Sftp issue after upgrading to 6.34

polarbear · February 3, 2016, 1:59pm

It’s been a while since the last upgrade and I’ve skipped some versions, so forgive me if I missed something in the announcements.

I’ve been using scp to copy over backups from Mikrotik to the host machine on a daily basis. After the upgrade it stopped working with the following error:

exec request failed on channel 0

which after some googling revealed that sftp server might be missing.

Were there any changes in the latest build that might have affected sftp? I’ve got 2 routers with different configs, both give the same error when trying to scp files from them.

polarbear · February 8, 2016, 7:53am

Bump. Anyone?

polarbear · February 9, 2016, 12:18pm

Interestingly using sftp with password works without any problems. Here’s the bit from the verbose output:

debug2: channel 0: request env confirm 0
debug1: Sending command: scp -v -f /backup.bak
debug2: channel 0: request exec confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 2621440 rmax 262144
debug2: channel_input_status_confirm: type 100 id 0
exec request failed on channel 0

leandrofmilani · February 12, 2016, 10:47am

I have that problem too.
I tried to upgrade to 6.34.1 but it doesn’t solved.

steixeira · February 13, 2016, 12:09am

I may have a similar issue. I have backups copied by ftp(not sftp) each week. Today’s ftp job failed for all routers v6.34 and above. Routers below v6.34 still work. My backup utility(Cobian Backup) says:

2016-02-12 15:15 The user “ftp” has initiated a session on “1.2.3.4:21”
2016-02-12 15:15 The remote directory has been changed to “/”
2016-02-12 15:15 Downloading the remote directory “/” to “C:\Users\tempuser\AppData\Local\Temp\Root directory”
ERR 2016-02-12 15:15 Couldn’t get the remote directory list: ‘LIST’: not enough permissions

When I try to ftp with a command line in Windows, I get similar:

C:\Users\tempuser>ftp
ftp> open 1.2.3.4
Connected to 1.2.3.4.
220 Mikrotik FTP server (MikroTik 6.34.1) ready
User (1.2.3.4:(none)): ftp
331 Password required for ftp
Password:
230 User ftp logged in
ftp> get log.0.txt
200 PORT command successful
550 ‘RETR’: not enough permissions
ftp>

Looking at the v6.34 changelog, maybe it’s this?

ssh, ftp - make read, write user group policy aware

But is this a bug or is there a workaround?

Sob · February 13, 2016, 1:54am

You found the answer. If your ftp or ssh user belongs to group with just ftp/ssh policy, it won’t be able to do anything useful. Add read and write as needed and problem solved. Also sensitive seems to be required if you want to access *.backup.

steixeira · February 17, 2016, 6:30pm

Read policy was what was required. I would assume the write policy would be required if I wanted to use ftp put command, but I am only getting backups.

My mistake. I had already set up the group with ftp and sensitive policy. I thought I had enabled all policies for the group the user belongs to during my testing to confirm the permissions issue, but I must have missed something.

So, as of 6.34, read and/or write policy is now also required.

Thanks!

polarbear · February 22, 2016, 9:54am

Amazing! Thanks for the find!

Here’s the full policy needed to get it: ssh,ftp,read,write,sensitive

leandrofmilani · February 23, 2016, 12:19pm

I used an user with full permissions but it didn’t work. Now I upgraded to version 6.34.2 and my problem was solved.