Can't use auto backup feature with SFTP

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-11-27 13:59:40 - last edited 2024-02-15 09:47:54
Tags: #SFTP
Hardware Version:
Firmware Version: 5.13.22

I tried to set up the controller to do a backup to a local server. When checked from a local machine, logging in via cygwin to the sftp server works perfectly fine.

In the controller I get a message about it not being able to reach the machine.

Logs state: "[https-jsse-nio-8043-exec-6] [] c.t.s.o.b.c.c.a.f(): Fail to connect to SFTP server"

Creds are fine; it doesn't matter if the user is jailed or not. I've seen a similar post where ownership was an issue - it's not the case here.

An example when I set up a jailed account:

sftp user@192.168.1.123

user@192.168.1.123's password:

Connected to 192.168.1.123.
sftp> put test.x
Uploading test.x to /test.x
dest open "/test.x": Permission denied    <---- perfectly fine, as it's jailed
sftp> cd backup                           <---- getting to the directory where user has W permissions
sftp> put test.x
Uploading test.x to /backup/test.x
test.x    100%    4     1.0KB/s   00:00
sftp>

So no issues whatsoever - I can connect, I can upload, yet the controller experiences some issues and isn't really willing to elaborate on what the problem is.
It doesn't even browse the remote directory at all.

Re:Can't use auto backup feature with SFTP
2023-11-28 03:45:07

Hello @meowing_parrot,

 

How did you set the Server Hostname/IP? Are you sure the port is open?

Did this issue occur after you upgraded the controller firmware to 5.13.22?

Can you ping the server IP from the controller side?

Best Regards!
Re:Can't use auto backup feature with SFTP
2023-11-28 09:51:32

@Hank21 

I've used IP (same subnet, no firewall, no nothing in between the AP and server), I've used hostname, no difference.

I have just recently bought a set of 670s and installed the latest version of the software; I hadn't used it before at all, so I've got no clue if it'd work on an earlier version.

I can ping, I can access shares, I can do basically everything. The controller is installed on a machine that's in the same subnet, directly plugged into the server through a switch. As mentioned earlier, there's no firewall or any network-related blocker that could've caused this :)

Re:Can't use auto backup feature with SFTP-Solution
2024-02-14 21:55:41 - last edited 2024-02-15 09:47:54

I've found a solution by myself.

Since I have a hardened system, some KEXs, Ciphers, etc. were excluded.

The thing that broke Omada's ability to use/browse the SFTP server was cutting ecdsa-sha2-nistp256 from the available HostKeyAlgorithms.

Quite a shame, because (currently) the CIS recommends leaving only these 3: rsa-sha2-256, rsa-sha2-512 & ssh-ed25519, and marks P-curve-based HKAs as vulnerable.

Even worse, the error gives no information whatsoever as to what is/could be the root cause.

I'd really recommend that Omada's developers update the libraries so they will support more secure/modern HKAs.

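The solution above points at a server-side setting the controller's error never names: which host-key algorithms the sshd still offers. As an added example (not code from TP-Link, Omada or the poster), here is a small Python probe that reads the server's SSH_MSG_KEXINIT and reports whether ecdsa-sha2-nistp256 is in its server_host_key_algorithms list, so an admin can confirm the mismatch from the backup host before touching the controller. The parser is exercised on a constructed KEXINIT payload; `fetch_server_kexinit`, the function name, the zero cookie and the client banner `SSH-2.0-hka_probe` are all assumptions of this example.

```python
"""Probe an SSH server's KEXINIT and list the host-key algorithms it offers.
Added example (not Omada/TP-Link code): a hardened sshd that drops
ecdsa-sha2-nistp256 from HostKeyAlgorithms breaks a client that needs it."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Name-list order is fixed by RFC 4253 section 7.1, after the 16-byte cookie.
KEXINIT_FIELDS = ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
                  "compression_c2s", "compression_s2c",
                  "languages_c2s", "languages_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode an SSH_MSG_KEXINIT payload: msg id, cookie, ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, out = 17, {}  # skip message id (1 byte) + cookie (16 bytes)
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        out[name] = raw.split(",") if raw else []
    return out

def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload; used to construct offline test input."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # constructed zero cookie
    for name in KEXINIT_FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

def missing_host_key_algos(offered, required=("ecdsa-sha2-nistp256",)):
    """Return the algorithms a client requires that the server does not offer."""
    return [a for a in required if a not in offered]

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, exchange version strings, read the server's first binary packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-hka_probe\r\n")
        f = sock.makefile("rb")
        for line in f:                          # skip any pre-banner text lines
            if line.startswith(b"SSH-"):
                break
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        payload = f.read(packet_len - pad_len - 1)   # unencrypted first packet
        return parse_kexinit(payload)
```

Against a live backup host, `missing_host_key_algos(fetch_server_kexinit("192.168.1.123")["server_host_key_algorithms"])` returns an empty list when the server still offers ecdsa-sha2-nistp256 and `["ecdsa-sha2-nistp256"]` when the hardening has removed it.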