,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync

But if i do the "q" request the check-file-name command is not listed yet.
I have also restarted the ssh service.
systemctl restart ssh

/usr/lib/openssh/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync

What am i doing wrong?

cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56

Re: sftp Server Error Message

Postby techsavvy » 2019-08-08 16:47

"Apparently" you've done everything correctly, so I'm out of ideas ... maybe sftp-server is incapable of recognizing the protocol request.
Last edited by techsavvy on 2019-08-08 16:54, edited 2 times in total.
techsavvy
 
Posts: 18
Joined: 2019-07-06 20:02

Re: sftp Server Error Message

Postby mike1950r » 2019-08-08 16:51

still not in:
/usr/lib/openssh/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync

strange though.
does it refuse check-file-name?

the hyphen is also in posix-rename.

cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56

Re: sftp Server Error Message

Postby techsavvy » 2019-08-08 17:10

Does the error still happen, even though "check-file-name" doesn't exist in the returned list?
techsavvy
 
Posts: 18
Joined: 2019-07-06 20:02

Re: sftp Server Error Message

Postby mike1950r » 2019-08-08 19:03

i will verify, when i'm back home.

cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56

Re: sftp Server Error Message

Postby mike1950r » 2019-08-08 21:07

yes indeed,

unfortunately the error message still appears.
also check-file-name is still not displayed, when calling -Q protocol_feature.

this is a nightmare.
i'm sure there is an explanation for this.

i thought all the other commands, which are whitelisted by default, perhaps do not have to be in the -p command.
so i also tried only -p check-file-name.

but then i could not connect with my sftp program anymore.

i also checked to put check-file-name at the end of the command,
but that did not change anything.

cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56

Re: sftp Server Error Message

Postby mike1950r » 2019-08-08 23:22

hi,

my impression is,

that you can only black/whitelist requests, which are already displayed, when you run the -Q command.
other requests, say new ones are not accepted.

cheers mike
mike1950r
 
Posts: 7
Joined: 2019-08-07 14:56
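
Added example, not part of any post in this thread: a shell check that compares the -p list on a "Subsystem sftp" line with the request names that "sftp-server -Q requests" printed above. It reports names the binary does not list, and listed names the allowlist leaves out (which the server would then refuse). The function names are hypothetical, and the embedded request list is copied from the thread's output.

```shell
#!/bin/sh
# Request names copied from the "-Q requests" output in the thread; on a live
# host use: SUPPORTED=$(/usr/lib/openssh/sftp-server -Q requests)
SUPPORTED="open close read write lstat fstat setstat fsetstat opendir readdir
remove mkdir rmdir realpath stat rename readlink symlink posix-rename statvfs
fstatvfs hardlink fsync"

# The Subsystem line quoted in the thread (one logical line once joined).
LINE="Subsystem sftp /usr/lib/openssh/sftp-server -p check-file-name,open,close,\
read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,mkdir,rmdir,\
realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync"

# Print the argument of -p from an active "Subsystem sftp ..." line, or nothing.
allowlist_of() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "subsystem" && $2 == "sftp" {
            for (i = 4; i < NF; i++) if ($i == "-p") { print $(i + 1); exit }
        }'
}

# Names in the comma-separated allowlist ($1) that are absent from the
# whitespace-separated list of implemented requests ($2).
unknown_requests() {
    have=" $(printf '%s' "$2" | tr '\n' ' ') "
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$have" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Implemented requests ($2) that the allowlist ($1) omits.
missing_requests() {
    for name in $2; do
        case ",$1," in
            *",$name,"*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

LIST=$(allowlist_of "$LINE")
echo "listed but not implemented: $(unknown_requests "$LIST" "$SUPPORTED")"
echo "implemented but not allowed: $(missing_requests "$LIST" "$SUPPORTED" | tr '\n' ' ')"
```

Calling missing_requests with only "check-file-name" as the allowlist returns every request in the list, which matches the failed connection reported above for "-p check-file-name".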

