FlashFXP Bug Reports - Keyboard-interactive override

uriah · 06-10-2013, 07:41 PM

Some servers use the auth type "Keyboard-interactive" when they're only prompting for the password.

Can you please setup a "Keyboard-interactive" override or another authentication method, which automatically returns the password for keyboard-interactive, instead of prompting.

I have noticed this option becoming more and more prominent on the servers I use and it's extremely annoying having to manually find the password and re-enter it.

*bigstar* · 06-11-2013, 06:39 AM

Hello,

What version/build of FlashFXP are you using?

What is the exact text on the keyboard-interactive prompt?

This text comes from the server and if it matches "password:" then the password is automatically sent without prompting, since you're being prompted then I would suspect that the prompt is something other than "password:"

uriah · 06-11-2013, 06:45 AM

The message was like "<username> password:"

This is for Cleo SFTP or similar, which is used by a giant company.

I am using the latest build as I updated todat (4.3.1 build 1983 - Stable Release).

*bigstar* · 06-11-2013, 07:03 AM

Can you please try this development build and see if it is able to automatically return the password for you

https://oss.azurewebsites.net/testr/dev-bu...4.3.1.1984.zip

Unzip the flashfxp.exe into your FlashFXP program folder.

The original evaluation code looks for the exact prompt of "password:", I've added a second condition to look for "<username>" and "password:" within the prompt, we need to be as specific as possible to handle cases where the prompt is asking for something other than the typical password.

Please let me know if this resolves the problem.

uriah · 06-11-2013, 07:07 AM

I am seriously impressed with the turn around on this problem, and I'll have to get back to you tomorrow when I am back in front of that machine.

Thanks!

Uriah

uriah · 06-11-2013, 06:57 PM

Unfortunately it seems I got that string wrong last night.

Here's the complete text from the transfer window:

Quote:

[09:22:39] [L] Key exchange: diffie-hellman-group1-sha1. Session encryption: aes256-cbc, MAC: hmac-sha1, compression: none.
[09:22:41] [L] Auth Type: Keyboard-interactive
[09:22:41] [L] Keyboard Authentication Requested. Prompt (1) "<username>'s password"
[09:22:47] [L] Authentication failed [Keyboard-interactive]

So the whole string is "<username>'s password". Since that doesn't seem to be a standard response, and the usual password response is:

Quote:

[09:22:39] [L] Key exchange: diffie-hellman-group1-sha1. Session encryption: aes256-cbc, MAC: hmac-sha1, compression: none.
[09:22:47] [L] Auth Type: Password
[09:22:47] [L] Authentication succeeded
[09:22:47] [L] SSH Connection open

Perhaps it would be better to have an option somewhere to override this type of connection?

Thanks.

X3 · 06-12-2013, 05:44 AM

Keyboard interactive login is more than just adding a simple option for this it can support amongst other, the password you speak of.

see http://www.ssh.com/manuals/server-ad...rauth-kbi.html
and https://www.eldos.com/forum/read.php?FID=7&TID=1742 or https://www.eldos.com/documentation/..._authprop.html

So to properly support keyboard-interactive methods it will take a bit more then suggested.

*bigstar* · 06-12-2013, 06:52 AM

Quote:

Originally Posted by uriah

Unfortunately it seems I got that string wrong last night.

Perhaps it would be better to have an option somewhere to override this type of connection?

Please try this
https://oss.azurewebsites.net/testr/dev-bu...4.3.1.1985.zip

As for adding support for custom prompts this could be done although the whole point of keyboard-interactive password prompts is to require the user to manually enter the information, however 90% of the time the keyboard-interactive prompt appears because the ssh server isn't configured correctly, an oversight by the person who set it up.

Most ssh servers allow you to edit the configuration and define the authentication methods (i.e. password, keyboard-interactive, key pair, etc) now they also allow you to set the order in which each authentication method is used, typically the order is based on how secure each method is, so maybe the order is key pair, keyboard-interactive, password. simply changing the order to request the password before keyboard-interactive will bypass the prompts.. there is of course the rare cases where management thinks prompting for the password is more secure, of course in these situations the password is also changing daily and never stored on the client computer.

uriah · 06-12-2013, 07:07 AM

I'll try that tomorrow. It's very annoying to have them force keyboard-interactive, when there's really no need for it.

It's definitely a misconfigured server, we've been having hell trying to get their side to reconfigure it. I'll bring this up with them also.