
Commit archive over SFTP doesn't work with non-standard ports
Closed, ResolvedPublicBUG

Description

You want VyOS to send a remote backup through SFTP after every commit, so you configure it with

set system config-management commit-archive location sftp://user:password@address:port/directory

The server is a vsftpd on CentOS

When you do

commit

you get the following error:

curl: (51) SSL peer certificate or SSH remote key was not OK

However, if, on the same VyOS, you do

sudo sftp -P port user@address

and enter the password when prompted, then the SFTP session is established without a problem.

@Dmitry found where the problem is and described a workaround:

Edit /opt/vyatta/sbin/vyatta-commit-push.pl
and replace the following line

$cmd = "curl -g -s -S -T $tmp_push_file $uri/$save_file";

with this one

$cmd = "curl -k -g -s -S -T $tmp_push_file $uri/$save_file";

Adding option -k (insecure) allows the connection to be established even though certificates cannot be verified, as in auto-signed certificates, so remote backup can be done through VyOS CLI without the mentioned error.

Details

Version
VyOS 1.2.4
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) created this task.Dec 10 2019, 10:46 AM

I dove a bit deeper into this issue and found another workaround.
It seems to only occur when an sftp or scp host is specified with a different port than the default port.
The command "ssh-keyscan" is provided with the host in the form "hostname:port", which it doesn't resolve to an ssh-rsa key.
ssh-keyscan apparently needs the option "-p PORT" in order to write the host key of the remote sftp/scp server to the known hosts file.
To add a host to the known hosts file I ran the following command:

ssh-keyscan -t ssh-rsa -p SERVERPORT SERVERHOSTNAME > ~/.ssh/known_hosts

After that the remote backups worked flawlessly without editing the system file.
I think in order to fix this issue, the script would need to check if the port is specified in the location-string and then use a different syntax (like above) to write the key of the server to the known_hosts file.
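The check the comment above asks for, as an added example that is not VyOS's own code (neither the 1.2.4 Perl script nor the later Python rewrite): split the commit-archive location URL into host and port, and build the ssh-keyscan and curl command lines with the port passed explicitly. The function names, the `tmp_push_file`/`save_file` arguments and the sample URLs are assumptions for illustration; the `[host]:port` form is the notation OpenSSH uses in known_hosts for non-default ports, which is why a key scanned for `address:2222` does not match what the SSH client looks up when the port is omitted from the scan.

```python
"""Added example, not VyOS project code: parse a commit-archive location
and build ssh-keyscan / curl argv lists with the port handled explicitly."""
from urllib.parse import urlsplit

DEFAULT_SSH_PORT = 22


def split_location(location):
    """Return (scheme, user, password, host, port, path) for an sftp://
    or scp:// location URL. The port defaults to 22 when the URL has none."""
    u = urlsplit(location)
    if u.scheme not in ("sftp", "scp"):
        raise ValueError(f"unsupported scheme: {u.scheme!r}")
    if not u.hostname:
        raise ValueError("location has no host")
    port = u.port if u.port is not None else DEFAULT_SSH_PORT  # u.port raises on a non-numeric port
    return u.scheme, u.username, u.password, u.hostname, port, u.path


def keyscan_argv_broken(location):
    """What passing the raw authority to ssh-keyscan looks like: the last
    argument becomes 'host:port', which ssh-keyscan does not resolve."""
    u = urlsplit(location)
    authority = u.netloc.rsplit("@", 1)[-1]  # strip user:password@
    return ["ssh-keyscan", "-t", "ssh-rsa", authority]


def keyscan_argv(location):
    """Corrected form: the port goes in -p and only the host name is positional."""
    _, _, _, host, port, _ = split_location(location)
    return ["ssh-keyscan", "-t", "ssh-rsa", "-p", str(port), host]


def known_hosts_hostname(host, port):
    """The host field OpenSSH writes (and looks up) in known_hosts: a bare
    host name on port 22, '[host]:port' on any other port."""
    return host if port == DEFAULT_SSH_PORT else f"[{host}]:{port}"


def curl_argv(location, tmp_push_file, save_file):
    """curl upload as in vyatta-commit-push.pl (-g -s -S -T), without -k:
    once the host key is in known_hosts the certificate/key check passes."""
    base = location.rstrip("/")
    return ["curl", "-g", "-s", "-S", "-T", tmp_push_file, f"{base}/{save_file}"]


if __name__ == "__main__":
    # Constructed sample location with a non-standard port (hypothetical host).
    loc = "sftp://user:password@address:2222/directory"
    print("broken:", " ".join(keyscan_argv_broken(loc)))
    print("fixed: ", " ".join(keyscan_argv(loc)))
    _, _, _, host, port, _ = split_location(loc)
    print("known_hosts entry starts with:", known_hosts_hostname(host, port))
    print("upload:", " ".join(curl_argv(loc, "/tmp/config.boot.tmp", "config.boot")))
```

Two caveats when wiring this into a real pre-seeding step: redirecting ssh-keyscan output with `>` replaces the whole known_hosts file, so `>>` (or writing to a dedicated file given to curl's known_hosts lookup) is the safer choice; and ssh-keyscan trusts whatever key the server presents at scan time, so compare the scanned fingerprint against one obtained out of band before relying on it for unattended backups that carry the router's full configuration, including credentials.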

dmbaturin renamed this task from SSH remote key was not OK to Commit archive over SFTP doesn't work with non-standard ports.Jun 18 2020, 10:06 PM

New file transfer script parses the port field in the URL.

erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 6:08 PM