Troubleshooting SFTP Plugin

Started by rkubes, March 13, 2025, 05:53:07 PM

I'm working to transition from Google Drive to a locally (on my network, but not on the router) hosted SFTP server for config backups.

I created an ed25519 key pair, and for the "sftp user" on the SFTP server, I added the public key to the "authorized_keys" folder. For the private key, I copy and pasted the key text in the "SSH Private Key" field in OPNsense backup configuration page. I tried with and without the "----BEGIN..." lines, and with and without new lines.

Every time I hit save/test, I get a public key error still. My remote server (SFTP) server is already set up where I can SSH into it from the OPNsense machine, due to a different process that I use to scp certain files over. So, the "root" OPNsense account can "SSH" into User1 on my backup server. However, I cannot SFTP from "root" on OPNsense to SFTP_USER on my backup server (public key error).

One thing I'm not following is where the private key I typed into the configuration page is going. I think the issue is that SFTP isn't even pulling that private key for the keypair I set up for the SFTP server. I looked in /root/.ssh/ and the only key file is an "id_ed25519" which is the private key for the SSH connection I mentioned above.

Do I need to potentially just use that same private key I already set up internally to generate a public key for the SFTP_USER account? Or is there a specific file/path that the "private key" I'm entering into the Backups configuration page should go that I can continue troubleshooting with?

March 13, 2025, 06:34:37 PM #1 Last Edit: March 13, 2025, 06:46:26 PM by patient0
I assume you are familiar with what permission ~/.ssh and the authorized_keys file have to have and that sort?

Just to make sure that on the server side everything is ok for that user I'd use the private key to login to the backup server manually.

Quote: One thing I'm not following is where the private key I typed into the configuration page is going.
You will find the private key in /conf/backup/sftp
Deciso DEC740

Probably the Microsoft line endings issue. We will hotfix this tomorrow.


Cheers,
Franco

Quote from: franco on March 13, 2025, 07:23:02 PM: Probably the Microsoft line endings issue. We will hotfix this tomorrow.
Ah, good to know! That certainly explains the ^M's that get added at the end of each line of the public key.
Deciso DEC740

Quote from: franco on March 13, 2025, 07:23:02 PM: Probably the Microsoft line endings issue. We will hotfix this tomorrow.


Cheers,
Franco

This was it. I was surprised since I created the private key on a Linux box, and pasted it on an iPhone, but indeed Windows line endings got added to the saved key.

I manually edited the identity file (I realized the error told me the path to the file) to remove the line endings and I could get in from the command line. However doing the test from the GUI just put the line endings back even though I didn't edit the private key field again.

I'll wait for the hot fix and try again. Thanks.

Hotfix was published to the main mirror now, probably takes up to a few hours for it to arrive on the others.

March 14, 2025, 04:18:25 PM #6 Last Edit: March 14, 2025, 04:43:31 PM by rkubes
Quote from: franco on March 14, 2025, 09:20:24 AM: Hotfix was published to the main mirror now, probably takes up to a few hours for it to arrive on the others.

I installed it and the one issue is it didn't "auto correct" the existing identity file. I commented on the issue in GitHub with a fix that would probably solve that.

In the meantime, I should just have to "Edit" the Private Key to make it slightly different (or just delete the existing identity file) for it to trigger rewriting the identity file. I'm just going to generate a new Private Key anyway.

Bumpy start for all the Windows users, but to be fair the feature seems pretty popular already so I think this went rather well...  :)


Cheers,
Franco

Quote from: franco on March 14, 2025, 05:31:09 PM: Bumpy start for all the Windows users
Mmmh, I created the key and uploaded/pasted it on a Debian machine yesterday and got the same issue. Was it supposed to only affect Windows users?

Anyway, it does work now, thank you Franco!
Deciso DEC740

Quote from: patient0 on March 14, 2025, 06:31:38 PM:
Quote from: franco on March 14, 2025, 05:31:09 PM: Bumpy start for all the Windows users
Mmmh, I created the key and uploaded/pasted it on a Debian machine yesterday and got the same issue. Was it supposed to only affect Windows users?

Anyway, it does work now, thank you Franco!

I think due to the \r\n line ending it's assumed a Windows issue. But mine was triggered from a cert created on a Debian box and copy and pasted into Chrome running on an iPhone.

Still it's mostly fixed now and there is another commit done that fixes the issue of identity files that are already in a bad state.

Agreed overall a positive outcome and good to see a lot of interest in the feature.

Hi everyone,

If you can fix this, please adjust it so that you also use password + keyfile authentication, because on TrueNAS, that's the default.

Just a question for clarification, why is only the public key requested? If I want to save a backup from Opnsense to, for example, my TrueNAS, would I have to enter the public key in the module for authentication, or am I misunderstanding this?

Thanks for the clarification.

Since OpnSense is the SFTP client in this case, you obviously need the private key and not the public key. Also, the input value is nothing else but the content of the "keyfile" you want.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A