Bug 502985

Summary: Using SSH's global IdentitiesOnly option breaks sftp
Product: [Applications] dolphin Reporter: Luca Saalfeld <luluklzde>
Component: general Assignee: Dolphin Bug Assignee <dolphin-bugs-null>
Status: REPORTED ---    
Severity: normal CC: kdedev, kfm-devel, luluklzde
Priority: NOR    
Version First Reported In: 25.04.0   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: dolphin sftp log without libssh logging
dolphin sftp log with libssh logging

Description Luca Saalfeld 2025-04-18 21:29:15 UTC
SUMMARY
Using "IdentitiesOnly = yes" within '~/.ssh/config' as a global option breaks sftp remote folders / locations.

STEPS TO REPRODUCE
1. Add "IdentitiesOnly = yes" to '~/.ssh/config' as a global option
2. Connect to an existing remote folder or try to create one

OBSERVED RESULT
"Authentication failed" error or "Unable to connect to server. Please check your settings and try again." error,
depending on whether it's an existing connection or a new connection.

EXPECTED RESULT
The remote folder can be added or connected to.

SOFTWARE/OS VERSIONS
Operating System: Arch Linux 
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 6.12.0
Qt Version: 6.9.0
Kernel Version: 6.14.2-2-cachyos (64-bit)
Graphics Platform: Wayland

ADDITIONAL INFORMATION
Regular SSH connections from a terminal work fine.
Comment 1 TraceyC 2025-04-22 20:59:47 UTC
Thanks for the bug report. I'm not able to reproduce this with Dolphin built from git-master.

I'm assuming you used "Add Network Folder - ssh - sftp" in Dolphin to set up the folder access.
The correct syntax for that option in the ssh config file is:

  IdentitiesOnly yes

Even so, adding IdentitiesOnly = yes to the top of .ssh/config did not prevent me from accessing an sftp folder I set up before adding that.
This connection does have an SSH keypair associated with it.

For your sftp folder, do you use an SSH keypair to connect?
Can you share the ssh command you use to connect through the terminal? (Without the actual hostname or private information like a password)
Comment 2 Luca Saalfeld 2025-04-22 21:55:34 UTC
Arch got the 25.04 update and while the error coming from the creation of a new remote folder stayed the same, the error of viewing an already existing one "disappeared". Now "Loading cancelled" is displayed in the center of the panel.

Now, to your questions:
> I'm assuming you used "Add Network Folder - ssh - sftp" in Dolphin to set up the folder access
Yes, exactly.

> For your sftp folder, do you use an SSH keypair to connect?
I only use key pairs. Passwords are forbidden on the server.

> Can you share the ssh command you use to connect through the terminal?
The command is 'ssh fuser', which isn't too helpful, so here's the relevant config for that:

AddKeysToAgent yes
IdentitiesOnly yes
Host fuser
	HostName <IP>
	IdentityFile ~/.ssh/<keyfile>
	User <user>

'/etc/ssh/ssh_config' has literally everything commented out. There are two configs, but they're for libvirt and systemd.
Comment 3 Luca Saalfeld 2025-04-22 22:16:50 UTC
I actually just realized: I don't have an identity file. There's no id_rsa, id_ed25519 or whatever, just the keys for individual use cases.
Comment 4 TraceyC 2025-04-23 19:11:48 UTC
Thanks for that information. We'll need some debugging information in order to find out more about what Dolphin's doing and why this is failing.

From
https://community.kde.org/Guidelines_and_HOWTOs/Debugging/Debugging_IOSlaves/Debugging_kio_sftp

Can you get a debug log, as described in "Logging" and copy and paste the output in a comment in this report? Thanks.
Comment 5 Luca Saalfeld 2025-04-23 20:08:58 UTC
Created attachment 180585
dolphin sftp log without libssh logging
Comment 6 Luca Saalfeld 2025-04-23 20:09:12 UTC
Created attachment 180586
dolphin sftp log with libssh logging
Comment 7 Luca Saalfeld 2025-04-23 20:11:53 UTC
Here are the logs.
I noticed:

kf.kio.workers.sftp: [ ssh_userauth_agent ] ( 3 )  ssh_userauth_agent: Trying identity Xbox: admin account
kf.kio.workers.sftp: [ ssh_userauth_agent ] ( 3 )  ssh_userauth_agent: Identities only is enabled and identity Xbox: admin account was not listed in config, skipping

That is the key, which is listed under the fuser config entry.
Comment 8 TraceyC 2025-04-23 21:57:29 UTC
From the logs with libssh logs, this is potentially a misconfiguration in the config file or ssh.

I see ssh_config_parse_file reported this as unsupported, but it's been supported since ssh 7.2:
Unsupported option: AddKeysToAgent, line: 1

I see other errors about unsupported options which have been supported in ssh for years (like ProxyUseFdpass).

- Can you paste the output of this into a comment?

ssh -V

From the logs, the error comes from ssh_userauth_agent which is looking for "Xbox: admin account"
It does not find "Xbox: admin account" in .ssh/config
That string needs to match a key file under ~/.ssh
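
Added example (not part of the original thread, and not KDE or libssh code): a small triage script for a kio_sftp debug log that lists which agent identities were tried or skipped under IdentitiesOnly, and which config options the parser reported as unsupported. The function name `triage_sftp_log` is hypothetical; the two "Xbox: admin account" log lines are quoted from comment 7 and the other sample lines are constructed.

```python
import re

# Sample kio_sftp log. The two "Xbox: admin account" lines are quoted from
# comment 7; the other two lines are constructed (their prefix is assumed).
SAMPLE_LOG = """\
kf.kio.workers.sftp: [ ssh_config_parse_file ] ( 3 )  ssh_config_parse_file: Unsupported option: AddKeysToAgent, line: 1
kf.kio.workers.sftp: [ ssh_userauth_agent ] ( 3 )  ssh_userauth_agent: Trying identity Xbox: admin account
kf.kio.workers.sftp: [ ssh_userauth_agent ] ( 3 )  ssh_userauth_agent: Identities only is enabled and identity Xbox: admin account was not listed in config, skipping
kf.kio.workers.sftp: [ ssh_userauth_agent ] ( 3 )  ssh_userauth_agent: Trying identity backup key
"""

# Identities are printed by key comment, which may contain spaces and colons,
# so capture everything up to the fixed tail of each message.
TRY_RE = re.compile(r"ssh_userauth_agent: Trying identity (?P<id>.+)$")
SKIP_RE = re.compile(r"Identities only is enabled and identity (?P<id>.+) "
                     r"was not listed in config, skipping$")
UNSUPPORTED_RE = re.compile(r"Unsupported option: (?P<opt>[^,\s]+), line: (?P<line>\d+)")


def triage_sftp_log(log_text):
    """Summarise agent-identity decisions and options reported as unsupported."""
    identities = {}      # key comment -> "tried" or "skipped (IdentitiesOnly)"
    unsupported = []     # (option name, config line number)
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := SKIP_RE.search(line):
            identities[m["id"]] = "skipped (IdentitiesOnly)"
        elif m := TRY_RE.search(line):
            identities.setdefault(m["id"], "tried")
        elif m := UNSUPPORTED_RE.search(line):
            unsupported.append((m["opt"], int(m["line"])))
    skipped = [k for k, v in identities.items() if v.startswith("skipped")]
    return {
        "identities": identities,
        "unsupported_options": unsupported,
        # True when the agent had keys but none of them was allowed through.
        "all_agent_keys_skipped": bool(identities) and len(skipped) == len(identities),
    }


if __name__ == "__main__":
    report = triage_sftp_log(SAMPLE_LOG)
    for name, state in report["identities"].items():
        print(f"{state:26} {name}")
    for opt, lineno in report["unsupported_options"]:
        print(f"unsupported option {opt} at config line {lineno}")
```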
Comment 9 Luca Saalfeld 2025-04-23 22:18:18 UTC
» ssh -V
OpenSSH_10.0p2, OpenSSL 3.5.0 8 Apr 2025

Note: This is the openssh package from cachyos-core-v3. "ssh -v fuser" doesn't have any of the errors.

> From the logs, the error comes from ssh_userauth_agent which is looking for "Xbox: admin account"
That's the comment of the key.
Comment 10 TraceyC 2025-04-24 15:34:05 UTC
Thanks for your response. I'll let the more experienced Dolphin maintainers take it from here.