filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

aqueos
500 Command not understood
Posts: 2
Joined: 2019-12-27 09:37
First name: ghislain
Last name: adnet

filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

#1 Post by aqueos » 2019-12-27 09:43

hi,

All my users that use the filezilla client 3.46.1+ fail to connect to my proftpd server. I tested; the problem exists on debian jessie and debian etch proftpd and filezilla 3.46.2 and 3.46.3.

Anyone having the same issue? Is it a client issue or a server one? It was working fine before the filezilla upgrade.


2019-12-27 10:24:51,637 mod_sftp/0.9.9[13951]: enabled all builtin crypto devices
2019-12-27 10:24:51,638 mod_sftp/0.9.9[13951]: sent server version 'SSH-2.0-mod_sftp/0.9.9'
2019-12-27 10:24:51,638 mod_sftp/0.9.9[13951]: received client version 'SSH-2.0-PuTTYFileZilla_3.46.3'
2019-12-27 10:24:51,638 mod_sftp/0.9.9[13951]: handling connection from SSH2 client 'PuTTYFileZilla_3.46.3'
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session key exchange: ecdh-sha2-nistp256
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session server hostkey: ssh-rsa
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session client-to-server encryption: aes256-ctr
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session server-to-client encryption: aes256-ctr
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session client-to-server MAC: hmac-sha2-256
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session server-to-client MAC: hmac-sha2-256
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session client-to-server compression: none
2019-12-27 10:24:51,890 mod_sftp/0.9.9[13951]: + Session server-to-client compression: none
2019-12-27 10:24:52,923 mod_sftp/0.9.9[13951]: sending acceptable userauth methods: publickey,keyboard-interactive,password
2019-12-27 10:24:52,967 mod_sftp/0.9.9[13951]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2019-12-27 10:24:52,967 mod_sftp_pam/0.3[13951]: PAM authentication error (7) for user 'rbnrdgms': Authentication failure
2019-12-27 10:24:52,968 mod_sftp/0.9.9[13951]: sending userauth failure; remaining userauth methods: publickey,keyboard-interactive,password
2019-12-27 10:24:52,968 mod_sftp/0.9.9[13951]: unhandled SSH_MSG_USER_AUTH_INFO_RESP (61) message, disconnecting
2019-12-27 10:24:52,968 mod_sftp/0.9.9[13951]: disconnecting (Unsupported protocol sequence)
2019-12-27 10:24:58,051 mod_sftp/0.9.9[13971]: enabled all builtin crypto devices
2019-12-27 10:24:58,051 mod_sftp/0.9.9[13971]: sent server version 'SSH-2.0-mod_sftp/0.9.9'
2019-12-27 10:24:58,051 mod_sftp/0.9.9[13971]: received client version 'SSH-2.0-PuTTYFileZilla_3.46.3'
2019-12-27 10:24:58,051 mod_sftp/0.9.9[13971]: handling connection from SSH2 client 'PuTTYFileZilla_3.46.3'
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session key exchange: ecdh-sha2-nistp256
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session server hostkey: ssh-rsa
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session client-to-server encryption: aes256-ctr
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session server-to-client encryption: aes256-ctr
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session client-to-server MAC: hmac-sha2-256
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session server-to-client MAC: hmac-sha2-256
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session client-to-server compression: none
2019-12-27 10:24:58,078 mod_sftp/0.9.9[13971]: + Session server-to-client compression: none
2019-12-27 10:24:58,125 mod_sftp/0.9.9[13971]: sending acceptable userauth methods: publickey,keyboard-interactive,password
2019-12-27 10:24:58,170 mod_sftp/0.9.9[13971]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2019-12-27 10:24:58,171 mod_sftp_pam/0.3[13971]: PAM authentication error (7) for user 'rbnrdgms': Authentication failure
2019-12-27 10:24:58,172 mod_sftp/0.9.9[13971]: sending userauth failure; remaining userauth methods: publickey,keyboard-interactive,password
2019-12-27 10:24:58,172 mod_sftp/0.9.9[13971]: unhandled SSH_MSG_USER_AUTH_INFO_RESP (61) message, disconnecting
2019-12-27 10:24:58,172 mod_sftp/0.9.9[13971]: disconnecting (Unsupported protocol sequence)
2019-12-27 10:29:22,979 mod_sftp/0.9.9[13455]: disconnecting client (received EOF)

TheSlacker
500 Command not understood
Posts: 1
Joined: 2019-12-27 17:49

Re: filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

#2 Post by TheSlacker » 2019-12-27 17:53

I am having the same issue while running client version 3.4.63. I also have version 3.45.1 installed, and it works fine. Looking at the logs, the only thing different is that the working version shows this: fzSftp started, protocol_version=8

while the non-working version shows this: fzSftp started, protocol_version=9

botg
Site Admin
Posts: 32555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

#3 Post by botg » 2019-12-28 14:26

This is a bug in your SFTP server implementation.

Please refer to the specifications in RFC 4253:
All implementations MUST understand (and ignore) this message at any time (after receiving the identification string).
Your server implementation obviously does not ignore these messages, but acts on them.
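
The failure signature in the log from the first post can be picked out mechanically. The following is an added example, not part of the thread or of either project's code: it groups mod_sftp log lines by PID (assuming one PID per connection, as in the posted log) and separates PAM failures that coincide with the misread SSH_MSG_IGNORE from ordinary ones, so they can be reviewed apart from real failed logins. The sample log, its PIDs and the user name 'alice' are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the mod_sftp log format shown in the first post
# (PIDs, timestamps and the user name 'alice' are made up for this example).
SAMPLE_LOG = """\
2019-12-27 10:24:51,638 mod_sftp/0.9.9[101]: received client version 'SSH-2.0-PuTTYFileZilla_3.46.3'
2019-12-27 10:24:52,967 mod_sftp/0.9.9[101]: expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE (2)
2019-12-27 10:24:52,967 mod_sftp_pam/0.3[101]: PAM authentication error (7) for user 'alice': Authentication failure
2019-12-27 10:24:52,968 mod_sftp/0.9.9[101]: disconnecting (Unsupported protocol sequence)
2019-12-27 10:25:10,100 mod_sftp/0.9.9[102]: received client version 'SSH-2.0-OpenSSH_8.1'
2019-12-27 10:25:11,200 mod_sftp_pam/0.3[102]: PAM authentication error (7) for user 'alice': Authentication failure
2019-12-27 10:25:11,300 mod_sftp/0.9.9[102]: disconnecting client (received EOF)
"""

# "<date> <time> <module>/<version>[<pid>]: <message>"
LINE = re.compile(r"^\S+ \S+ mod_sftp\w*/\S+\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"received client version '([^']*)'")
PAM_FAIL = re.compile(r"PAM authentication error \(\d+\) for user '([^']*)'")
IGNORE_MISREAD = "expecting USER_AUTH_INFO_RESP message, received SSH_MSG_IGNORE"
PROTO_DISCONNECT = "disconnecting (Unsupported protocol sequence)"

def classify_sessions(log_text):
    """Return {pid: {user, client, verdict}} for every session with a PAM failure."""
    sessions = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a mod_sftp line
        pid, msg = m.groups()
        s = sessions[pid]
        if (c := CLIENT.search(msg)):
            s["client"] = c.group(1)
        elif (u := PAM_FAIL.search(msg)):
            s["user"] = u.group(1)
        elif IGNORE_MISREAD in msg:
            s["ignore_misread"] = True
        elif PROTO_DISCONNECT in msg:
            s["proto_disconnect"] = True
    report = {}
    for pid, s in sessions.items():
        if "user" not in s:
            continue  # no PAM failure logged for this connection
        hit = s.get("ignore_misread", False) and s.get("proto_disconnect", False)
        report[pid] = {"user": s["user"], "client": s.get("client"),
                       "verdict": "ignore-misread" if hit else "auth-failure"}
    return report
```
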

aqueos
500 Command not understood
Posts: 2
Joined: 2019-12-27 09:37
First name: ghislain
Last name: adnet

Re: filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

#4 Post by aqueos » 2019-12-28 23:58

botg wrote:
2019-12-28 14:26
This is a bug in your SFTP server implementation.

Please refer to the specifications in RFC 4253:
All implementations MUST understand (and ignore) this message at any time (after receiving the identification string).
Your server implementation obviously does not ignore these messages, but acts on them.

Well, perhaps, but this ruins all connections to proftpd, which is quite a popular SFTP server on Debian, which is quite a popular distribution too. Perhaps an option to prevent the FileZilla client from sending the null commands that cause this issue could help resolve the situation without causing issues (or just don't send it, like you always did until now).

I guess that if you send this, it is to send random data in the channel to prevent side-channel attacks? I know proftpd uses this kind of message to randomise some data and specifically augments this kind of traffic for certain CBC ciphers, but it seems it does not like it between the login and password phase.

What do you think would be easier to solve this, other than shutting out everyone using proftpd? I open a bug on proftpd for this at the same time :)


regards,
Ghislain.

botg
Site Admin
Posts: 32555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

#5 Post by botg » 2019-12-30 09:18

No, the change to send SSH_MSG_IGNORE was added for length-hiding, a security mechanism. It is never a good idea to disable security mechanisms to placate broken third-party implementations.

Fixing ProFTPD should be quite simple: all one would need to do is to move the bit of code handling the ignoring of SSH_MSG_IGNORE a bit earlier in the control flow.

botg
Site Admin
Posts: 32555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: filezilla 3.46.1+ fail connect to proftpd with Unsupported protocol sequence

#6 Post by botg » 2019-12-30 09:38

There you go, a matter of 5 minutes work.

commit 438a8a4e69e080c8ffd7e1f89b62d52ddd1c5e23 (HEAD -> master)
Author: Tim Kosse <tim.kosse@filezilla-project.org>
Date:   Mon Dec 30 10:37:00 2019 +0100

    Ignore SSH_MSG_IGNORE messages, as per specification.

diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
index 6900f4dfc..938f260f9 100644
--- a/contrib/mod_sftp/kbdint.c
+++ b/contrib/mod_sftp/kbdint.c
@@ -273,12 +273,19 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
     return -1;
   }
 
-  pkt = sftp_ssh2_packet_create(kbdint_pool);
 
-  res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
-  if (res < 0) {
+  while (1) {
+    pkt = sftp_ssh2_packet_create(kbdint_pool);
+    res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
+    if (res < 0) {
+      destroy_pool(pkt->pool);
+      return res;
+    }
+    mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+    if (mesg_type != SFTP_SSH2_MSG_IGNORE) {
+      break;
+    }
     destroy_pool(pkt->pool);
-    return res;
   }
 
   pr_response_clear(&resp_list);
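
Review bot: The new "while (1)" in sftp_kbdint_recv_response puts no bound on how many consecutive SSH_MSG_IGNORE packets it will discard, and this code runs before the user has authenticated, so a peer can keep the handler creating, reading and destroying packets for as long as it keeps sending them. Consider counting ignored packets and returning an error past a small limit, or state in a comment which existing timeout ends the loop. Separately, mesg_type is assigned inside the loop but its declaration is not in this hunk, and the code after the loop is not shown: if it still calls sftp_ssh2_packet_get_mesg_type(pkt) on the same packet, drop that call and reuse the value read in the loop. Style: the blank context line that followed the removed "pkt = sftp_ssh2_packet_create(kbdint_pool);" now leaves two consecutive blank lines before "while (1) {".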
