-
Notifications
You must be signed in to change notification settings - Fork 301
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SFTP upload blocked by "ssh: disconnect, reason 2: too many authentication failures" #1354
Comments
Can you share your full upload command ? |
|
Testing on master
What happens if you do a manual log-in, with On my first try I has to accept the host cert.. maybe that is it? |
I brought up the latest minio using this services:
minio:
image: quay.io/minio/minio:latest
command: server /data --console-address ":9001" --sftp="address=:8022" --sftp="ssh-private-key=/home/miniouser/.ssh
/id_rsa"
environment:
- MINIO_ROOT_USER=minioadmin
- MINIO_ROOT_PASSWORD=minioadmin
- TZ=Europe/Stockholm
volumes:
- ./minio_key:/home/miniouser/.ssh/id_rsa:ro
ports:
- 9000:9000
- 9001:9001
- 8022:8022 First I created a bucket "test" and uploaded a file there: mc alias set sftptest http://127.0.0.1:9000 minioadmin minioadmin
mc mb sftptest/test
touch sftptest.txt
mc cp sftptest.txt sftptest/test No problems so far. Then I attempted to connect using sftp -P 8022 -o StrictHostKeyChecking=accept-new miniouser@127.0.0.1:test Result:
The log from minio:
Apart from the "ssh: disconnect, reason 2: too many authentication failures" there is also an initial error "ERRO: Calculating checksum failed: open minio: no such file or directory" which I am not sure if I need to act on. |
yes, you need to set an absolute path to the minio binary inside the pod. (regarding the checksum error). Let's fix that first and then try again |
Also, I'm not an expert in docker services but won't :ro set the key to be read-only from the containers perspective ? does the user which runs minio also have the proper permissions on the key ? |
I think the container does not need any rights to modify the private key file, since key files often have too open permissions, I just from habit put it to be readonly, this is a rootful container anyways, I think? How can I set an absolute path to the minio binary inside the container? I haven't seen this error message with earlier versions and this is a stock image being used. Some new moves needed for that now? I can absolutely try to relax the permissions on the key file and fix the absolute path to the minio binary inside the container, if you can provide some clues for how to do the latter. And try again. |
yea, I'm trying to set this up myself and whenever I mount my id_rsa key using the same method it thinks it's a directory
I'm out of my depth when it comes to debugging stuff like this, I'm going to poke someone with more ducker/kubernetes experience for you. |
Using volumes:
- ./minio_key:/home/miniouser/.ssh/id_rsa:ro as long as the keyfile is located in the same directory as the But I thought absolute paths would be fine too. Perhaps there is some difference between linux and macos when using "docker compose" or "podman compose" with regards to mounting files like that (ie not using "docker volume mounts" but bind mounts directly). In any case, I checked that this command actually returns the content of the private keyfile, so that shouldn't be an issue:
|
@mskyttner miniouser is the wrong username, it's minioadmin ? |
Gah! Yes, so I tried to clean up with |
I can't seem to reproduce your problem |
It works for me too if using an earlier version of the image:
Are you using the image with the checksum/id 683daefd75a4? |
b3e6f75ad212 quay.io/minio/minio:latest "/usr/bin/docker-ent…" 8 minutes ago Exited (0) 9 seconds ago |
Pulled the image just a few minute ago |
Ok, strange... not sure then what is going on here. |
try deleting the image and pulling it again |
I seem to be on the latest:
|
you do indeed, then I have no clue.. but it's not an issue with our image at least, I've tripple checked. |
I'll leave this issue open for today incase you find something new, but I'll be closing it by the end of day since it's not a bug |
Any hints about how to get rid of the "minio-1 | ERRO: Calculating checksum failed: open minio: no such file or directory"? |
I don't think it affects the sftp server.. but it's an issue we fixed internally. Just ignore it for now. |
I can get sftp transfers using password authentication to work non-interactively (on latest minio) by explicitly disabling pubkeyauthentication like this: # this used to work for earlier versions of minio server, but not any longer...
$ SSHPASS="minioadmin" sshpass -e sftp -P 8022 minioadmin@127.0.0.1:test <<< 'put sftptest.txt'
Received disconnect from 127.0.0.1 port 8022:2: too many authentication failures
Disconnected from 127.0.0.1 port 8022
Connection closed.
Connection closed
# ... but it works if I explicitly switch off pubkey authentication attempts and forces password authentication only
$ SSHPASS="minioadmin" sshpass -e sftp -P 8022 -o PubkeyAuthentication=no -o PreferredAuthentications=password minioadmin@127.0.0.1:test <<< 'put sftptest.txt'
Connected to 127.0.0.1.
Changing to: /test
sftp> put sftptest.txt
Uploading sftptest.txt to /test/sftptest.txt So it is maybe not a bug but a difference in behavior. I think the "too many authentication failures" comes from sftp/ssh attempting all existing keys on the system before it moves on to password authentication and those keys can be many so it never got all the way to the password authentication step as it was hitting "too many authentication failures". In any case I have a workaround and even if the new behavior is different than before, it does not block me from upgrading to the latest version. |
This seems to be a common configuration issue in core sftp, not much we can do here: https://serverfault.com/questions/36291/how-to-recover-from-too-many-authentication-failures-for-user-root Also, Closing this issue. |
Since this issue is the top result for
|
Than you, our docs team will have a look and potentially update the docs. |
- Adds missing config settings throughout storage class page. Closes #1349 - Adds instructions for adding certificates for connecting by sftp. Closes #1354 - Corrects information about which key to use for self-signed CAs. Closes #1358 - Moves `context` to optional for batch key rotate jobs. Closes #1356 - clean up missing ref links causing build warnings.
This worked with
quay.io/minio/minio:RELEASE.2024-01-16T16-07-38Z
but after upgrade toquay.io/minio/minio:RELEASE.2024-09-22T00-33-43Z
the following message appears when attempting upload of a file to a bucket usingsftp
:Expected Behavior
Same as when using
quay.io/minio/minio:RELEASE.2024-01-16T16-07-38Z
, ie not reporting "ssh: too many authentication failures"Current Behavior
Not possible to upload file using sftp due to "ssh: too many authentication failures". Note that password authentication is used, so we're not attempting to use certificates in line with the new "TrustedCACert"-variant (which honestly in my opinion feels a bit awkward instead of just reading "authorized_keys").
Possible Solution
It looks like the issue has been introduced by any of the PRs related to the "pubkey access" feature , since downgrading to
RELEASE.2024-05-01T01-11-10Z
(the version just before the one with "pubkey access via SFTP") appears to resolve the issue.Steps to Reproduce (for bugs)
quay.io/minio/minio:RELEASE.2024-05-01T01-11-10Z
with password based authentication for SFTP transfers - it worksquay.io/minio/minio:RELEASE.2024-09-22T00-33-43Z
- it doesn't work without "ssh: disconnect, reason 2: too many authentication failures"Context
I am currently stuck at using an earlier version of minio which supports this.
If I upgrade to the latest version, I will run into what looks like a regression starting with versions after the "pubkey access via SFTP"-features were introduced.
Regression
It appears so.
See above.
Your Environment
Containerized minio, information about versions were provided above.
Running on linux.
The text was updated successfully, but these errors were encountered: