Hitting error -44 "Unable to ask for ssh-userauth service" with mbedtls #793
Comments
There is one place -44 is returned and that is from
I'm adding some end-to-end data transfer tests in PR#807 and the CI tests are showing all the following crypt methods failing with this error for MbedTLS:
@green-nsk Is this happening with mbedTLS 2.x or 3.x?
@vszakats it's 2.28.0 (built-in Julia one)
I believe I have a similar (related) issue, also with a server over which I have no control. When the client (libssh2) requests the userauth service the reply packet is apparently mangled. In session.c at libssh2_NB_state_sent4 it calls The server works fine with OpenSSH (I debugged down there and it gets a reasonable packet). It's a server from a large transport company, so I guess I could share the name for debugging or do some other debugging tasks myself.
Upon further debugging, it appears that the remote server does not like the random padding (or libssh2 is doing something wrong with the random pad). Not sure what is going wrong there exactly (my understanding of the protocol at that level is woefully inadequate), but the "ssh-userauth" request is the first encrypted outgoing packet and the reply is the first encrypted received packet. With random padding enabled, it seems the two sides get out of sync (differing on the sent packet), so the received packet is decrypted incorrectly. The "fun" thing, at least as far as I can tell, is that RANDOM_PADDING isn't set in libssh2 itself. But in my case the source picked up the definition from a Windows header (WinCrypt.h), so I'd say it got accidentally enabled. I'll file that as a bug separately and let the upper echelons decide if that was intended or not.
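As background for the padding discussion in the comment above, here is an added example (not code from libssh2 or from anyone in this thread) of the RFC 4253 section 6 padding rules for classic non-AEAD, non-ETM ciphers such as aes256-cbc. The function names and the `extra_blocks` parameter are hypothetical, and the sample payload size is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_MIN_PADDING 4    /* RFC 4253 section 6: at least 4 bytes */
#define SSH_MAX_PADDING 255  /* padding_length is a single byte */

/* Alignment unit: the cipher block size, but never less than 8. */
static size_t ssh_align(size_t cipher_block)
{
    return cipher_block < 8 ? 8 : cipher_block;
}

/* Smallest legal padding: packet_length (4) + padding_length (1) + payload
 * + padding must be a multiple of the alignment unit. */
size_t ssh_min_padding(size_t payload_len, size_t cipher_block)
{
    size_t bs = ssh_align(cipher_block);
    size_t pad = bs - ((5 + payload_len) % bs);
    return pad < SSH_MIN_PADDING ? pad + bs : pad;
}

/* Minimum padding plus up to extra_blocks whole blocks (hypothetical knob; a
 * sender would pick it at random), never exceeding the one-byte limit. */
size_t ssh_padding_with_extra(size_t payload_len, size_t cipher_block,
                              size_t extra_blocks)
{
    size_t bs = ssh_align(cipher_block);
    size_t pad = ssh_min_padding(payload_len, cipher_block);
    while (extra_blocks-- > 0 && pad + bs <= SSH_MAX_PADDING)
        pad += bs;
    return pad;
}

/* Receiver-side sanity check of the decrypted header; returns 1 if plausible. */
int ssh_header_ok(uint32_t packet_length, uint8_t padding_length,
                  size_t cipher_block)
{
    if (padding_length < SSH_MIN_PADDING || packet_length < padding_length + 1u)
        return 0;
    return ((uint64_t)packet_length + 4) % ssh_align(cipher_block) == 0;
}

int main(void)
{
    /* Constructed sample: SSH_MSG_SERVICE_REQUEST "ssh-userauth" = 1 + 4 + 12 bytes. */
    printf("min=%zu extra=%zu\n", ssh_min_padding(17, 16), ssh_padding_with_extra(17, 16, 2));
    return 0;
}
```

Any amount of extra padding that keeps the total block-aligned and within 255 bytes passes `ssh_header_ok`, while a header decrypted with the wrong cipher state will usually fail it.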
@Markus-Schmidt: can you confirm that patch #921 fixed this issue?
@vszakats: It does fix my version of the issue, but I'm not sure if it is the same issue the original poster @green-nsk had. (I had initially thought these may be similar issues, so I first posted here, before opening another bug #921 after further debugging). But I guess the question here is more if the patch fixes the original reporter's @green-nsk issue (for example he mentions an Ubuntu in his report, so he may be affected by something else).
Thanks @Markus-Schmidt. Our CI still fails, so there seems to be something else at play here: https://github.com/libssh2/libssh2/actions/runs/4709502488/jobs/8352601338?pr=969#step:7:1091
Describe the bug
When downloading from SFTP via libcurl, I am hitting error code -44 with description "Unable to ask for ssh-userauth service". This happens for one particular SFTP server, and others work fine.
To Reproduce
I think it has to do with the server using the aes256-cbc algorithm. As I have no control over the server, I'm trying to verify that assumption by changing the advertised set of ciphers on my side.
Expected behavior
I would like it to work :-D
Version (please complete the following information):
Additional context
It seems to fail to encrypt the message before sending it. Relevant code here and here.
I have found a similar issue here which was resolved by fixing how openssl functions are called here. I assume this might be a similar issue with mbedtls, but I'd be hard pressed to find out exactly what's wrong.