Authentication issues

#16936
Posted: 07/04/2011 03:43:47
by Ahmed Ilyas (Basic support level)
Joined: 06/21/2011
Posts: 3

Hi.
I am using the Eldos component for SFTP. And developing in .NET

I see that the example provided is all async based.
I also understand there are Sync methods; however, the behavior is kind of unpredictable and to me does not seem to be "true" synchronous.

So what I have done is use the async methods, subscribe to event handlers etc., and use ManualResetEvents for thread signalling.

Whilst I can connect, authenticate, execute commands etc... there seems to be a problem during authentication.


We are using a public/private key authentication along with username and pass. We are hoping the server we are connecting to (not ours) uses the same auth methods but for sure, we have a username, pass and key which were supplied to us.

Now, from what I understand, the SFTPClient.OnOpenConnection happens when all authentication negotiation has been completed. Is this correct? Does this include failure of authentication or just success?

Now in here, I have placed a Set() for a ResetEvent to indicate authentication has succeeded. This works of course. But I do see that the first time it tries to negotiate, it fails authentication but then goes on to succeed. I see this from subscribing to the event handlers for SSHClient_OnAuthenticationSuccess and SSHClient_OnAuthenticationFailure.


Here is my code for authentication/connecting. It seems to work, but at times, during an automated system of connecting, authenticating and downloading files, it seems to fail around the 2/3rd time the job runs and tries to connect.

Code
Dim eldosConnectedResult As Boolean = Me.m_EldosFTPClient.Connect(toHost, port)

If eldosConnectedResult Then
    Dim authenticated As Boolean = Me.m_EldosFTPClient.DoAuthenticate()
End If


Simple. The username/pass/key are read from a config file and passed into my EldosFTPClient class when constructing.

Here is the DoAuthenticate method:

Code
Me.mSSHClient = New TElSSHClient()
'Me.DoSetupSFTPClient()
Me.mSSHTunnelList = New TElSSHTunnelList()
Me.mSFTPTunnel = New TElSubsystemSSHTunnel()
Me.mSFTPTunnel.TunnelList = Me.mSSHTunnelList
Me.mSSHClient.TunnelList = Me.mSSHTunnelList
Me.mSFTPClient.Tunnel = Me.mSFTPTunnel
'Me.mSFTPClient.Tunnel = New TElSubsystemSSHTunnel()
'Me.mSSHClient.TunnelList = New TElSSHTunnelList()
Me.mSSHClient.AuthAttempts = 2
' Bit mask of permitted authentication types; the public-key bit is set or cleared below
Me.mSSHClient.AuthenticationTypes = 22
Me.mSSHClient.Versions = SBSSHCommon.Unit.sbSSH2
Me.mAuthenticateResetEvent = New ManualResetEventSlim(False)

Me.DoSubscribeSSHHandlers()

Dim key As New TElSSHKey()
Dim privateKeyAdded As Boolean

If Not String.IsNullOrWhiteSpace(Me.mPrivateKeyFile) Then
    Logger.LogMessage("Private key found")
    Me.DoEnableEldos()
    Logger.LogMessage("Loading Private Key")
    Dim err As Integer = key.LoadPrivateKey(Me.mPrivateKeyFile, Me.mPrivateKeyFilePassword) ' Me.mPass)
    Me.mErrorState = Me.GetErrorState(err)
    If err = 0 Then
        Logger.LogMessage("Clearing key items")
        Me.mKeyStorage.Clear()
        Logger.LogMessage("Adding key into keystorage")
        Me.mKeyStorage.Add(key)
        Me.mSSHClient.AuthenticationTypes = Me.mSSHClient.AuthenticationTypes Or SBSSHConstants.Unit.SSH_AUTH_TYPE_PUBLICKEY
        privateKeyAdded = True
    End If
End If

If Not privateKeyAdded Then
    Me.mSSHClient.AuthenticationTypes = Me.mSSHClient.AuthenticationTypes And Not (SBSSHConstants.Unit.SSH_AUTH_TYPE_PUBLICKEY)
End If

Logger.LogMessage("Beginning to authenticate...")
Me.mSSHClient.KeyStorage = Me.mKeyStorage
Me.mSSHClient.UserName = Me.mUsername
Logger.LogMessage(String.Format("Username: {0}", New Object() {Me.mSSHClient.UserName}))
Me.mSSHClient.Password = Me.mPass
' Writes the password to the log in clear text
Logger.LogMessage(String.Format("pass: {0}", New Object() {Me.mSSHClient.Password}))
Logger.LogMessage("Opening SSHClient...")
Me.mSSHClient.Open()
Logger.LogMessage("Setting up socket for BeginReceive...")
Me.ClientSocket.BeginReceive(Me.mReceiveBuff, 0, Me.mReceiveBuff.Length, 0, New AsyncCallback(AddressOf Me.OnSocketReceiveCallback), Me.ClientSocket)

Logger.LogMessage("Waiting for authentication process to complete...")
' Blocks until an event handler calls Set() on the reset event, or 10 seconds pass
Dim result As Boolean = Me.mAuthenticateResetEvent.Wait(New TimeSpan(0, 0, 10))

If Not result Then
    Me.LastErrorState = ErrorState.Timeout '.AuthenticationFailed
    Logger.LogMessage("Authentication Timeout")
    Me.mIsConnected = False
    RaiseEvent OnEventEldosAuthenticationError("Authentication Timeout")
Else
    result = Me.mIsAuthenticated
    ' Logged unconditionally, before the flag is checked, so it appears on success too
    Logger.LogMessage("Sorry.... not authenticated? Throwing exception....")
    If Not Me.mIsAuthenticated Then
        Me.mIsConnected = False
        Throw New AuthenticationException("Authentication Failed. Check creds please")
    End If
End If

Return result


Now, I do get the "Sorry.... not authenticated?" message, but then I see on the next line that it succeeds, even though Me.mIsAuthenticated is false on the previous line. Seems like a timing issue somewhere.

Any ideas?

Here is a log of what's happening:

Quote
04/07/2011 09:28:00 - Connecting...
04/07/2011 09:28:00 - Closing Connection as connection is opened
04/07/2011 09:28:00 - Private key specified in client configuration...
04/07/2011 09:28:00 - Connecting...
04/07/2011 09:28:00 - Waiting to connect...
04/07/2011 09:28:00 - Connected. Now Calling DoAuthenticate()....
04/07/2011 09:28:00 - Private key found
04/07/2011 09:28:00 - Loading Private Key
04/07/2011 09:28:00 - Clearing key items
04/07/2011 09:28:00 - Adding key into keystorage
04/07/2011 09:28:00 - Beginning to authenticate...
04/07/2011 09:28:00 - Username: ****
04/07/2011 09:28:00 - pass: ****
04/07/2011 09:28:00 - Opening SSHClient...
04/07/2011 09:28:00 - Setting up socket for BeginReceive...
04/07/2011 09:28:00 - Waiting for authentication process to complete...
04/07/2011 09:28:00 - Server key received
04/07/2011 09:28:00 - SSH Authentication Failed: 2
04/07/2011 09:28:00 - SSHClient - Authentication Success
04/07/2011 09:28:01 - SSHClient OpenConnection
04/07/2011 09:28:01 - SFTPClient_OnOpenConnection fired
04/07/2011 09:28:01 - Sorry.... not authenticated? Throwing exception....
04/07/2011 09:28:01 - Connected? True. Authenticated? True
04/07/2011 09:28:01 - Connected result: True. FTPClient.ConnState: Connected
04/07/2011 09:28:01 - Obtaining list of files from 'xxxx'

I just don't understand:

1) Why does it fail authentication the first time round but then succeed by itself?
2) Why does it say that it's about to throw the exception... when it succeeds from the second check?

Some events:

Code
Private Sub SftpClient_OnOpenConnection(ByVal sender As Object)
    Me.mIsConnected = True
    Logger.LogMessage("SFTPClient_OnOpenConnection fired")
    Me.mAuthenticateResetEvent.Set()
End Sub

Public Sub SSHClient_OnOpenConnection(ByVal sender As Object)
    Me.IsConnected = True
    Logger.LogMessage("SSHClient OpenConnection")
End Sub

Public Sub SSHClient_AuthenticationFailed(ByVal sender As Object, ByVal authenticationType As Integer)
    Logger.LogMessage(String.Format("SSH Authentication Failed: {0}", authenticationType))
    Me.IsAuthenticated = False
    Me.LastErrorState = ErrorState.AuthenticationFailed
End Sub

Public Sub SSHClient_OnAuthenticationSuccess(ByVal sender As Object)
    Me.IsAuthenticated = True
    Me.IsConnected = True
    Me.LastErrorState = ErrorState.Success
    Logger.LogMessage("SSHClient - Authentication Success")
    Me.mSSHClient.TunnelList = Me.mSSHTunnelList
End Sub


I know, not the best code, but I am trying to make it sync rather than async, and this should be as close to making it sync as possible.

It is being put into an automated Windows Service, so really, a guarantee is essential. Like I said, when it runs it's great, but then after the 2/3rd run it seems to fail at authenticating for some reason.
#16937
Posted: 07/04/2011 04:07:06
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Quote
Now, from what I understand, the SFTPClient.OnOpenConnection happens when all authentication negotiation has been completed. Is this correct? Does this include failure of authentication or just success?

This event is fired by TElSftpClient when the negotiation is successfully completed. After this event is fired the file operations may be performed. It is not fired if authentication failed.

Quote
Now in here, I have placed a Set() for a ResetEvent to indicate authentication has succeeded. This works of course. But I do see that the first time it tries to negotiate, it fails authentication but then goes on to succeed. I see this from subscribing to the event handlers for SSHClient_OnAuthenticationSuccess and SSHClient_OnAuthenticationFailure.

Quote
Why does it fail authentication the first time round but then succeed by itself?

The OnAuthenticationFailure event is fired when a single authentication attempt fails. As SSH may try a number of authentication attempts of different types or with different parameters (such as public keys) during one session, this event may not be critical and may not lead to the closing of the connection.

ElSSHClient fires OnAuthenticationSuccess when the authentication process is completed successfully. This event might be preceded by a couple of OnAuthenticationFailed events.

JFYI: we have a synchronous implementation of SFTP client: TElSimpleSftpClient.
#16938
Posted: 07/04/2011 04:23:39
by Ahmed Ilyas (Basic support level)
Joined: 06/21/2011
Posts: 3

Many thanks for the speedy response.

The reason I did not use the Sync version of your component is because there didn't seem to be an example of using it, and just by going through the methods, I cannot see anything where I can get a directory listing or download a file. It could just be the naming convention, I'm not sure. Even if I were to use the sync methods you supply, I cannot seem to find a way to authenticate? It is presently a little too late down the line for me to change the methods :-)

Hmm. It's a little unfortunate about the way the events happen. I mean, for example, how do you determine if it is an utter failure in authentication? (username/pass/key was completely invalid)

I guess from what you said that in the OnOpenConnection event, I would need to set both my Authenticated and Connected flags to true rather than just the Connected flag. Correct?
#16939
Posted: 07/04/2011 04:37:44
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
The reason I did not use the Sync version of your component is because there didn't seem to be an example of using it, and just by going through the methods...

The sample is located in \EldoS\SecureBlackbox.NET\Samples\C#\SFTPBlackbox\Client\SimpleSFTPClient folder.

Quote
Hmm. It's a little unfortunate about the way the events happen. I mean, for example, how do you determine if it is an utter failure in authentication? (username/pass/key was completely invalid)

You can determine it using ElSSHClient.OnError event. It will be fired with ErrorCode = SBSSHConstants.Unit.ERROR_SSH_NO_MORE_AUTH_METHODS_AVAILABLE.

Quote
I guess from what you said that in the OnOpenConnection event, I would need to set both my Authenticated and Connected flags to true rather than just the Connected flag. Correct?

Yes.
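A handler layout that follows the two replies above (a per-attempt OnAuthenticationFailed is not terminal; OnError with ERROR_SSH_NO_MORE_AUTH_METHODS_AVAILABLE is the terminal failure; OnOpenConnection is the terminal success), written as an added example rather than code from the thread or from EldoS. It assumes the SecureBlackbox member names shown on this page, that OnError delivers (sender, errorCode As Integer), and a hypothetical Logger helper like the poster's.

```vbnet
Imports System
Imports System.Threading
' Added example, not code from the thread or from EldoS. Assumptions: SecureBlackbox member
' names as used on this page; OnError delivers (sender, errorCode As Integer); Logger is the
' poster's hypothetical logging helper. Set()/Wait() on the event act as the memory barrier.
Public Class SyncAuthWaiter
    Private ReadOnly mDone As New ManualResetEventSlim(False)
    Private mAuthenticated As Boolean = False
    Private mFatalError As Integer = 0
    ' Subscribe before calling TElSSHClient.Open() so no event is missed.
    Public Sub Attach(ByVal ssh As TElSSHClient, ByVal sftp As TElSftpClient)
        AddHandler ssh.OnAuthenticationFailed, AddressOf OnAuthFailed
        AddHandler ssh.OnAuthenticationSuccess, AddressOf OnAuthSuccess
        AddHandler ssh.OnError, AddressOf OnSshError
        AddHandler sftp.OnOpenConnection, AddressOf OnSftpOpen
    End Sub

    ' One method was rejected (type 2 in the log above); the client now tries the next one.
    ' Not terminal: do not clear any flag and do not signal the waiter here.
    Private Sub OnAuthFailed(ByVal sender As Object, ByVal authenticationType As Integer)
        Logger.LogMessage(String.Format("Auth type {0} rejected, trying next", authenticationType))
    End Sub
    Private Sub OnAuthSuccess(ByVal sender As Object)
        mAuthenticated = True
    End Sub
    ' Terminal failure: every enabled method was tried and rejected.
    Private Sub OnSshError(ByVal sender As Object, ByVal errorCode As Integer)
        If errorCode = SBSSHConstants.Unit.ERROR_SSH_NO_MORE_AUTH_METHODS_AVAILABLE Then
            mFatalError = errorCode
            mDone.Set()
        End If
    End Sub

    ' Terminal success: the SFTP subsystem is open and file operations may begin.
    Private Sub OnSftpOpen(ByVal sender As Object)
        mAuthenticated = True
        mDone.Set()
    End Sub

    ' True only when the SFTP session opened; False on final auth failure or timeout.
    Public Function WaitForAuthentication(ByVal timeout As TimeSpan) As Boolean
        If Not mDone.Wait(timeout) Then
            Logger.LogMessage("Authentication Timeout")
            Return False
        End If
        If mFatalError <> 0 Then Logger.LogMessage("Authentication Failed: no more auth methods")
        Return mFatalError = 0 AndAlso mAuthenticated
    End Function
End Class
```

Call Attach before mSSHClient.Open(), then WaitForAuthentication(TimeSpan.FromSeconds(10)) in place of the direct wait on the reset event; a timeout and a "no more auth methods" error are then distinguishable without reading the flags mid-negotiation.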
#16940
Posted: 07/04/2011 04:44:09
by Ahmed Ilyas (Basic support level)
Joined: 06/21/2011
Posts: 3

Many thanks my friend!