SFTP username contains invalid characters

Question

SFTP username contains invalid characters

erentar opened this issue 5 months ago · comments

Describe the bug
using the sftp command which comes with openssh packets on linux distributions, one cannot connect to upload files to a server instance because of the pipe character present in the username

To Reproduce
Steps to reproduce the behavior:

Go to Servers > pick any server > files > SFTP information
Use SFTP information to connect using sftp command sftp -P 5657 asdf@qwerty.com|deadbeef@1.2.3.4.5
See error remote username contains invalid characters.

Desktop (please complete the following information):

OS: any OS that has openssh utilities, linux, in this case WSL
Version
- SSH-2.0-OpenSSH_9.3
- pufferpanel/pufferpanel on docker-compose, i assume that maps to version 2.6.10

Joshua Taylor · Answer 1 · Fri Feb 23 2024 22:32:48 GMT+0800 (China Standard Time)

SFTP does not explicitly ban or have a forced set of characters that can be used. While generally SFTP ends up using local accounts, which has a small subset of rules, this is not an actual requirement that SFTP needs to follow.

SFTP gets around this (and is recommended) by using single quotes around the username.

So, in your command, this is the valid way of doing it:
sftp -P 5657 'asdf@qwerty.com|deadbeef'@127.0.0.1

erentar · Answer 2 · Sun Feb 25 2024 14:29:59 GMT+0800 (China Standard Time)

I had tried that, and it did not work.

Joshua Taylor · Answer 3 · Tue Feb 27 2024 04:34:55 GMT+0800 (China Standard Time)

What version of SFTP do you have for the client?

erentar · Answer 4 · Tue Feb 27 2024 07:30:41 GMT+0800 (China Standard Time)

OpenSSH_9.3p1, OpenSSL 3.1.1 30 May 2023

Joshua Taylor · Answer 5 · Wed Feb 28 2024 01:23:54 GMT+0800 (China Standard Time)

Either openssh changed, or something's odd with my packages.

I used:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020

I tested on my remote machine with this one, it fails:
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022

Sigh......................

Joshua Taylor · Answer 6 · Wed Feb 28 2024 01:25:38 GMT+0800 (China Standard Time)

As a note, I was using WSL as well, which is interesting.

What is the output of cat /etc/lsb-release

Joshua Taylor · Answer 7 · Wed Feb 28 2024 02:06:46 GMT+0800 (China Standard Time)

We've confirmed openssh has in fact made this a breaking change basically.

We are going to end up changing the character. Not my first plan, but looks like one that's going to be needed.

We'll end up probably using #, but this will be a v3 thing. V2 is not going to be getting this change because it's a breaking change.

erentar · Answer 8 · Wed Feb 28 2024 17:39:30 GMT+0800 (China Standard Time)

$ cat /etc/os-release

NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Container Image"
VARIANT_ID=container

erentar · Answer 9 · Wed Feb 28 2024 17:39:37 GMT+0800 (China Standard Time)

Thank you for your attention

Joshua Taylor · Answer 10 · Tue Mar 26 2024 01:56:56 GMT+0800 (China Standard Time)

This is resolved in v3, but cannot be done on v2 without it being a breaking change.