Subject: Re: Reflection for Secure IT Server

From: Peter Stuge <peter_at_stuge.se>
Date: Mon, 3 May 2010 15:38:46 +0200

Hello Qiang,

Xu, Qiang (FXSGSC) wrote:
> > Recently, I am hit with a problem of transfer to Reflection
> > for Secure IT Server, which provides SFTP service
..
> > Yet, I can't connect to it with sftp command:
>
> Just found out that the problem is caused by a server setting
> "Password authentication using keyboard interactive". After it
> is disabled, sftp command can connect without any problem.

The keyboard-interactive authentication method is also used on other
systems. It is supported by libssh2 but it must also be supported
explicitly by the application.

The full description of keyboard-interactive is in RFC 4256. I very
much recommend reading that, it is short at only 12 pages.

kbd-int is a generic method for dialog between the SSH/SFTP server
and the user. There is no standard for what this dialog contains -
it is a completely generic way for the server to send a question to
the user, and to receive a response back from the user.

Sometimes this method is unfortunately used to ask for a password.
That is the standard setting for both FreeBSD and Mac OS X. :(

This creates a problem for libssh2 because it cannot reliably detect
that the server is asking for the user's password. The question from
the server can be localized to the user's preferred language, and it
can use any words, such as "Enter secret", that the user will
understand, but which is impossible to completely understand in
libssh2.

This means that the libssh2 application must allow the user to
participate in the kbd-int communication, in order to successfully
authenticate to the server. Depending on the application it can be
difficult. :\

The libssh2 example sftp.c demonstrates how libssh2 calls back into
the application in order to perform keyboard-interactive
authentication, but please note that the example kbd_callback()
implementation is very bad and must not be used in an end product!

In order to further investigate kbd-int please apply the attached
patch to sftp.c (or use very latest git) and then test the sftp.c
example with the same server to see more details.

//Peter

Received on 2010-05-03
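The RFC 4256 exchange Peter describes, as an added example that is not part of the thread and not code from libssh2 or the sftp.c example: the server's SSH_MSG_USERAUTH_INFO_REQUEST carries an arbitrary name, instruction, language tag and list of (prompt, echo) pairs, and the client must answer with exactly one response per prompt. The `answer_info_request()` helper plays the role of the application hook that libssh2's kbd_callback() fills, handing every prompt to an application-supplied `ask()` instead of guessing that a prompt is a password. All function names and the sample messages are constructed for this example; transport framing and encryption are assumed to be handled elsewhere.

```python
"""RFC 4256 keyboard-interactive INFO_REQUEST / INFO_RESPONSE payloads.

Constructed example; transport framing and the initial USERAUTH_REQUEST
are out of scope and assumed to be handled by the surrounding SSH stack.
"""
import getpass
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60   # RFC 4256 section 3.2
SSH_MSG_USERAUTH_INFO_RESPONSE = 61  # RFC 4256 section 3.4


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


class Reader:
    """Sequential reader for the RFC 4251 primitives used by RFC 4256."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated message")
        self.pos += 1
        return self.data[self.pos - 1]

    def uint32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated message")
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def string(self) -> bytes:
        length = self.uint32()
        if self.pos + length > len(self.data):
            raise ValueError("string length exceeds message")
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length
        return chunk

    def done(self) -> bool:
        return self.pos == len(self.data)


def build_info_request(name: str, instruction: str, language: str, prompts) -> bytes:
    """Server side. prompts is a list of (text, echo); echo=False means the
    client must not display what the user types for that prompt."""
    msg = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    msg += ssh_string(name.encode("utf-8"))
    msg += ssh_string(instruction.encode("utf-8"))
    msg += ssh_string(language.encode("ascii"))  # RFC 3066 tag, often empty
    msg += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        msg += ssh_string(text.encode("utf-8")) + bytes([1 if echo else 0])
    return msg


def parse_info_request(msg: bytes) -> dict:
    r = Reader(msg)
    if r.byte() != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_INFO_REQUEST")
    name = r.string().decode("utf-8")
    instruction = r.string().decode("utf-8")
    language = r.string().decode("ascii")
    prompts = [(r.string().decode("utf-8"), r.byte() != 0) for _ in range(r.uint32())]
    if not r.done():
        raise ValueError("trailing data after prompts")
    return {"name": name, "instruction": instruction, "language": language, "prompts": prompts}


def build_info_response(responses) -> bytes:
    msg = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(responses))
    for text in responses:
        msg += ssh_string(text.encode("utf-8"))
    return msg


def parse_info_response(msg: bytes) -> list:
    r = Reader(msg)
    if r.byte() != SSH_MSG_USERAUTH_INFO_RESPONSE:
        raise ValueError("not an SSH_MSG_USERAUTH_INFO_RESPONSE")
    responses = [r.string().decode("utf-8") for _ in range(r.uint32())]
    if not r.done():
        raise ValueError("trailing data after responses")
    return responses


def answer_info_request(msg: bytes, ask) -> bytes:
    """Client side. ask(name, instruction, prompt_text, echo) is the application
    hook (the job of kbd_callback in libssh2): one answer per prompt, in order,
    with no assumption about what any prompt text means."""
    req = parse_info_request(msg)
    answers = [ask(req["name"], req["instruction"], text, echo) for text, echo in req["prompts"]]
    return build_info_response(answers)


def check_response_shape(request: bytes, response: bytes) -> bool:
    """Server-side check from RFC 4256 section 3.4: the number of responses
    MUST equal the number of prompts. A client that blindly sends a single
    password fails this as soon as the server asks two questions."""
    return len(parse_info_response(response)) == len(parse_info_request(request)["prompts"])


def interactive_ask(name, instruction, prompt_text, echo):
    """A real application hook: show the server's text and read the answer,
    hiding the input when the server said echo=false."""
    if name or instruction:
        print(name, instruction)
    return input(prompt_text) if echo else getpass.getpass(prompt_text)
```

The only thing a client can rely on is the structure: prompt count, order and the echo flag. Whether "Password:", "Enter secret" or a localized string is asking for the account password is knowledge only the user has, which is why `answer_info_request()` delegates every prompt to `ask()` and why a callback that always returns the password regardless of prompt text or count should stay out of production code.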