fail to auth with public_keys when using sftp client after adding a user with rest v2 API #723

Closed
ochinchina opened this issue Feb 16, 2022 · 6 comments

@ochinchina

When I try to add a new user with curl, the sftpgo returns status code 201 to indicate the user is created successfully.

curl http://127.0.0.1:8080/api/v2/users [email protected] -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey
JhdWQiOlsiQVBJIl0sImV4cCI6MTY0NTAwMDUzNSwianRpIjoiYzg2YjU5dGE5djhtdXVzcXNwamciLCJuYmYiOjE2NDQ5OTkzMDUsInBlcm1pc3Npb25zIjpbIioiXSwic3ViIjoiNFNTKzBUUVY1
WXlNMGNCNTF4RDRpT25pRDA0VDUyeGc4b1NXYlJoMW1Nbz0iLCJ1c2VybmFtZSI6ImFkbWluIn0.01s6JMT8u4C8RDCMRzSVPKcEfu8CjFaM5E-sh6jeBOM" -v
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /api/v2/users HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Type: json
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQVBJIl0sImV4cCI6MTY0NTAwMDUzNSwianRpIjoiYzg2YjU5dGE5djhtdXVzcXNwamciLCJuYmYiOjE2NDQ5OTkzMDUsInBlcm1pc3Npb25zIjpbIioiXSwic3ViIjoiNFNTKzBUUVY1WXlNMGNCNTF4RDRpT25pRDA0VDUyeGc4b1NXYlJoMW1Nbz0iLCJ1c2VybmFtZSI6ImFkbWluIn0.01s6JMT8u4C8RDCMRzSVPKcEfu8CjFaM5E-sh6jeBOM
> Content-Length: 1049
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Type: application/json; charset=utf-8
< Date: Wed, 16 Feb 2022 08:17:51 GMT
< Content-Length: 1094
<
{"id":2,"status":1,"username":"test","email":"[email protected]","expiration_date":0,"public_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmGUScLfcdTxr1SS1uGQsJIg23slVgrNZgeaQEKnrGOt9hC1ZQsScgD4HYdHfHyazDb/ltiVI8KawM6CIT5MbW4cNwuHnLZEuV/MncExDLbABijBn45z68sdCgB/6SgeA/bVkk4BJekiUaGwDBxhr6CP0CeZ4pvjzcgNvKHLlg274P+SxLT25/mz7RIveLcO+zciP4mZ+KFoku6Ref+ROdzknUIJE5o8KHZa35OvCXSn4csH/IMT4kqmP662k2DlIUdKPu3M18Nw515aBKaqJIGq/dsrb/UMJtegLxz3G/JQDI8jMLcBxvJooZk5QylqQbzNw8kG2PJEUYeQX1IsHJHy/IvJBnT4JSKhgERx9XdB8uHeCmY2Vh4loe615GSvxI2etmE3kKKIqOHUzdMbFwyg0cAF2HbTkPMNNuMi5b8mQVpvfIpWQKLasD6oxBZ05njclPbaEbcrPsTT9CNRTwTiYbydRPy+7WQ+H8mxTsK1wXzZv/dFT9dpf5ULunQVE= root@0bcc98baf9b9"],"home_dir":"/tmp/test-sftp","uid":0,"gid":0,"max_sessions":0,"quota_size":0,"quota_files":0,"permissions":{"/":["*"]},"created_at":1644999471432,"updated_at":1644999471432,"filters":{"hooks":{"external_auth_disabled":false,"pre_login_disabled":false,"check_password_disabled":false},"totp_config":{"secret":{}}},"filesystem":{"provider":0,"s3config":{},"gcsconfig":{},"azblobconfig":{},"cryptconfig":{},"sftpconfig":{}}}
* Connection #0 to host 127.0.0.1 left intact

The content of add-user.json is:

{
    "id": 0,
    "status": 1,
    "username": "test",
    "email": "[email protected]",
    "expiration_date": 0,
    "home_dir": "/tmp/test-sftp",
    "uid": 0,
    "gid": 0,
    "quota_size": 0,
    "max_sessions": 0,
    "quota_files": 0,
    "upload_bandwidth": 0,
    "download_bandwidth": 0,
    "additional_info": "",
    "permissions": {
        "/": [
            "*"
        ]
    },
    "filesystem": {
        "provider": 0
    },
    "password": "123",
    "public_keys": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmGUScLfcdTxr1SS1uGQsJIg23slVgrNZgeaQEKnrGOt9hC1ZQsScgD4HYdHfHyazDb/ltiVI8KawM6CIT5MbW4cNwuHnLZEuV/MncExDLbABijBn45z68sdCgB/6SgeA/bVkk4BJekiUaGwDBxhr6CP0CeZ4pvjzcgNvKHLlg274P+SxLT25/mz7RIveLcO+zciP4mZ+KFoku6Ref+ROdzknUIJE5o8KHZa35OvCXSn4csH/IMT4kqmP662k2DlIUdKPu3M18Nw515aBKaqJIGq/dsrb/UMJtegLxz3G/JQDI8jMLcBxvJooZk5QylqQbzNw8kG2PJEUYeQX1IsHJHy/IvJBnT4JSKhgERx9XdB8uHeCmY2Vh4loe615GSvxI2etmE3kKKIqOHUzdMbFwyg0cAF2HbTkPMNNuMi5b8mQVpvfIpWQKLasD6oxBZ05njclPbaEbcrPsTT9CNRTwTiYbydRPy+7WQ+H8mxTsK1wXzZv/dFT9dpf5ULunQVE= root@0bcc98baf9b9"
    ]
}

