Opened 11 years ago

Last modified 6 months ago

#3409 closed Bug report

Problem with SFTP PASSWD_CHANGEREQ

Reported by: lessig_fma
Owned by:
Priority: normal
Component: Other
Keywords:
Cc: lessig_fma, Tim Kosse
Component version:
Operating system type:
Operating system version:

Description

We have an SSH 2 server which is configured to use expiring passwords.

After a password has expired, logon attempts will be answered with a PASSWD_CHANGEREQ. Upon receiving this, the client is supposed to prompt the user for a new password.

In the case of FileZilla 3.0.7 (and 3.0.6), only an "Authentication failed" error is shown.

This is a problem as it neither helps the user to get to his files nor provides him with a reason why this is the case.

He has no way of knowing whether he entered an incorrect password or whether the password was correct but expired.

PuTTY, which your SSH code is based on, has already addressed this and has supported PASSWD_CHANGEREQ since 0.59 (Jan 2007).

Attachments (1)

interactive.JPG (13.0 KB) - added by lessig_fma 11 years ago.
Password dialog upon change request


Change History (12)

comment:1 Changed 11 years ago by Tim Kosse

Please try the interactive logon type in the site manager. Do password change prompts appear using that logon type?

Changed 11 years ago by lessig_fma

Attachment: interactive.JPG added

Password dialog upon change request

comment:2 Changed 11 years ago by lessig_fma

No, in the log window there is the message "Access denied". A new password prompt opens but there is no indication of a password change. It only asks me to enter the password for the server.

I attached a screenshot of the dialog box.
File Added: interactive.JPG

comment:3 Changed 11 years ago by Tim Kosse

Please attach a complete log with debug level 3.

comment:4 Changed 11 years ago by lessig_fma

Status: Connecting to 10.190.144.85:2222...
Trace: Going to execute "C:\Program Files\FileZilla FTP Client\fzsftp.exe"
Response: fzSftp started
Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started)
Command: open "IMLES@customer01@10.190.144.85" 2222
Trace: Looking up host "10.190.144.85"
Trace: Connecting to 10.190.144.85 port 2222
Trace: Server version: SSH-2.0-WS_FTP-SSH_1.0
Trace: Using SSH protocol version 2
Trace: We claim version: SSH-2.0-PuTTY_Local:_Feb_14_2008_00:09:00
Trace: Using Diffie-Hellman with standard group "group14"
Trace: Doing Diffie-Hellman key exchange with hash SHA-1
Trace: Host key fingerprint is:
Trace: ssh-rsa 1024 00:ba:fd:30:61:a6:8f:66:2d:23:d0:3e:92:91:e3:64
Trace: Initialised AES-256 CBC client->server encryption
Trace: Initialised HMAC-SHA1 client->server MAC algorithm
Trace: Initialised AES-256 CBC server->client encryption
Trace: Initialised HMAC-SHA1 server->client MAC algorithm
Command: Pass:
Trace: Sent password
Trace: Access denied
Command: Pass:
Trace: Sent password
Trace: Access denied
Trace: CSftpControlSocket::ResetOperation(74)
Trace: CControlSocket::ResetOperation(74)
Error: Connection attempt interrupted by user

comment:5 Changed 11 years ago by Tim Kosse

Strange.

Try this please:
Execute "fzsftp -v" and enter the following three commands:
open "IMLES@customer01@10.190.144.85" 2222
-0-
-1-

Next it should ask you for your password. If everything goes well, the password expired prompts should come next.

comment:6 Changed 11 years ago by lessig_fma

I was just contacted by our server admin. He says it might not be possible at all to log on with FileZilla using passwords that contain certain characters. One of them is "§", which was contained in the password I was using.

I did not notice that this was an issue as these characters have not been a problem with other clients.

Therefore we changed the password, but I will have to wait till tomorrow for the password to expire.

I will test again tomorrow to see whether the problem stems from the special characters or from password expiry. I will keep you posted on the results.

Please excuse the confusion.

comment:7 Changed 11 years ago by Tim Kosse

§ is not part of the ASCII character set. As character encoding, FileZilla uses UTF-8, as required by the SSH specifications.

comment:8 Changed 11 years ago by lessig_fma

I noticed it is not an ASCII character. I am not saying I am sure that this is FileZilla's fault.

As I see it there are two issues:

1) Password expiry did not seem to work.
2) There are characters in passwords that do not work.

Issue 1) may be a non-issue, as I drew wrong conclusions from issue 2). I will see tomorrow if this was the case. You will be promptly notified when I have an answer to that.

Issue 2) is a problem which may or may not be a FileZilla issue. Either FileZilla does not handle certain characters correctly, or WsFTPd has an issue, or both are correct but chose to interpret a standard differently. I cannot possibly judge that at this point in time.

For all that I know FileZilla may be fine and WsFTPd may be buggy. I cannot tell right now.

comment:9 Changed 11 years ago by lessig_fma

As promised, I did another test. It seems that the problem does not so much lie with FileZilla but to a greater extent with WsFTPd.

I found out the following things (more details below):

1) FileZilla does have an issue in "ask for password" mode
2) It can be used in interactive mode
3) You can use "§" in passwords if you use only FileZilla

In a nutshell, I do think you should polish your "ask for password" mode. But FileZilla does support change password requests, albeit only in interactive mode.

Details

I repeated my tests using an expired account. Yesterday I verified that it could in fact log on.

First I set FileZilla to ask for a password. That led to the following trace:

Command: Pass:
Trace: Sent password
Trace: Server requested password change
Command: Pass:
Error: Authentication failed.
Trace: CSftpControlSocket::ResetOperation(1094)
Trace: CControlSocket::ResetOperation(1094)
Error: Critical error
Error: Could not connect to server

It seems that FileZilla recognizes a password change request (big difference!), but it answers by resending the password, which is not an appropriate handling of the situation. The authentication failed.

Then I set the client to use interactive mode as you suggested earlier.

Now I got prompted for a password change. I found the dialog boxes a little small and confusing, but as I understand it you use generic boxes displaying strings from the server, so this may be inevitable.

Anyway there was no real problem in setting a new password:

Command: Pass:
Trace: Sent password
Trace: Server requested password change
Command: Pass:
Command: Pass:
Command: Pass:
Trace: Sent new password
Trace: Access granted

To test my theories I had chosen a new password containing a "§" sign. After disconnecting and connecting again, this password allowed me access to the server.

So my current suspicion is that the web interface used to set passwords for the users has an issue with non-ASCII characters. My experiments currently do not support the thesis that FileZilla is to blame.

Let me sum this up with the suggestion to support password changes in "ask for password" mode and perhaps in "normal" mode, too.

My initial thesis that you do not support password expiry at all has been proven wrong, however. Please excuse the mistake.

Thank you for spending your time helping me clear things up.
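
Added example, not part of the ticket and not FileZilla, fzsftp or PuTTY code: a Python model of the RFC 4252 "password" userauth exchange that comment 7 (passwords travel as UTF-8) and comment 9 (the two client behaviours on a PASSWD_CHANGEREQ) describe. The message numbers and field layouts are those of RFC 4252 section 8; the in-process server, its prompt text and the account data are constructed for the example, and the two client strategies are labelled after the two FileZilla logon types in the trace above.

```python
"""Model of the SSH 'password' authentication exchange (RFC 4252, section 8)
including SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.  Both sides run in-process."""
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60
_STATUS = {SSH_MSG_USERAUTH_SUCCESS: "granted", SSH_MSG_USERAUTH_FAILURE: "denied",
           SSH_MSG_USERAUTH_PASSWD_CHANGEREQ: "change-required"}


def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; returns (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_password_request(user, service, password, new_password=None):
    """SSH_MSG_USERAUTH_REQUEST with method 'password'.  The RFC requires the
    password in UTF-8, so '§' is sent as the two bytes C2 A7.  With
    new_password set, the change-password form (flag TRUE, old, new) is built."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST])
    msg += ssh_string(user.encode("utf-8")) + ssh_string(service.encode("utf-8"))
    msg += ssh_string(b"password")
    if new_password is None:
        return msg + b"\x00" + ssh_string(password.encode("utf-8"))
    return (msg + b"\x01" + ssh_string(password.encode("utf-8"))
            + ssh_string(new_password.encode("utf-8")))


def parse_password_request(msg):
    """Parse a 'password' USERAUTH_REQUEST into a dict; ValueError if malformed."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(msg, 1)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"password":
        raise ValueError("unsupported method %r" % method)
    if off >= len(msg):
        raise ValueError("missing change flag")
    change, off = msg[off] == 1, off + 1
    password, off = read_string(msg, off)
    new_password = None
    if change:
        new_password, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes")
    return {"user": user.decode("utf-8"), "service": service.decode("utf-8"),
            "password": password.decode("utf-8"),
            "new_password": None if new_password is None else new_password.decode("utf-8")}


def build_passwd_changereq(prompt, lang=""):
    """SSH_MSG_USERAUTH_PASSWD_CHANGEREQ: string prompt (UTF-8), string language tag."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8")) + ssh_string(lang.encode("utf-8")))


class ExpiringPasswordServer:
    """Constructed toy server: a single account whose password may be expired."""
    def __init__(self, user, password, expired=True):
        self.user, self.password, self.expired = user, password, expired

    def handle(self, msg):
        req = parse_password_request(msg)
        if req["user"] != self.user or req["password"] != self.password:
            return bytes([SSH_MSG_USERAUTH_FAILURE])
        if self.expired and req["new_password"] is None:
            return build_passwd_changereq("Your password has expired. Enter a new password:")
        if req["new_password"] is not None:
            self.password, self.expired = req["new_password"], False
        return bytes([SSH_MSG_USERAUTH_SUCCESS])


def login(server, user, password, on_change_request):
    """Client side.  on_change_request(prompt) is called when the server answers
    with PASSWD_CHANGEREQ; it returns a new password (the interactive-mode
    behaviour) or None to just resend the old password (the 'ask for password'
    behaviour, which cannot get past the change request)."""
    reply = server.handle(build_password_request(user, "ssh-connection", password))
    if reply[0] == SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        prompt, _ = read_string(reply, 1)
        new_pw = on_change_request(prompt.decode("utf-8"))
        reply = server.handle(build_password_request(user, "ssh-connection", password, new_pw))
    return _STATUS[reply[0]]
```

The last assertion in the test below is the one relevant to comment 8: on the wire the password "§" is a two-byte string, so a server (or the web interface that stores the password) decoding that field as a single-byte encoding compares a different value than one decoding UTF-8; which side does that here is something the ticket does not establish.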

comment:10 Changed 11 years ago by Tim Kosse

Thanks for reporting. This issue has been fixed in the SVN repository and will be available with the next version.

comment:11 Changed 11 years ago by Tim Kosse

Future versions will tell the user to use interactive login if the server presents multiple prompts.
