SFTP Support #7127

Closed
Tracked by #8711
deusxanima opened this issue Jun 1, 2021 · 12 comments · Fixed by #16601
Labels
c-af Internal Customer Reference c-ax Internal Customer Reference c-ca Internal Customer Reference c-ju Internal Customer Reference c-te Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements needs-rfd This issue should have RFD before implementation starts

Comments

@deusxanima
Contributor

deusxanima commented Jun 1, 2021

What

A few customers have expressed interest in native tsh SFTP support, similar to what we already do with SCP.

Why

Multiple customers have requested this feature to match specific use-cases they have.

Workaround

Current workaround requires running OpenSSH alongside Teleport and exporting and adding CAs to every single node manually, which can be burdensome and challenging, especially for customers who rotate CAs periodically for security reasons.

gz#3064

gz#4740

@deusxanima deusxanima added feature-request Used for new features in Teleport, improvements to current should be #enhancements c-ax Internal Customer Reference c-gr Internal Customer Reference c-te Internal Customer Reference and removed c-gr Internal Customer Reference labels Jun 1, 2021
@stefansedich
Contributor

@AHARIC any idea if this is prioritized at all and if it is something that will be delivered in the near future?

@deusxanima
Contributor Author

@stefansedich - This feature request is not currently scheduled for a release though it is being prioritized internally and is on our internal issue board that we work from to get issues scheduled and resolved.

@anurag-work

anurag-work commented Oct 6, 2021

Snippet from openssh 8.8 release notes

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

@AHARIC This might potentially break scp via teleport proxy servers in the future. Not having sftp and scp will be a problem.

@deusxanima
Contributor Author

Thanks for bringing this to our attention @anurag-work. Do you guys currently use SFTP, SCP or tsh scp?

@iercan

iercan commented Jan 6, 2022

We also need this feature to use teleport from jetbrains ideas. I've successfully configured my ssh config to use the sftp command with the settings below.

ssh config

Host *
  User root
  Port 3022
  IdentityFile ~/.tsh/keys/tele.mydomain.com/ibrahim

After this, it was giving the error below when I ran sftp.

subsystem request failed on channel 0
Connection closed

I also added this alias

alias sftp="sftp -s /usr/lib/openssh/sftp-server"

After this I'm able to use sftp from command line like this

sftp myserver:/tmp/a /tmp/a

Finally I configured my idea. ssh worked successfully but sftp didn't work. I saw the error below in the teleport agent

2022-01-06T15:09:25Z WARN [NODE] Failed to parse subsystem request: &{subsystem true [0 0 0 4 115 102 116 112] 0xc000375500 <nil>}: unrecognized subsystem: sftp. id:131 local:*****:3022 login:root remote:*****:38970 teleportUser:ibrahim regular/sshserver.go:1512

If I understand correctly, idea is not using the alias I added. If I can make it send a subsystem command like I did for the shell command, I guess it will work. But I couldn't figure out how to do it. I'd appreciate any help.

@russjones russjones mentioned this issue Jan 14, 2022
13 tasks
@programmerq
Contributor

@russjones I looked into this a while back, and one possibility might be to simply use the sftp-server binary from the openssh package. We'd just need some very basic plumbing in the teleport ssh_service to execute the sftp-server command when the sftp subsystem is requested.

Additionally, we might be able to add support for custom subsystems on par with the Subsystem sshd_config configuration directive.
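
An added example (not code from Teleport or from any commenter) of the plumbing discussed above: it decodes the payload bytes printed in the WARN log line as an SSH "subsystem" request (RFC 4254, section 6.5) and resolves the name against a server-side table in the spirit of sshd_config's Subsystem directive. The `subsystems` table and the function names are assumptions made for illustration; the sftp-server path is the one from the alias earlier in the thread.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// subsystems is a hypothetical server-side allowlist: subsystem name -> command.
// The client only ever supplies the name, never a path.
var subsystems = map[string]string{
	"sftp": "/usr/lib/openssh/sftp-server", // path from the alias quoted in the thread
}

var errUnrecognized = errors.New("unrecognized subsystem")

// parseSubsystemName decodes a "subsystem" channel request payload:
// a big-endian uint32 length followed by exactly that many name bytes.
func parseSubsystemName(payload []byte) (string, error) {
	if len(payload) < 4 {
		return "", errors.New("short payload")
	}
	n := binary.BigEndian.Uint32(payload[:4])
	// Reject truncated payloads and trailing bytes alike.
	if uint64(n) != uint64(len(payload)-4) {
		return "", errors.New("length field does not match payload")
	}
	return string(payload[4:]), nil
}

// resolveSubsystem returns the command to run for a request, or an error
// wrapping errUnrecognized when the name is not in the allowlist.
func resolveSubsystem(payload []byte) (string, error) {
	name, err := parseSubsystemName(payload)
	if err != nil {
		return "", err
	}
	cmd, ok := subsystems[name]
	if !ok {
		return "", fmt.Errorf("%w: %q", errUnrecognized, name)
	}
	return cmd, nil
}

func main() {
	// Payload bytes exactly as printed in the log line above.
	logged := []byte{0, 0, 0, 4, 115, 102, 116, 112}
	name, _ := parseSubsystemName(logged)
	cmd, err := resolveSubsystem(logged)
	fmt.Println(name, cmd, err)
}
```

The logged bytes decode to the name "sftp", so the IDE did send a standard subsystem request; the node rejected it only because no handler was registered for that name.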

@programmerq programmerq added the c-af Internal Customer Reference label Apr 12, 2022
@christian-heusel

christian-heusel commented Apr 26, 2022

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

The above quoted change is now part of OpenSSH 9.0/9.0p1 (2022-04-08):

OpenSSH 9.0/9.0p1 (2022-04-08)

[...]

Changes since OpenSSH 8.9
=========================

This release is focused on bug fixing.

Potentially-incompatible changes
--------------------------------

This release switches [scp(1)](https://man.openbsd.org/scp.1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.

[...]

In case of incompatibility, the [scp(1)](https://man.openbsd.org/scp.1) client may be instructed to use
the legacy scp/rcp using the -O flag.

As this version is already rolled out in ArchLinux this broke using ansible over teleport for me.
Depending on the speed this change is rolled out in other distributions the feature might require reprioritization in #8711. In any case it would be great to test these features a little bit up front or provide a workaround.

@Tassatux

I also had an issue with Teleport+Ansible since I upgraded OpenSSH to 9.0.
This could be fixed by adding in your ansible.cfg

[ssh_connection]
scp_extra_args = -O

It forces OpenSSH >=9.0 to use legacy scp module instead of sftp.

But having proper support for sftp in Teleport would be great.

@r0mant
Collaborator

r0mant commented May 24, 2022

@capnspacehook Go has a good SFTP library we can use: https://pkg.go.dev/github.com/pkg/sftp.

@r0mant r0mant added the needs-rfd This issue should have RFD before implementation starts label May 24, 2022
@Erick-Reyes Erick-Reyes added the c-ca Internal Customer Reference label Jun 7, 2022
@klizhentas
Contributor

It's in progress, please review the PR #13216

@russjones
Contributor

russjones commented Aug 3, 2022

| Phase | PR | Date |
| --- | --- | --- |
| Phase 1: RFD | #13216 | Q2 2022 |
| Phase 1: Add support for sftp subsystem | #13491 | Q2 2022 |
| Phase 2: Update scp to use sftp under the hood | | Q3 2022 |

@aliasmee

> It's in progress, please review the PR #13216

> We also need this feature to use teleport from jetbrains ideas. I've successfully configured my ssh config to use the sftp command with the settings below.
>
> ssh config
>
> Host *
>   User root
>   Port 3022
>   IdentityFile ~/.tsh/keys/tele.mydomain.com/ibrahim
>
> After this, it was giving the error below when I ran sftp.
>
> subsystem request failed on channel 0
> Connection closed
>
> I also added this alias
>
> alias sftp="sftp -s /usr/lib/openssh/sftp-server"
>
> After this I'm able to use sftp from command line like this
>
> sftp myserver:/tmp/a /tmp/a
>
> Finally I configured my idea. ssh worked successfully but sftp didn't work. I saw the error below in the teleport agent
>
> 2022-01-06T15:09:25Z WARN [NODE] Failed to parse subsystem request: &{subsystem true [0 0 0 4 115 102 116 112] 0xc000375500 <nil>}: unrecognized subsystem: sftp. id:131 local:*****:3022 login:root remote:*****:38970 teleportUser:ibrahim regular/sshserver.go:1512
>
> If I understand correctly, idea is not using the alias I added. If I can make it send a subsystem command like I did for the shell command, I guess it will work. But I couldn't figure out how to do it. I'd appreciate any help.

I reproduce fine after using the -O parameter. e.g:

scp -O 
