[Feature] In public-key SFTP, map .ppk files to hosts.

Moderator: Project members

Post Reply
Message
Author
ajuaristi
504 Command not implemented
Posts: 8
Joined: 2015-05-29 13:02

[Feature] In public-key SFTP, map .ppk files to hosts.

#1 Post by ajuaristi » 2015-05-30 11:37

If you want to use PKI, you have to tell FileZilla about all your ppk keys in "Edit > Settings > SFTP".
It kind of looks like when connecting to an SFTP server using public key authentication, FileZille cycles through all of your keys trying all of them until it finds the correct one. I've got like a dozen OpenSSH powered servers under my control, all of them with public key authentication, and this feature has caused some of them to raise a "Too many authentication failures" error.

The only solution I've been able to come across was to raise the MaxAuthTries value to something higher than 12, which doesn't seem reasonable.
If you're connecting via SSH with OpenSSH, you can do:

Code: Select all

Host example.com
IdentityFile /example/com/id_rsa

Host foo.com
IdentityFile /foo/com/id_rsa
I haven't found such a feature in FileZilla. Is it there and I missed it up?

User avatar
botg
Site Admin
Posts: 32996
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#2 Post by botg » 2015-05-30 12:15

Why not use the same key for all servers?

ajuaristi
504 Command not implemented
Posts: 8
Joined: 2015-05-29 13:02

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#3 Post by ajuaristi » 2015-05-30 16:51

botg wrote:Why not use the same key for all servers?
That would certainly solve the problem, but I'm afraid it's not always possible.
Your server might be an instance provided by a cloud service, such as Amazon Web Services. In that particular provider, when you launch a new instance, the platform creates an SSH key pair for you. Well, theoretically, you can change the key when you log in for the first time, but anyway.

Even when you can actually use the same key pair for all your servers, you shouldn't be forced to do it just because of the fact that your FTP Client (FileZilla) does not support host-key mappings. You should be free to choose which key to use for each server, and not fall into "Too many authentication failures" errors.

To address this, I propose the following changes:
  • In the Site Manager, when you select a site from the list, and if its protocol is SFTP, a new drop-down list would appear just below it (replacing the "encryption" drop-down) listing all the added ppk keys, and the selected key would be applied to that host. You could optionally leave the list empty to maintain the current behavior of "trying all the available ppk keys".
What do you think? I could send a patch for you if you're interested.

User avatar
botg
Site Admin
Posts: 32996
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#4 Post by botg » 2015-05-30 17:35

To address this, I propose the following changes:

In the Site Manager, when you select a site from the list, and if its protocol is SFTP, a new drop-down list would appear just below it (replacing the "encryption" drop-down) listing all the added ppk keys, and the selected key would be applied to that host. You could optionally leave the list empty to maintain the current behavior of "trying all the available ppk keys".
Site manager would be the right place. I'd put it as another option in the Logon Type dropdown though. If selected, the Password field would be replaced by a key file field.
What do you think? I could send a patch for you if you're interested.
Great, much appreciated.

ajuaristi
504 Command not implemented
Posts: 8
Joined: 2015-05-29 13:02

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#5 Post by ajuaristi » 2015-06-02 15:46

I'll keep you posted.

Thanks.

ajuaristi
504 Command not implemented
Posts: 8
Joined: 2015-05-29 13:02

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#6 Post by ajuaristi » 2015-07-30 15:25

Finally, here it is.

This is the end result:

Image

I'll now summarize the changes I've made.

Changes in code
  • I extended CServer with SetKeyFile() and GetKeyFile(), and a new LogonType: KEY.
  • Until now, only COptionPageConnectionSFTP had the ability to create a 'fzputtygen' process in the background and communicate with it. Now, the site manager dialog (implemented in class CSiteManagerDialogDataObject) also needs that functionality, since it must be able to convert a given key to a suitable format (PPK). Thus, I decoupled all the logic of creating a fzputtygen process and communicating with it and exported to its own class called CFZPuttyGenInterface.h and instantiated that class in COptionsPageConnectionSFTP and CSiteManagerDialogDataObject.
  • In order to cycle over the available key files, the control socket logic in CSftpControlSocket wraps them in a wxStringTokenizer separated by newline characters ("\n"). When a server has its own key file, I manually create a wxStringTokenizer with the content of that key file and a newline in the end. You can see that at line 86 in the patch:

    Code: Select all

    pTokenizer = new wxStringTokenizer(m_pCurrentServer->GetKeyFile() + _T("\n"), _T("\n"), wxTOKEN_DEFAULT);
User experience enhancements
  • When connecting to a server, if the logon type is KEY (3), then FileZilla sends only the selected key file. Otherwise, it maintains the origina behaviour, and sends all the key files specified in the Settings/SFTP dialog.
  • When selecting a key file that's not in the PPK format, FileZilla prompts the user whether to convert the key to PPK or not. Actually, the code that performs this check is exactly the same that does it in the Settings/SFTP dialog (now moved to CFZPuttyGenInterface).
  • Also, that same check is performed when clicking "OK" or "Connect", since the path of the key file might have been introduced manually, without using the "Browse" button.
Here's the patch. It applies cleanly over revision 6852.

User avatar
botg
Site Admin
Posts: 32996
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#7 Post by botg » 2015-07-30 16:39

Thank you, excellent patch.

I've made a few small modifications:
- Fixed order of LogonType enum, otherwise existing sites would get corrupted
- Moved/renamed the two new files
- Fixed XRC layout
- Disable keyfile browse button along with text control

User avatar
botg
Site Admin
Posts: 32996
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#8 Post by botg » 2015-08-03 22:24

I had to revert some changes, namely those that change translatable strings. The chances resulted in strings translators couldn't understand as they weren't complete sentences.

ajuaristi
504 Command not implemented
Posts: 8
Joined: 2015-05-29 13:02

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#9 Post by ajuaristi » 2015-08-04 12:41

Thanks. I highly appreciate your implication.

Should you need any further work from me before bringing this upstream, please do not hesitate to contact me. I'm monitoring this thread.

ajuaristi
504 Command not implemented
Posts: 8
Joined: 2015-05-29 13:02

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#10 Post by ajuaristi » 2015-08-07 11:03

Hi,

Regarding my patch, I can provide translations to Spanish and Euskera (Basque), if you want, since I'm a native speaker of both.

The language files, if I'm not wrong, are "es.po" and "eu.po", respectively.

Just let me know :)

User avatar
botg
Site Admin
Posts: 32996
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: [Feature] In public-key SFTP, map .ppk files to hosts.

#11 Post by botg » 2015-08-07 18:08

Please get in contact with the respective translators. They email addresses should be in the translation files.

Post Reply