
Commit archive over SFTP doesn't work with non-standard ports
Open, Requires assessment | Public | BUG

Description

You want VyOS to send a remote backup through SFTP after every commit, so you configure it with

set system config-management commit-archive location sftp://user:password@address:port/directory

The server is a vsftpd on CentOS.

When you do

commit

you get the following error:

curl: (51) SSL peer certificate or SSH remote key was not OK

However, if, on the same VyOS, you do

sudo sftp -P port user@address

and enter the password when prompted, then the SFTP session is established without a problem.

@Dmitry found where the problem is and described a workaround:

Edit /opt/vyatta/sbin/vyatta-commit-push.pl
and replace the following line

$cmd = "curl -g -s -S -T $tmp_push_file $uri/$save_file";

with this one

$cmd = "curl -k -g -s -S -T $tmp_push_file $uri/$save_file";

Adding option -k (insecure) allows the connection to be established even though certificates cannot be verified, as with self-signed certificates, so the remote backup can be done through the VyOS CLI without the mentioned error.

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.2.4
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

s.lorente updated the task description. Dec 10 2019, 10:54 AM
pasik added a subscriber: pasik. Dec 10 2019, 1:32 PM
cse342 added a subscriber: cse342. Apr 10 2020, 7:55 PM

I did dive a bit deeper into this issue and found another workaround.
It seems to only occur when an sftp or scp host is specified with a different port than the default port.
The command "ssh-keyscan" is provided with the host in the form "hostname:port", which it doesn't resolve to an ssh-rsa key.
ssh-keyscan apparently needs the option "-p PORT" in order to write the host key of the remote sftp/scp server to the known hosts file.
To add a host to the known hosts file, I ran the following command:

ssh-keyscan -t ssh-rsa -p SERVERPORT SERVERHOSTNAME > ~/.ssh/known_hosts

After that, the remote backups worked flawlessly without editing the system file.
I think that in order to fix this issue, the script would need to check whether the port is specified in the location string and then use a different syntax (like the one above) to write the key of the server to the known_hosts file.
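Added example, not VyOS's own code and not part of the Perl script discussed above: a hypothetical Python helper that parses a commit-archive location such as sftp://user:password@address:port/directory and builds the ssh-keyscan argv the way the comment above suggests, passing the port through -p rather than as host:port, and also reports the "[host]:port" name under which OpenSSH stores keys for non-default ports in known_hosts (which is why a "host:port" lookup never matches). The sample location is constructed.

```python
"""Build a correct ssh-keyscan invocation from a commit-archive location.

Hypothetical helper, not VyOS code. Credentials in the URI are never
placed into the command line; only the host (and port via -p) are used.
"""
import shlex
from typing import List
from urllib.parse import urlsplit

DEFAULT_SSH_PORT = 22


def keyscan_argv(location: str, key_type: str = "ssh-rsa") -> List[str]:
    """Return the ssh-keyscan argv for the host named in `location`.

    Raises ValueError for schemes that do not use SSH host keys.
    """
    parts = urlsplit(location)
    if parts.scheme not in ("sftp", "scp"):
        raise ValueError(f"not an SSH-based location: {parts.scheme!r}")
    host = parts.hostname  # user:password@ and [] around IPv6 already stripped
    if not host:
        raise ValueError("location has no host")
    argv = ["ssh-keyscan", "-t", key_type]
    # The bug on this page: handing ssh-keyscan a single "host:port" token
    # makes it look up a host literally named "host:port". The port must
    # be passed with -p instead.
    if parts.port is not None and parts.port != DEFAULT_SSH_PORT:
        argv += ["-p", str(parts.port)]
    argv.append(host)
    return argv


def known_hosts_name(location: str) -> str:
    """Name OpenSSH uses for this server in known_hosts.

    OpenSSH (and ssh-keyscan -p) write "[host]:port" for non-default
    ports and a plain "host" for port 22.
    """
    parts = urlsplit(location)
    if parts.port is not None and parts.port != DEFAULT_SSH_PORT:
        return f"[{parts.hostname}]:{parts.port}"
    return parts.hostname


if __name__ == "__main__":
    # Constructed sample location, not taken from the page.
    loc = "sftp://backup:s3cret@backup.example.net:2222/vyos"
    print(shlex.join(keyscan_argv(loc)))  # ssh-keyscan -t ssh-rsa -p 2222 backup.example.net
    print(known_hosts_name(loc))          # [backup.example.net]:2222
```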

dmbaturin renamed this task from "SSH remote key was not OK" to "Commit archive over SFTP doesn't work with non-standard ports". Thu, Jun 18, 10:06 PM