https://bugs.kde.org/show_bug.cgi?id=513949

            Bug ID: 513949
           Summary: KDEConnect - sshfs finished with exit code 1 (due to
                    too many pubkeys)
    Classification: Applications
           Product: kdeconnect
      Version First 25.12.0
       Reported In:
          Platform: Manjaro
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: common
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]
  Target Milestone: ---

I am creating a new bug instead of necroing #406978 because it is so old that I
completely forgot about it before starting the bug report flow and had to
rediscover the issue and re-debug it again.

---

SUMMARY

Having more than 19 (=20-1) SSH keys loaded in one's SSH key agent leads to a
failure of the "Browse this device" action in Plasma (dolphin). It seems the
desktop client does not exclude implicitly loaded keys while the Android app
treats all those irrelevant keys as unsuccessful authentication attempts and
gives up after 20 failures, meaning the correct identity is never even tried.

STEPS TO REPRODUCE
1. Install Android (GrapheneOS on Pixel 6a) app v=1.34.4 from GPlay OR F-Droid
2. Optionally purge Plasma config
3. Pair with Kdeconnect on Plasma
4. Configure 'Filesystem access' plugin by assigning 'All files access' special
permission in Android
5. Have more than 19 SSH keys loaded in the SSH agent on the Plasma machine
6. Try browsing the remote filesystem

OBSERVED RESULT

 "Error when accessing filesystem. sshfs finished with exit code 1"
and 
"The file or folder
/run/user/1000/6f73818c8f294cc59fc7bf1c6d387b75/storage/emulated/0 does not
exist."

EXPECTED RESULT

It should just work™️ regardless of the contents of my ~/.ssh or other local
configuration

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: 
KDE Plasma Version: 6.5.4-1 (X11)
KDE Frameworks Version: 6.21.0-1
Qt Version: 6.10.1-1

ADDITIONAL INFORMATION

$ journalctl
```
systemd[1]: run-user-1000-6f73818c8f294cc59fc7bf1c6d387b75.mount: Deactivated
successfully.
kdeconnectd[581330]: "Pixel 6a" : "Error when accessing filesystem. sshfs
finished with exit code 1"
kdeconnectd[590503]: /usr/bin/fusermount: entry for
/run/user/1000/6f73818c8f294cc59fc7bf1c6d387b75 not found in /etc/mtab
systemd[1]: run-user-1000-6f73818c8f294cc59fc7bf1c6d387b75.mount: Deactivated
successfully.
kdeconnectd[581330]: "Pixel 6a" : "Error when accessing filesystem. sshfs
finished with exit code 1"
kdeconnectd[590522]: /usr/bin/fusermount: entry for
/run/user/1000/6f73818c8f294cc59fc7bf1c6d387b75 not found in /etc/mtab
kdeconnectd[581330]: Failed to notify "Created too many similar notifications
in quick succession"
kdeconnectd[581330]: "Pixel 6a" : "Error when accessing filesystem. sshfs
finished with exit code 1"
kdeconnectd[590531]: /usr/bin/fusermount: entry for
/run/user/1000/6f73818c8f294cc59fc7bf1c6d387b75 not found in /etc/mtab
<MESSAGES REPEAT>
```

$ adb logcat
```
I KDE/LanLinkProvider: Broadcast identity packet received from my-laptop
I KDE/LanLinkProvider: Starting SSL handshake with my-laptop trusted:true
D LanLinkProvider: Starting handshake
D LanLinkProvider: Handshake done
I KDE/LanLinkProvider: Handshake as server successful with my-laptop secured
with TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
D KDE/LanLinkProvider: Creating a new link for device
73ca88c0bbb84996bd1f038037fcdb95
I Device  : my-laptop: reloading plugins
D KDE/addPlugin: Permissions OK BatteryPlugin
D KDE/addPlugin: Optional Permissions OK BatteryPlugin
D KDE/addPlugin: Permissions OK ClipboardPlugin
D KDE/addPlugin: Optional Permissions OK ClipboardPlugin
D KDE/addPlugin: No permission ConnectivityReportPlugin
D KDE/addPlugin: No permission ContactsPlugin
D KDE/addPlugin: Permissions OK FindMyPhonePlugin
D KDE/addPlugin: Optional Permissions OK FindMyPhonePlugin
D KDE/addPlugin: Permissions OK FindRemoteDevicePlugin
D KDE/addPlugin: Optional Permissions OK FindRemoteDevicePlugin
D KDE/addPlugin: Permissions OK MousePadPlugin
D KDE/addPlugin: Optional Permissions OK MousePadPlugin
D KDE/addPlugin: No permission MouseReceiverPlugin
D KDE/addPlugin: Permissions OK MprisPlugin
D KDE/addPlugin: Optional Permissions OK MprisPlugin
D KDE/addPlugin: No permission MprisReceiverPlugin
D KDE/addPlugin: No permission NotificationsPlugin
D KDE/addPlugin: Permissions OK PingPlugin
D KDE/addPlugin: Optional Permissions OK PingPlugin
D KDE/addPlugin: Permissions OK PresenterPlugin
D KDE/addPlugin: Optional Permissions OK PresenterPlugin
D KDE/addPlugin: No permission RemoteKeyboardPlugin
D KDE/addPlugin: Permissions OK RunCommandPlugin
D KDE/addPlugin: Optional Permissions OK RunCommandPlugin
D KDE/addPlugin: No permission SMSPlugin
D KDE/addPlugin: Permissions OK SftpPlugin
D KDE/addPlugin: Optional Permissions OK SftpPlugin
D KDE/addPlugin: Permissions OK SharePlugin
D KDE/addPlugin: Optional Permissions OK SharePlugin
D KDE/addPlugin: Permissions OK SystemVolumePlugin
D KDE/addPlugin: Optional Permissions OK SystemVolumePlugin
D KDE/addPlugin: No permission TelephonyPlugin
I MainActivity: Device list changed, notifying 1 observers.
W Device  : Ignoring packet with type
kdeconnect.contacts.request_all_uids_timestamps because no plugin can handle it
W Device  : Ignoring packet with type kdeconnect.notification.request because
no plugin can handle it
W KDEConnect:ServerUserAuthService:
handleUserAuthRequestMessage(ServerSessionImpl[null@/192.168.1.181:57504])
Failed (SshException) to authenticate using factory method=publickey: EdDSA
provider not supported
W KDEConnect:ServerUserAuthService:
handleUserAuthRequestMessage(ServerSessionImpl[null@/192.168.1.181:57504])
Failed (SshException) to authenticate using factory method=publickey: EdDSA
provider not supported
W KDEConnect:ServerUserAuthService:
handleUserAuthRequestMessage(ServerSessionImpl[null@/192.168.1.181:57504])
Failed (SshException) to authenticate using factory method=publickey: EdDSA
provider not supported
W KDEConnect:ServerUserAuthService:
handleUserAuthRequestMessage(ServerSessionImpl[null@/192.168.1.181:57504])
Failed (SshException) to authenticate using factory method=publickey: EdDSA
provider not supported
W KDEConnect:ServerUserAuthService:
handleUserAuthRequestMessage(ServerSessionImpl[null@/192.168.1.181:57504])
Failed (SshException) to authenticate using factory method=publickey: EdDSA
provider not supported
W KDEConnect:ServerUserAuthService:
handleUserAuthRequestMessage(ServerSessionImpl[null@/192.168.1.181:57504])
Failed (SshException) to authenticate using factory method=publickey: EdDSA
provider not supported
I KDEConnect:ServerSessionImpl:
Disconnecting(ServerSessionImpl[null@/192.168.1.181:57504]):
SSH2_DISCONNECT_PROTOCOL_ERROR - Too many authentication failures: 21
<MESSAGES REPEAT>
```


---

DEBUGGING

$ ls -l ~/.ssh/*.pub | wc -l
24

$ sftp -v -v -P 1739 -F /dev/null -o UserKnownHostsFile=/dev/null -o
IdentityFile=~/.config/kdeconnect/privateKey.pem
[email protected]:/storage/emulated/0/
```
<SNIP>
debug1: Authentications that can continue:
password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 24 keys
debug1: Will attempt key: <CENSORED>
<CENSORED x 19>
debug1: Will attempt key: admin@nexus RSA SHA256:<CENSORED> agent
<CENSORED x 3>
debug1: Will attempt key: /home/<CENSORED>/.config/kdeconnect/privateKey.pem 
explicit
debug2: pubkey_prepare: done
debug1: Offering public key: <CENSORED> agent
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
password,keyboard-interactive,publickey
<CENSORED x 19>
debug1: Offering public key: admin@nexus RSA SHA256:<CENSORED> agent
debug2: we sent a publickey packet, wait for reply
Received disconnect from 192.168.1.171 port 1739:2: Protocol error or corrupt
packet
Disconnected from 192.168.1.171 port 1739
<i.e. /home/<CENSORED>/.config/kdeconnect/privateKey.pem was NOT USED>
```

=> FAILURE

$ sftp -v -v -P 1739 -F /dev/null -o UserKnownHostsFile=/dev/null -o
IdentityFile=~/.config/kdeconnect/privateKey.pem -o IdentitiesOnly=yes
[email protected]:/storage/emulated/0/
```
<SNIP>
debug1: Authentications that can continue:
password,keyboard-interactive,publickey
debug1: Next authentication method: publickey
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 24 keys
debug1: Will attempt key: /home/<CENSORED>/.config/kdeconnect/privateKey.pem 
explicit
debug2: pubkey_prepare: done
debug1: Trying private key: /home/<CENSORED>/.config/kdeconnect/privateKey.pem
debug2: we sent a publickey packet, wait for reply
Authenticated to 192.168.1.171 ([192.168.1.171]:1739) using "publickey".
<SNIP>
Connected to 192.168.1.171.
debug2: Sending SSH2_FXP_REALPATH "."
debug2: Sending SSH2_FXP_STAT "/storage/emulated/0/"
Changing to: /storage/emulated/0/
debug2: Sending SSH2_FXP_REALPATH "/storage/emulated/0/"
debug2: Sending SSH2_FXP_STAT "/storage/emulated/0"
sftp>
```

=> SUCCESS

```
$ mv ~/.ssh ~/.ssh.bak
$ install -d -m700 ~/.ssh
$ cp ~/.ssh.bak/config ~/.ssh/
$ sftp -v -v -P 1739 -o UserKnownHostsFile=/dev/null -o
IdentityFile=~/.config/kdeconnect/privateKey.pem
[email protected]:/storage/emulated/0/
```

=> SUCCESS

```
# discard the temporary ~/.ssh and restore the original from the backup
$ rm -rf ~/.ssh
$ mv ~/.ssh.bak ~/.ssh
$ echo -e 'Host 192.168.1.171\n\tIdentitiesOnly yes' >> ~/.ssh/config
$ sftp -v -v -P 1739 -o UserKnownHostsFile=/dev/null -o
IdentityFile=~/.config/kdeconnect/privateKey.pem
[email protected]:/storage/emulated/0/
```

=> SUCCESS


Trying the Plasma app => FAILURE



$ while true; do ps aux | grep 'kdeconnect/privateKey.pem'; done

=>

```
ssh -x -a -oClearAllForwardings=yes -oPort=1739 -F/dev/null
-oIdentityFile=/home/<CENSORED>/.config/kdeconnect/privateKey.pem
-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null
-oServerAliveInterval=30 -oNumberOfPasswordPrompts=1 -2
[email protected] -s sftp
```


CONCLUSION

The `IdentitiesOnly=yes` SSH option is ESSENTIAL for this plugin to be usable.

Since you are doing `-F/dev/null` however, THERE IS NO EVIDENT WAY for a user
to control the SSH options you are passing. Not that it would be sustainable
anyway, as you are connecting via IP address, which is likely to change often
and randomly.

PROPOSALS

1. Use IdentitiesOnly=yes
2. Add plugin configuration section for other SSH options to future-proof the
plugin.

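Added example, not part of the original report and not KDE Connect code: a small POSIX shell check that reads `ssh -v` output in the format quoted under DEBUGGING and tells whether the explicit IdentityFile is reached before the server stops accepting attempts. The function names and the sample log lines are constructed here; the allowance of 19 preceding keys is taken from the report's summary and is an assumption for any other server.

```shell
#!/bin/sh
# Constructed sample in the format of the debug output in the report:
# 24 agent keys listed ahead of the one explicit key.
sample_log() {
    i=1
    while [ "$i" -le 24 ]; do
        echo "debug1: Will attempt key: key$i ED25519 SHA256:constructed$i agent"
        i=$((i + 1))
    done
    echo "debug1: Will attempt key: /home/user/.config/kdeconnect/privateKey.pem  explicit"
    echo "debug2: pubkey_prepare: done"
}

# Read ssh -v output on stdin; print the 1-based position of the first
# key marked "explicit" in the attempt list, or 0 if there is none.
explicit_key_position() {
    awk '/Will attempt key:/ { n++; if ($NF == "explicit" && !pos) pos = n }
         END { print pos + 0 }'
}

# verdict MAX_BEFORE: MAX_BEFORE is how many other keys may be offered ahead
# of the explicit one before the server disconnects (19 per the report).
verdict() {
    max_before=$1
    pos=$(explicit_key_position)
    if [ "$pos" -eq 0 ]; then
        echo "no-explicit-key"
    elif [ "$((pos - 1))" -gt "$max_before" ]; then
        echo "unreachable: $((pos - 1)) keys offered first, allowed $max_before"
    else
        echo "reachable: position $pos"
    fi
}

# Demo on the constructed sample (the failing case from the report).
sample_log | verdict 19
```

With `IdentitiesOnly=yes` the attempt list contains only the explicit key, so the same check reports position 1.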