The problem of triggering verification when uploading and downloading files in interactive mode

tanzhenchao
500 Command not understood
Posts: 3
Joined: 2024-04-12 01:23
First name: Will
Last name: Tan

The problem of triggering verification when uploading and downloading files in interactive mode

#1 Post by tanzhenchao » 2024-04-12 01:57

We used the sftp file subsystem of openssh to build the sftpd service, and then we integrated the privacyidea-pam module and implemented a one-time OTP token for email, and then we found a problem.
In interactive mode, after we successfully log in through the email one-time OTP token, when we upload or download files, the user login verification issue will be triggered again, so we need to enter the password and OTP token again to continue uploading or downloading files. In addition, simply browsing files or deleting files is not affected.
We used to think this was a problem caused by the privacyidea-pam module, so we asked the privacyidea community for support,
https://github.com/privacyidea/privacyi ... /issues/13
However, when we tested it with the sftp command line client, we found that it worked fine,

Code:

# sftp -P 115 'will@cmdschool.org'@sftp.cmdschool.org
(will@cmdschool.org'@sftp.cmdschool.org) Password: 
(will@cmdschool.org'@sftp.cmdschool.org) Enter the OTP from the Email:
Connected to sftp.cmdschool.org.
sftp> ls
myhome  
sftp> cd myhome/
sftp> ls
dbeaver-ce_22.1.2_amd64.deb   
sftp> lcd /home/will/Downloads/
sftp> put  www.cmdschool.org_nginx.zip
Uploading www.cmdschool.org_nginx.zip to /myhome/www.cmdschool.org_nginx.zip
www.cmdschool.org_nginx.zip                                                                100% 8628   571.8KB/s   00:00    
sftp> exit

So we judged it to be a problem caused by the FileZilla client, so we hope that the official can fix this problem.

The following are the debug logs of the FileZilla client working:

Code:

Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpConnectOpData::Send() in state 0
Status:	Connecting to sftp.cmdschool.org:115...
Trace:	Going to execute /usr/bin/fzsftp
Response:	fzSftp started, protocol_version=11
Trace:	CSftpConnectOpData::ParseResponse() in state 0
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpConnectOpData::Send() in state 3
Command:	open "will@cmdschool.org@sftp.cmdschool.org" 115
Trace:	Looking up host "sftp.cmdschool.org" for SSH connection
Trace:	Connecting to sftp.cmdschool.org port 115
Trace:	We claim version: SSH-2.0-FileZilla_3.63.0
Trace:	Connected to sftp.cmdschool.org
Trace:	Remote version: SSH-2.0-OpenSSH_8.7
Trace:	Using SSH protocol version 2
Trace:	Enabling strict key exchange semantics
Trace:	Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Trace:	Server also has ecdsa-sha2-nistp256/rsa-sha2-512/rsa-sha2-256 host keys, but we don't know any of them
Trace:	Host key fingerprint is:
Trace:	ssh-ed25519 255 SHA256:LlyJqvhAWFx1h6tkA2KE3IQ6+44WuzEwZk7es2b7jjo
Trace:	Initialised AES-256 GCM outbound encryption
Trace:	Initialised AES256 GCM outbound MAC algorithm (in ETM mode) (required by cipher)
Trace:	Initialised AES-256 GCM inbound encryption
Trace:	Initialised AES256 GCM inbound MAC algorithm (in ETM mode) (required by cipher)
Trace:	Pageant is running. Requesting keys.
Trace:	Pageant has 0 SSH-2 keys
Status:	Using username "will@cmdschool.org". 
Trace:	Attempting keyboard-interactive authentication
Trace:	CSftpControlSocket::SetAsyncRequestReply
Command:	Pass: **********
Trace:	CSftpControlSocket::SetAsyncRequestReply
Command:	Pass: ******
Trace:	Access granted
Trace:	Opening main session channel
Trace:	Opened main channel
Trace:	Started a shell/command
Status:	Connected to sftp.cmdschool.org
Trace:	Remote working directory is /
Trace:	CSftpConnectOpData::ParseResponse() in state 3
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpConnectOpData::Reset(0) in state 3
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpListOpData::Send() in state 0
Status:	Retrieving directory listing...
Trace:	CSftpChangeDirOpData::Send() in state 0
Trace:	CSftpChangeDirOpData::Send() in state 1
Command:	pwd
Response:	Current directory is: "/"
Trace:	CSftpChangeDirOpData::ParseResponse() in state 1
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpChangeDirOpData::Reset(0) in state 1
Trace:	CSftpListOpData::SubcommandResult(0) in state 1
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpListOpData::Send() in state 2
Trace:	CSftpListOpData::Send() in state 3
Command:	ls
Status:	Listing directory /
Trace:	CSftpListOpData::ParseResponse() in state 3
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpListOpData::Reset(0) in state 3
Status:	Directory listing of "/" successful
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpListOpData::Send() in state 0
Status:	Retrieving directory listing of "/myhome"...
Trace:	CSftpChangeDirOpData::Send() in state 0
Trace:	CSftpChangeDirOpData::Send() in state 2
Command:	cd "/myhome"
Response:	New directory is: "/myhome"
Trace:	CSftpChangeDirOpData::ParseResponse() in state 2
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpChangeDirOpData::Reset(0) in state 2
Trace:	CSftpListOpData::SubcommandResult(0) in state 1
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpListOpData::Send() in state 2
Trace:	CSftpListOpData::Send() in state 3
Command:	ls
Status:	Listing directory /myhome
Trace:	CSftpListOpData::ParseResponse() in state 3
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpListOpData::Reset(0) in state 3
Status:	Directory listing of "/myhome" successful
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Status:	Deleting "/myhome/dbeaver-ce_22.1.2_amd64.deb"
Trace:	CSftpControlSocket::Delete
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpDeleteOpData::Send() in state 0
Command:	rm "/myhome/dbeaver-ce_22.1.2_amd64.deb"
Response:	rm /myhome/dbeaver-ce_22.1.2_amd64.deb: OK
Trace:	CSftpDeleteOpData::ParseResponse() in state 0
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpDeleteOpData::Reset(0) in state 0
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Status:	Deleting "/myhome/www.cmdschool.org_nginx.zip"
Trace:	CSftpControlSocket::Delete
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpDeleteOpData::Send() in state 0
Command:	rm "/myhome/www.cmdschool.org_nginx.zip"
Response:	rm /myhome/www.cmdschool.org_nginx.zip: OK
Trace:	CSftpDeleteOpData::ParseResponse() in state 0
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpDeleteOpData::Reset(0) in state 0
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Status:	Deleting "/myhome/teams_1.5.00.10453_amd64.deb"
Trace:	CSftpControlSocket::Delete
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpDeleteOpData::Send() in state 0
Command:	rm "/myhome/teams_1.5.00.10453_amd64.deb"
Response:	rm /myhome/teams_1.5.00.10453_amd64.deb: OK
Trace:	CSftpDeleteOpData::ParseResponse() in state 0
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpDeleteOpData::Reset(0) in state 0
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpConnectOpData::Send() in state 0
Status:	Connecting to sftp.cmdschool.org:115...
Trace:	Going to execute /usr/bin/fzsftp
Response:	fzSftp started, protocol_version=11
Trace:	CSftpConnectOpData::ParseResponse() in state 0
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpConnectOpData::Send() in state 3
Command:	open "will@cmdschool.org@sftp.cmdschool.org" 115
Trace:	Looking up host "sftp.cmdschool.org" for SSH connection
Trace:	Connecting to sftp.cmdschool.org port 115
Trace:	We claim version: SSH-2.0-FileZilla_3.63.0
Trace:	Connected to sftp.cmdschool.org
Trace:	Remote version: SSH-2.0-OpenSSH_8.7
Trace:	Using SSH protocol version 2
Trace:	Enabling strict key exchange semantics
Trace:	Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Trace:	Server also has ecdsa-sha2-nistp256/rsa-sha2-512/rsa-sha2-256 host keys, but we don't know any of them
Trace:	Host key fingerprint is:
Trace:	ssh-ed25519 255 SHA256:LlyJqvhAWFx1h6tkA2KE3IQ6+44WuzEwZk7es2b7jjo
Trace:	Initialised AES-256 GCM outbound encryption
Trace:	Initialised AES256 GCM outbound MAC algorithm (in ETM mode) (required by cipher)
Trace:	Initialised AES-256 GCM inbound encryption
Trace:	Initialised AES256 GCM inbound MAC algorithm (in ETM mode) (required by cipher)
Trace:	Pageant is running. Requesting keys.
Trace:	Pageant has 0 SSH-2 keys
Status:	Using username "will@cmdschool.org". 
Trace:	Attempting keyboard-interactive authentication
Trace:	CSftpControlSocket::SetAsyncRequestReply
Command:	Pass: **********
Trace:	CSftpControlSocket::SetAsyncRequestReply
Command:	Pass: ******
Trace:	Access granted
Trace:	Opening main session channel
Trace:	Opened main channel
Trace:	Started a shell/command
Status:	Connected to sftp.cmdschool.org
Trace:	Remote working directory is /
Trace:	CSftpConnectOpData::ParseResponse() in state 3
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpConnectOpData::Reset(0) in state 3
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpFileTransferOpData::Send() in state 0
Status:	Starting upload of /home/will/Debian/software/teams_1.5.00.10453_amd64.deb
Trace:	CSftpChangeDirOpData::Send() in state 0
Trace:	CSftpChangeDirOpData::Send() in state 2
Command:	cd "/myhome"
Response:	New directory is: "/myhome"
Trace:	CSftpChangeDirOpData::ParseResponse() in state 2
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpChangeDirOpData::Reset(0) in state 2
Trace:	CSftpFileTransferOpData::SubcommandResult(0) in state 1
Trace:	CControlSocket::CheckOverwriteFile()
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpFileTransferOpData::Send() in state 4
Command:	put "/home/will/Debian/software/teams_1.5.00.10453_amd64.deb" "teams_1.5.00.10453_amd64.deb"
Command:	local:/home/will/Debian/software/teams_1.5.00.10453_amd64.deb => remote:/myhome/teams_1.5.00.10453_amd64.deb
Trace:	CSftpFileTransferOpData::ParseResponse() in state 4
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpFileTransferOpData::Reset(0) in state 4
Status:	File transfer successful, transferred 84,485,626 bytes in 1 second
Trace:	CFileZillaEnginePrivate::ResetOperation(0)
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpListOpData::Send() in state 0
Status:	Retrieving directory listing of "/myhome"...
Trace:	CSftpChangeDirOpData::Send() in state 0
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpChangeDirOpData::Reset(0) in state 0
Trace:	CSftpListOpData::SubcommandResult(0) in state 1
Trace:	CControlSocket::SendNextCommand()
Trace:	CSftpListOpData::Send() in state 2
Trace:	CSftpListOpData::Send() in state 3
Command:	ls
Status:	Listing directory /myhome
Trace:	CSftpListOpData::ParseResponse() in state 3
Trace:	CControlSocket::ResetOperation(0)
Trace:	CSftpListOpData::Reset(0) in state 3
Status:	Directory listing of "/myhome" successful
Trace:	CFileZillaEnginePrivate::ResetOperation(0)

Re: The problem of triggering verification when uploading and downloading files in interactive mode

#2 Post by tanzhenchao » 2024-04-12 07:05

We found the following case, so someone had discovered this issue as early as June 2015.

viewtopic.php?t=37078

In addition, we found that the new versions of WinSCP and Bitvise SSH Client can perfectly solve this problem, so is the FileZilla client team willing to fix this problem?

botg
Site Admin
Posts: 35851
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: The problem of triggering verification when uploading and downloading files in interactive mode

#3 Post by botg » 2024-04-12 07:50

That's the whole purpose of OTP, to ask the second factor on every connection.

You can limit the number of connections to one in the Site Manager at the cost of no longer being able to navigate the remote directory structure during ongoing transfers.

Re: The problem of triggering verification when uploading and downloading files in interactive mode

#4 Post by tanzhenchao » 2024-04-13 00:25

I think you mean to set it up as follows,
【File】->【Site Manager】->【My Sites】->【xxx】->【Transfer Settings】->【Limit number of simultaneous connections】-> “Maximum number of connections=1”
But we tested it and the configuration doesn't work. How should we fix it?

Re: The problem of triggering verification when uploading and downloading files in interactive mode

#5 Post by botg » 2024-04-15 06:39

Check the message log, there must have been disconnects.
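
The log check suggested in post #5, as an added example that is not part of the thread or of FileZilla's own code: a Python script that splits a FileZilla message log into connection attempts and reports, for each one, how many keyboard-interactive prompts were answered and which operation followed. The sample input is built from shortened lines of the debug log in post #1; the function and field names are assumptions of this example.

```python
import re

# Shortened copies of lines from the FileZilla debug log in post #1,
# assembled here as constructed sample input.
SAMPLE_LOG = """\
Status:\tConnecting to sftp.cmdschool.org:115...
Trace:\tAttempting keyboard-interactive authentication
Command:\tPass: **********
Command:\tPass: ******
Status:\tConnected to sftp.cmdschool.org
Status:\tRetrieving directory listing...
Status:\tDeleting "/myhome/www.cmdschool.org_nginx.zip"
Status:\tConnecting to sftp.cmdschool.org:115...
Trace:\tAttempting keyboard-interactive authentication
Command:\tPass: **********
Command:\tPass: ******
Status:\tConnected to sftp.cmdschool.org
Status:\tStarting upload of /home/will/Debian/software/teams_1.5.00.10453_amd64.deb
"""

LINE = re.compile(r"^(Status|Trace|Command|Response|Error):\s*(.*)$")

def connection_events(log_text):
    """Return one record per SSH connection attempt found in the log."""
    events, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, text = m.groups()
        if kind == "Status" and text.startswith("Connecting to "):
            current = {"target": text[len("Connecting to "):].rstrip("."),
                       "auth_method": None, "prompts": 0,
                       "connected": False, "first_operation": None}
            events.append(current)
        elif current is None:
            continue  # nothing to attribute lines to before the first connect
        elif kind == "Trace" and text.startswith("Attempting ") and text.endswith(" authentication"):
            current["auth_method"] = text[len("Attempting "):-len(" authentication")]
        elif kind == "Command" and text.startswith("Pass:") and not current["connected"]:
            current["prompts"] += 1  # one masked reply per password/OTP prompt
        elif kind == "Status" and text.startswith("Connected to "):
            current["connected"] = True
        elif kind == "Status" and current["connected"] and current["first_operation"] is None:
            current["first_operation"] = text  # what this connection was opened for
    return events

def reauthenticated(events):
    """Connections after the first that had to answer prompts again."""
    return [e for e in events[1:] if e["prompts"] > 0]
```

Run over a full message log, more than one record from `connection_events` with non-zero `prompts` means the client authenticated on more than one connection, and `first_operation` shows which action each connection was opened for.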
