SFTP failing with "Unable to fulfill channel request" #1271
Comments
|
The server is openssh-7.4p1-16.el7.x86_64 on CentOS 7. The changelog items since the previous version (7.4p1-13) are: = Friday Nov 24 2017 Jakub Jelen jjelen@redhat.com - 7.4p1-16 + 0.10.3-2 =
= Mon Nov 06 2017 Jakub Jelen jjelen@redhat.com - 7.4p1-15 + 0.10.3-2 =
= Fri Nov 03 2017 Nikos Mavrogiannopoulos nmav@redhat.com - 7.4p1-14 + 0.10.3-2 =
|
|
Are you able to reliably reproduce this? This bit sticks out to me: In Net/SFTP.php there's this: https://github.com/phpseclib/phpseclib/blob/1.0.11/phpseclib/Net/SFTP.php#L465 $packet = pack(
'CNa*N3',
NET_SSH2_MSG_CHANNEL_OPEN,
strlen('session'),
'session',
NET_SFTP_CHANNEL,
$this->window_size,
0x4000
);
if (!$this->_send_binary_packet($packet)) {
return false;
}
$this->channel_status[NET_SFTP_CHANNEL] = NET_SSH2_MSG_CHANNEL_OPEN;
$response = $this->_get_channel_packet(NET_SFTP_CHANNEL, true);
if ($response === false) {
return false;
}
$packet = pack(
'CNNa*CNa*',
NET_SSH2_MSG_CHANNEL_REQUEST,
$this->server_channels[NET_SFTP_CHANNEL],
strlen('subsystem'),
'subsystem',
1,
strlen('sftp'),
'sftp'
);
if (!$this->_send_binary_packet($packet)) {
return false;
}So phpseclib is sending the channel open packet and then it's expecting a response from the server but 15s later it doesn't get one and then phpseclib sends the channel request packet. Later, in SSH2::_get_channel_packet there's this: https://github.com/phpseclib/phpseclib/blob/1.0.11/phpseclib/Net/SSH2.php#L3698 if (!strlen($response)) {
return '';
}I think that line is being hit. If you could maybe add an |
|
Hi Jim,
Yes, most of the time (succeeding happens sometimes, but less often). I've tweaked the line as you suggested, and added an N.B. You say:
There's a fragment with precisely that (which can never be matched) immediately afterwards. |
Would it be possible to give me access to the server?
Could you do
Good catch. That should definitely be removed. I'll try to do it as time permits. Thanks! |
An SFTP login on the SFTP server that manifests the problem? Or something else? (As I say, from the client side, the same happens from any client). |
|
P.S. If so... how to send you these login details? |
Yup.
You can email them to terrafrost@php.net. Thanks! |
|
If I log I've emailed you the login details now. They are tested and working with openssh/sftp - and also manifesting the problem. It's been set up to be identical to our regular login that has the problem. In consequence, there's no shell on this account - it's SFTP only. You cannot write in the default home directory - you need to go into the 'terrafrost' subdirectory. David |
|
I was able to make it work with the latest commit and with this code: include('Net/SFTP.php');
$sftp = new Net_SFTP(...);
$sftp->setTimeout(0);
$sftp->login('user', 'pass');
print_r($sftp->nlist());The issue was this packet: phpseclib sends a NET_SSH2_MSG_CHANNEL_OPEN packet and then, 30 seconds later, the server responds with a NET_SSH2_MSG_GLOBAL_REQUEST packet. The problem is in the fact that the server took 30 seconds to respond. phpseclib, by default, times out after 10s so it assumes it won't be getting a response. Setting the timeout to 0 fixes that but only after this commit that I just made has been applied: The fact that that packet takes 30s to send is weird but I tested it with other SFTP clients and had similar delays. Quoting the logs from FlashFXP: Like with FlashFXP... I tried it just now and got this: I tried connecting with PuTTY, too, but PuTTY doesn't appear to show timestamps in its logs. |
|
Hi, Thank you. Based on what you say, if I did... ```$sftp->setTimeout(35)`` ... then in principle, ought that to work too? Obviously, I want to investigate + fix the server so that it doesn't time out, but given that the code is for distributing to users who may use it on all kinds of setups, I want to be able to work around it for them too. David |
|
Yah - that should work. The only problem I could see is with PHP's max_execution_time and Apache timeout settings. For the former you could do |
|
Thanks. Yes, setting the timeout either of those ways works for me. Upon sticking a |
|
Interesting. Thanks for the update! |
|
I thought I share my experience with this issue. Then I noticed in my /var/log/secure the following line at the end of 25 or 30 seconds after each SSH login attemp. So it seems to be related to this issue. I will just restart systemd-logind (systemctl restart systemd-logind) everytime I experience this issue. |
I have an SFTP server (openssh) to which phpseclib (1.0.11), running as part of a test setup, daily sends a backup mid-morning.
Starting from yesterday, this began failing. Using openssh/sftp from the command line manually still works and does not throw any warnings/errors. The server logs show no clues.
During the night before, the server had received an automatic update to openssh/sshd (as part of the whole batch of updates for CentOS 7.5). So, I suspect this is related. I have restarted sshd and all other services that had old libraries loaded in memory (using the
needs-restartingtool). This has made no difference.The error happens most of the time, but not every time. It has been tried from 3 different clients, and they all show the same behaviour. (The same clients have also been tested manually with a different server (one on Fedora, the other I think Ubuntu), which has worked. So that strengthens the suspicion that the server openssh upgrade is involved).
These are the PHP notices generated when the failure occurs:
This is the contents of the debug log:
The text was updated successfully, but these errors were encountered: