
How to tell if phpseclib sftp response is a challenge with a password request when key doesn't match

Recently someone inadvertently changed the keyfile used for my ssh/sftp to a remote server. I deduced this when I tried to ssh to the server from the command line and I got challenged with a password request, which indicated that the key was no longer recognised.

How would I make my php program detect an unexpected password challenge? Currently I have this:

// phpseclib 2.x namespaced classes (placed at the top of the file)
use phpseclib\Net\SFTP;
use phpseclib\Crypt\RSA;

$sftp = new SFTP(self::DOMAIN_NAME);

// Load the private key used for public-key authentication
$Key = new RSA();
$private_rsa_key = file_get_contents('/home/ddfs/.ssh/' . self::KEY_FILE);
$Key->loadKey($private_rsa_key);

// login() returns FALSE when the server rejects the key
$rc = $sftp->login(self::USER, $Key);
$errors = $sftp->getSFTPErrors();

At the moment I see $rc is set to FALSE and $errors is an empty array.

SSH initiated password change requests

SSH has a mechanism built into it for password resets. My reading of RFC4252 § 8 implies that SSH_MSG_USERAUTH_PASSWD_CHANGEREQ packets should only be sent in response to a "password" SSH_MSG_USERAUTH_REQUEST but who knows how the OpenSSH devs interpreted that section of the RFC.

Since you're doing public key authentication phpseclib would be sending a "publickey" SSH_MSG_USERAUTH_REQUEST so it seems like SSH_MSG_USERAUTH_PASSWD_CHANGEREQ wouldn't be a valid response, but again, who knows.

If the server did respond with a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ packet then you could do $sftp->getErrors() (instead of getSFTPErrors) and look for one that starts with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ: . Maybe even do $sftp->getLastError().

getSFTPErrors returns errors with the SFTP layer - not the SSH2 layer. SFTP as a protocol doesn't know about authentication - that's handled entirely by the SSH layer. ie. it's not SFTP errors you'd want to look at but SSH errors.

Reference code: https://github.com/phpseclib/phpseclib/blob/1.0.7/phpseclib/Net/SSH2.php#L2219

Other possible password request mechanisms

It's possible that password request isn't coming from SSH's built-in authentication mechanism. It's possible you're getting a SSH_MSG_USERAUTH_SUCCESS response from the "publickey" SSH_MSG_USERAUTH_REQUEST.

At this point I can see two possibilities:

  1. It could be a banner message that you're seeing. You can get those by doing $sftp->getBannerMessage().

  2. It's possible you're only seeing this error when you SSH into the server as opposed to SFTP'ing into it. ie. it's possible you wouldn't see the error unless you did $ssh->exec() or $ssh->write(). At this point the "error" could be communicated to you via stderr or stdout.

To know for sure I'd have to see the SSH logs. The phpseclib logs may or may not be sufficient. I mean you could do $sftp->exec('pwd'); or $sftp->read('[prompt]'); but my guess is that you're not already doing that. If you wanted to go that route you could do define('NET_SSH2_LOGGING', 2); and then echo $sftp->getLog() after you do either $sftp->exec() or $sftp->read().

The PuTTY logs might be more useful. To get them you can go to PuTTY->Session->Logging, check the "SSH packets" radio button and then connect as usual.

Unfortunately, OpenSSH does not, to the best of my knowledge, log the raw / decrypted SSH2 packets so OpenSSH isn't going to be too useful here.
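Putting the answer's advice together, here is an added example (not code from the question, the answer, or the phpseclib project) that attempts the public-key login and, on failure, collects the SSH-layer diagnostics the answer points to: getErrors() and getLastError() for a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ entry, getBannerMessage() for a banner, and getLog() with NET_SSH2_LOGGING set to 2 for the packet trace. It assumes phpseclib 2.x loaded through Composer's autoloader; the host, user and key path are placeholders. A password prompt from the command-line ssh client after a key is rejected is simply that client falling back to "password" authentication, which is why the PHP side sees only a failed login and has to inspect the SSH errors to explain it.

```php
<?php
// Added example: diagnose a failed public-key login at the SSH2 layer.
// Assumes phpseclib 2.x (phpseclib\Net\SFTP, phpseclib\Crypt\RSA) via Composer.
require_once __DIR__ . '/vendor/autoload.php';

use phpseclib\Net\SFTP;
use phpseclib\Crypt\RSA;

// Must be defined before the connection is opened.
// 2 == SSH2::LOG_COMPLEX: keep decrypted packets in memory for getLog().
define('NET_SSH2_LOGGING', 2);

/**
 * Attempt a public-key login. Returns null on success, otherwise an array
 * describing what the SSH layer reported so the caller can alert on it.
 */
function diagnosePublicKeyLogin(string $host, string $user, string $keyPath): ?array
{
    $sftp = new SFTP($host);

    $key = new RSA();
    if (!$key->loadKey(file_get_contents($keyPath))) {
        return ['reason' => 'key file could not be parsed', 'key' => $keyPath];
    }

    if ($sftp->login($user, $key)) {
        return null; // the server accepted the key
    }

    // Authentication belongs to the SSH2 layer: getErrors(), not getSFTPErrors().
    $sshErrors = $sftp->getErrors();

    // A password-change request, if the server ever sent one, shows up as an
    // error string prefixed with the message name (RFC 4252 section 8).
    $changeReq = array_values(array_filter($sshErrors, function ($e) {
        return strpos($e, 'SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:') === 0;
    }));

    return [
        'reason'      => $changeReq ? 'server requested a password change' : 'public key rejected',
        'last_error'  => $sftp->getLastError(),
        'ssh_errors'  => $sshErrors,
        'sftp_errors' => $sftp->getSFTPErrors(),   // expected to stay empty here
        'banner'      => $sftp->getBannerMessage(), // pre-auth banner, if any
        'packet_log'  => $sftp->getLog(),           // decrypted packet trace
    ];
}

// Placeholder host, user and key path.
$result = diagnosePublicKeyLogin('sftp.example.invalid', 'ddfs', '/home/ddfs/.ssh/id_rsa');
if ($result === null) {
    echo "login ok\n";
} else {
    // Report the reason; keep the packet log out of routine output,
    // since it contains the full decrypted session.
    fwrite(STDERR, $result['reason'] . ': ' . $result['last_error'] . "\n");
}
```

The returned array is what a monitoring job would act on: a non-null result with an empty sftp_errors list and a populated ssh_errors list is exactly the "rc is FALSE, getSFTPErrors() is empty" situation from the question, and last_error gives the server's reason for rejecting the key.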
