  #1  
Old 04-29-2015, 04:52 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
Cannot SFTP to RouterOS (Mikrotik)

Hi!

I am using SecureFX 7.3.3

Whenever I try to SFTP to a RouterOS box (Mikrotik hardware) at some point
the connection just stops. I am attaching a logfile reflecting the issue to this message.

SSH access itself works fine.

Does anyone have any idea of what might be going on?

I tried to contact VanDyke support a couple of months ago but after some vague "we're investigating the issue you're having" haven't heard from them since.
Attached Files
File Type: txt sfx_ros_log.txt (10.1 KB, 966 views)

Last edited by vysh; 04-29-2015 at 04:58 AM.
  #2  
Old 04-29-2015, 05:01 PM
Maureen Maureen is offline
VanDyke Product Director
 
Join Date: Feb 2004
Location: Albuquerque, NM
Posts: 1,612
My apologies that it's taken so long for us to look into this issue. The programmer whose expertise was needed was working on other high-priority issues until recently. He started looking at this today and we should know more about this issue and possibly have a fix for you by next week.

Maureen
  #3  
Old 04-30-2015, 02:40 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
Thanks!

###### (padding for 10 symbols min limit)
  #4  
Old 04-30-2015, 12:13 PM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi vysh,

Further investigation into this issue has revealed that there is a bug in the MikroTik RouterOS SSH server.

We have a new build to try and work around the problem with the SSH server.

When we know if the workaround resolves the problem connecting to the broken SSH server, we will post to this thread.
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730
  #5  
Old 04-30-2015, 01:57 PM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
I suspected there was something non-standard on Mikrotik's side, but since one of the more popular open-source SFTP clients which I tried (I tried only one) had no trouble SFTPing to a RouterOS box (and I have to use it now even though I am a licensed user of SecureFX), I also thought there was something on SecureFX's side as well.

Would it be possible for you to share what you find about the nature of the bug so it could be reported to Mikrotik to let them fix it?
  #6  
Old 05-01-2015, 08:03 AM
rtb rtb is offline
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi vysh,

I am happy to provide some information. Here is the malformed packet SecureFX receives from the server:
00 00 00 2c 0d 5e 00 00 00 00 00 00 00 15 00 00 00 11 65 73 2d 6d 75 00 00 00 08 00 00 00 00 00 00 00 00
The data suggests that the server is attempting to send an UNSUPPORTED message (00 00 00 08) in response to SecureFX's STAT/REALPATH request. But, the server supplies an invalid request ID (73 2d 6d 75), in violation of the SFTP protocol. Rather than assume or guess the server's intention, SecureFX terminates the connection.
__________________
--Todd

Last edited by rtb; 05-01-2015 at 04:33 PM.
  #7  
Old 05-05-2015, 01:10 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
I emailed Mikrotik's support with the information rtb kindly provided.

They are rumored to be slow, so I doubt they will fix it quickly, if at all.
  #8  
Old 04-19-2016, 11:24 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
Sorry for the gravedigging, upgraded to 8.0 this morning.

From the SecureFX 8.0 changelog:

Quote:
Bugfixes:
- SFTP: SecureFX did not work with MikroTik routers running RouterOS.

I am afraid the problem still persists in 8.0. A connection attempt to a RouterOS box is only successful when you set "Disable Initial SFTP Extensions" to "1" in the .ini file.

With the default settings the connection just terminates after the auth stage on the STAT command.

For now I just edited the default.ini to "Disable Initial SFTP Extensions" set to "00000001".

The question is, will it somehow affect other SSH servers (like OpenSSH) in a negative way? What are these "Initial SFTP extensions" anyway?
  #9  
Old 04-19-2016, 01:22 PM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,098
Quote:
Originally Posted by vysh
I am afraid the problem still persists in 8.0. A connection attempt to a RouterOS box is only successful when you set "Disable Initial SFTP Extensions" to "1" in the .ini file...For now I just edited the default.ini to "Disable Initial SFTP Extensions" set to "00000001".

At the time you reported the issues you were having when attempting to connect to the MikroTik server using SFTP in SecureFX, there were two problems discovered:
1) MikroTik server wasn't handling initial SFTP extensions, and was replying with a message sequence that violates the SSH2 protocol, resulting in a disconnect.
2) MikroTik server wasn't sending the right message code for when a STAT request was made. The server was sending a generic message with a field that had text specific to the situation, instead of sending a specific message that is more commonly used in that specific scenario.

At the time, resolved #1 by setting the "Disable Initial SFTP Extensions" ini file option to 1, instructing SecureFX to *not* send any SFTP extension requests.

#2 was resolved in two ways... first, we (VanDyke) created a workaround and implemented a translation to handle the generic message sent by the MikroTik server. Second, MikroTik contacted you and said, "we will report correct code (2) when on these errors in the future"... indicating that they were making a code change to their SFTP server to send the more correct code.

Quote:
Originally Posted by vysh
The question is, will it somehow affect other SSH servers (like OpenSSH) in a negative way? What are these "Initial SFTP extensions" anyway?

The SFTP protocol doesn't do everything everyone would ever want to do. The authors of the protocol specification took this under consideration and allowed for implementations to "extend" the protocol to meet their specific needs. Hence, SFTP Extensions were born and provide value in SFTP communications between clients and servers that support common/known extensions (some of which are documented and others known only to their respective implementers).

When an SSH2 client has completed the authentication process to an SSH2 server, it can begin to ask for subsystems or services to be started. SFTP is a subsystem of the SSH2 protocol so an SFTP client first does SSH2 protocol negotiation, authenticates, and then asks the server to start up SFTP on its behalf.

When the SFTP subsystem is initialized, the SFTP protocol version is negotiated, and then extension requests are sent from the client to the server. Here's how SFTP clients are to format this request to the server (according to v3 of the SFTP protocol specification found here):
Code:
8. Vendor-Specific Extensions
   The SSH_FXP_EXTENDED request provides a generic extension mechanism
   for adding vendor-specific commands.  The request has the following
   format:

        uint32     id
        string     extended-request
        ... any request-specific data ...

   where `id' is the request identifier, and `extended-request' is a
   string of the format "name@domain", where domain is an internet
   domain name of the vendor defining the request.  The rest of the
   request is completely vendor-specific, and servers should only
   attempt to interpret it if they recognize the `extended-request'
   name.

   The server may respond to such requests using any of the response
   packets defined in Section ``Responses from the Server to the
   Client''.  Additionally, the server may also respond with a
   SSH_FXP_EXTENDED_REPLY packet, as defined below.  If the server does
   not recognize the `extended-request' name, then the server MUST
   respond with SSH_FXP_STATUS with error/status set to
   SSH_FX_OP_UNSUPPORTED.

In the case of the MikroTik server specific to your scenario, SecureFX sends two extension packets to the server, with request IDs of 0 and 1, respectively.
The MikroTik server replies with an "unsupported" message in reply to ID #0, but then the MikroTik server replies with a message indicating a request ID of 1932356981. This is unknown as an ID to SecureFX (ID #1 is the only remaining ID outstanding), so SecureFX has to shut down the connection.

Disabling the initial SFTP extensions in SecureFX will not likely cause problems with other SFTP servers. It's not a requirement for a client to request any extensions, so if a client doesn't request them, it shouldn't be a big deal. And, at least in your case with this specific server, it helps work around a problem with this specific server.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
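
The request-ID check described in posts #6 and #9, as an added example that is not part of the thread and is not VanDyke's code: it decodes the packet quoted in post #6 and matches its request ID against the IDs still outstanding. Reading the leading bytes as SSH packet framing with an SSH_MSG_CHANNEL_DATA header is an assumption based on the dump's layout, and the function names are illustrative.

```python
import struct

# Packet bytes copied from post #6 of this thread.
DUMP = bytes.fromhex(
    "0000002c0d5e" "00000000" "00000015"
    "00000011" "65" "732d6d75" "00000008" "00000000" "00000000")

SSH_MSG_CHANNEL_DATA = 94     # RFC 4254
SSH_FXP_STATUS = 101          # SFTP v3 draft
SSH_FX_OP_UNSUPPORTED = 8     # status code named in the quoted section 8


def sftp_payload(ssh_packet: bytes) -> bytes:
    """Strip the assumed SSH framing and return the channel data (SFTP packet)."""
    _pkt_len, _pad_len, msg = struct.unpack_from(">IBB", ssh_packet, 0)
    if msg != SSH_MSG_CHANNEL_DATA:
        raise ValueError(f"not channel data: message type {msg}")
    _channel, data_len = struct.unpack_from(">II", ssh_packet, 6)
    data = ssh_packet[14:14 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated channel data")
    return data


def parse_status(sftp: bytes) -> tuple[int, int]:
    """Return (request_id, status_code) from an SSH_FXP_STATUS packet."""
    length, ptype, req_id, code = struct.unpack_from(">IBII", sftp, 0)
    if length != len(sftp) - 4 or ptype != SSH_FXP_STATUS:
        raise ValueError("not a well-formed SSH_FXP_STATUS packet")
    return req_id, code


def accept_reply(outstanding: set[int], sftp: bytes) -> int:
    """Match a reply to a pending request; refuse IDs that were never sent."""
    req_id, code = parse_status(sftp)
    if req_id not in outstanding:
        raise ValueError(f"reply for unknown request id {req_id}")
    outstanding.remove(req_id)
    return code


if __name__ == "__main__":
    pending = {1}  # per post #9: ID 0 already answered, ID 1 outstanding
    print(parse_status(sftp_payload(DUMP)))
    try:
        accept_reply(pending, sftp_payload(DUMP))
    except ValueError as exc:
        print("closing connection:", exc)
```

The decoded request ID is the decimal form of the bytes 73 2d 6d 75 from post #6, which is the value quoted in post #9.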
  #10  
Old 04-20-2016, 02:37 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
Thank you for the detailed answer, jdev. It makes perfect sense. I was just hoping you guys would implement a workaround for the buggy server (as you did for Cisco's incorrect SFTP version reporting), for example, ignoring the incorrect RequestID sent by RouterOS. Apparently WinSCP (which is based on PuTTY) does not have any problems connecting to RouterOS. And I would hate to run it just for that purpose alone.
  #11  
Old 04-20-2016, 11:29 AM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,098
Quote:
Originally Posted by vysh
Thank you for the detailed answer, jdev. It makes perfect sense. I was just hoping you guys would implement a workaround for the buggy server (as you did for Cisco's incorrect SFTP version reporting), for example, ignoring the incorrect RequestID sent by RouterOS. Apparently WinSCP (which is based on PuTTY) does not have any problems connecting to RouterOS. And I would hate to run it just for that purpose alone.

I thought the .ini file option was the workaround you were using.

Did I misunderstand your earlier post in which you said that the option works as a way to allow you to connect to RouterOS?

--Jake
  #12  
Old 04-21-2016, 04:46 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
Quote:
Originally Posted by jdev
I thought the .ini file option was the workaround you were using.

Did I misunderstand your earlier post in which you said that the option works as a way to allow you to connect to RouterOS?

--Jake

It does work, I set it in default.ini and I now can SFTP to RouterOS without any issues. I just don't like it when I have to potentially cripple my other devices by disabling SFTP extensions altogether. Well, I think I can live with that until at least Mikrotik find the time to fix the problem on their side.
  #13  
Old 04-21-2016, 10:03 AM
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,098
Quote:
Originally Posted by vysh
It does work, I set it in default.ini and I now can SFTP to RouterOS without any issues. I just don't like it when I have to potentially cripple my other devices by disabling SFTP extensions altogether. Well, I think I can live with that until at least Mikrotik find the time to fix the problem on their side.

Thanks for confirming that the fix works for you. I thought I might have misunderstood your earlier statement.

I've created a feature request for automatically handling compatibility issues with this specific SFTP server and we'll post here if such an automation convenience is implemented.

--Jake
  #14  
Old 08-08-2016, 05:06 AM
vysh vysh is offline
Registered User
 
Join Date: Oct 2014
Posts: 40
Just dropped by to tell you guys who've been interested to see this issue resolved.

As of version 6.34.6 (current bugfix branch) RouterOS no longer exhibits this glitch and lets you connect fine using SFTP without setting "Disable initial SFTP Extensions" to "1" in the session's ini file.

It was a huge nuisance, phew, glad it's been fixed.
  #15  
Old 08-08-2016, 09:15 AM
bgagnon bgagnon is offline
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 4,635
Hi vysh,

Thanks for posting the update!
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730