
Re^3: Preferred authentication in Net::SFTP::Foreign

by salva (Canon)
on Feb 10, 2016 at 09:00 UTC


in reply to Re^2: Preferred authentication in Net::SFTP::Foreign
in thread Preferred authentication in Net::SFTP::Foreign

This is handled correctly by SFTP without any special commands or configuration.
Yes, except for the case where you want the password passed automatically, right?
Could you please share what exactly was being addressed by the override

As I told you in my previous post, PreferredAuthentications is overridden in order to have a more controlled authentication process. Once ssh is launched there is no generic, reliable way to detect that authentication has succeeded and that the SFTP protocol can go on.

For instance, one case that we have to handle is when the user wants to perform password authentication but for some reason also has a proper authorized key. With the default PreferredAuthentication, ssh authenticates using the key and never goes to request the password, while Net::SFTP::Foreign hangs there waiting for the password prompt to appear.

For your particular case, if you just use a convenient value for PreferredAuthentication, doesn't it work? For instance:

my $sftp = Net::SFTP::Foreign->new($host, user => $user, password => $password,
                                   # the ssh option name is plural: PreferredAuthentications
                                   more => [-o => 'PreferredAuthentications=publickey,password']);

In any case, note that if you pass a password to the constructor it will wait for the password prompt to appear, and if it authenticates by another method it will hang there until the timeout expires and then it will close the connection and return an error.

If what you need is optional password authentication, it is better to go looking into my other module Net::OpenSSH (which can be used with Net::SFTP::Foreign). It doesn't support that feature yet, but it could be done reliably there.

Re^4: Preferred authentication in Net::SFTP::Foreign
by mithunbh (Novice) on Feb 11, 2016 at 00:03 UTC
    I probably don't understand the nuances of ssh with sftp subsystem vs the sftp command but it seems to me that the sftp command somehow knows what needs to happen irrespective of us passing the password automatically or not. It knows when Authentication is complete and when it isn't since it knows when to wait and when to provide a working prompt to the user.

    I can't hardcode the PreferredAuthentication since it is host specific and we do have a properly configured .ssh/config file with the appropriate Host specific overrides. It seems to me to get my setup working I will have to read the config file and figure out what the PreferredAuthentication is supposed to be for each Host which somehow feels like a wrong thing to do.

    At this point I have no intention of using the password option since keyboard-interactive + publickey seems to cover every scenario that I am encountering - I will see how it goes by using a Unix.pm without the PreferredAuthentication override.
      I can't hardcode the PreferredAuthentication since it is host specific and we do have a properly configured .ssh/config file with the appropriate Host specific overrides.

      PreferredAuthentication is usually quite unimportant, as long as you include all the authentication schemes that could be required by the server it should work. There is no need to match exactly the server configuration there.

      What do you get from the following command?

      grep -i preferredauthentications ~/.ssh/config | sort -u

      For Net::SFTP::Foreign, the important thing is knowing which servers require password authentication and which ones don't.

        $ grep -i preferredauthentications ~/.ssh/config | sort -u
        PreferredAuthentications password
        PreferredAuthentications publickey,keyboard-interactive,password

        More importantly this is the current distribution with a global setting and multiple Host entries with overrides:

        $ grep PreferredAuthentications ~/.ssh/config
        PreferredAuthentications publickey,keyboard-interactive,password
        PreferredAuthentications password
        PreferredAuthentications password

        Agreed it is important to know who needs password and who doesn't and for a really short test period it doesn't seem to have impacted us by removing the PreferredAuthentications override - ssh does seem to honor what is in the config file. Maybe something has changed over time and this functionality might have become redundant - is this something which can be retested?
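
An added example, not code from any participant in this thread or from the Net::SFTP::Foreign distribution: rather than parsing ~/.ssh/config by hand, it asks ssh for the effective per-host settings with `ssh -G` and passes a password to the constructor only when no prompt-less method would be tried first, which avoids the hang described above. The host names, the user `batch`, the placeholder password and the rule in `wants_password` are assumptions made for this example.

```perl
use strict;
use warnings;

# Methods that can succeed without any prompt appearing on the terminal.
my %SILENT = map { $_ => 1 } qw(publickey hostbased gssapi-with-mic);

# Effective client configuration for one host, as printed by `ssh -G`
# (OpenSSH 6.8 or later). List-form open keeps the host name away from a shell.
sub effective_config {
    my ($host) = @_;
    open my $fh, '-|', 'ssh', '-G', '--', $host or die "cannot run ssh -G: $!";
    local $/;
    return scalar <$fh>;
}

# Ordered PreferredAuthentications list from `ssh -G` text; empty if unset.
sub preferred_auth {
    my ($text) = @_;
    return map { lc $_ } split /,/, $1
        if $text =~ /^preferredauthentications[ \t]+(\S+)/mi;
    return;
}

# True only when "password" is listed and no silent method is tried before it,
# so a password prompt is what ssh produces first (rule assumed for this example).
sub wants_password {
    for my $method (@_) {
        return 1 if $method eq 'password';
        return 0 if $SILENT{$method};
    }
    return 0;
}

# Constructed `ssh -G` output for two hypothetical hosts, using the two
# values from the grep output in the thread.
my %sample = (
    'legacy.example.com' => "user batch\npreferredauthentications password\n",
    'modern.example.com' => "user batch\npreferredauthentications publickey,keyboard-interactive,password\n",
);

for my $host (sort keys %sample) {
    my @methods = preferred_auth($sample{$host});   # live: effective_config($host)
    my @args    = ($host, user => 'batch');
    push @args, more => ['-o', 'PreferredAuthentications=' . join(',', @methods)]
        if @methods;
    push @args, password => 'PLACEHOLDER' if wants_password(@methods);
    print 'new(', join(', ', map { ref $_ ? "[@$_]" : $_ } @args), ")\n";
    # my $sftp = Net::SFTP::Foreign->new(@args);   # requires the module and a live host
}
```

With the constructed samples, only `legacy.example.com` gets a `password` argument; `modern.example.com` keeps its configured method list and is left to key or interactive authentication.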