I can log in to the sftp server with user/password (test/123). But when I try to use the private key to log in to the sftp server, it prompts me to input the password.

Can you help me to find what's wrong with the above JSON body?

Thanks in advance!

@drakkan
Owner

drakkan commented Feb 16, 2022

Hi,

Your request looks correct. Can you please post the command you use client side for public key authentication? Are you sure you are sending the matching private key?

@ochinchina
Author

Please let me list the detailed steps. The test is based on the drakkan/sftpgo:v2.2.2-alpine docker image.

start the server

init provider

# sftpgo initprovider

set environment variable

change the "create_default_admin" field in create_default_admin to true

set both the SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD environment variables

export SFTPGO_DEFAULT_ADMIN_USERNAME=admin
export SFTPGO_DEFAULT_ADMIN_PASSWORD=admin

start the sftpgo

sftpgo serve -v

create user with rest API

install packages

Before creating user, I installed necessary packages.

get Bearer TOKEN

get the TOKEN and export the TOKEN to environment variable TOKEN:

curl http://localhost:8080/api/v2/token -u admin:admin -s
export TOKEN=<token from curl result>

create private key and public key for sftp server

ssh-keygen -f /tmp/test_key

create add-user.json file with following content:

{
    "id": 0,
    "status": 1,
    "username": "test",
    "email": "[email protected]",
    "expiration_date": 0,
    "home_dir": "/tmp/test-sftp",
    "uid": 0,
    "gid": 0,
    "quota_size": 0,
    "max_sessions": 0,
    "quota_files": 0,
    "upload_bandwidth": 0,
    "download_bandwidth": 0,
    "additional_info": "",
    "permissions": {
        "/": [
            "*"
        ]
    },
    "filesystem": {
        "provider": 0
    },
    "password": "123",
    "public_keys": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBP2XkFWl0gh9z8/UFJTiAz3Zg6ybluP6DJo/YIIhKGurgldUpQneUJoVEHbEeQW7JXQtTw8zIlIVlHVJyUSYn4lWqZYHnTLzwSGvsxqnfchuAVd2em40IhchkSiPbsfjJB4eYMs3wpZ2Op93f+AeTGmoMSgym8lcah0jX3eR9hWQwSPVhGK31AHVzhZ9cTEqnOStqOtCeNqIEKqd54h5JNgoZekuNXxyk2C33eaj+XCDvzYINQKwbw5eqkPH2IVSPt8bXMvNB4FL5dmfFe0l3DQyw/angtzVNZ4AptbVjOvAgg3zek34gsZJivqDnJ7pXWr4g2qu7YQ2O0H7T4AKyKIDyXWzvp0FTL2H9NubuEu/cOPWdG3H7iFVbOB+/Sy1LABo5Vgn4Pze0DZGY3DROso0o+yPVyXNirdsdfz3HrjXTP31jHCXn5sVDmp8dedc9OaIGGcZVSP7tk0UVGnw1rF2goRqROlA/8APJNnzO/lh+iQNPOTTmwgj7UE9N+Jk= root@2f4e0e68d9a6"
    ]
}

the public_keys is from /tmp/test_key.pub

send rest API command to sftpgo with curl

curl http://127.0.0.1:8080/api/v2/users [email protected] -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -v
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /api/v2/users HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQVBJIl0sImV4cCI6MTY0NTUyNDA0MSwianRpIjoiYzhhYXY2ZGE5djhzZ2U2bnM0dGciLCJuYmYiOjE2NDU1MjI4MTEsInBlcm1pc3Npb25zIjpbIioiXSwic3ViIjoiYmU2aitGZkZWdnVNbFlvUU5IVTg0dFN1azBaODJ3RjBKV2Mvbjc4WnRrQT0iLCJ1c2VybmFtZSI6ImFkbWluIn0.CJ5KF_wrVmnSn_LPLd6rW1vdRP5Sl8wf22ZCygx3yo8
> Content-Length: 1049
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Type: application/json; charset=utf-8
< Date: Tue, 22 Feb 2022 09:43:32 GMT
< Content-Length: 1094
<
{"id":1,"status":1,"username":"test","email":"[email protected]","expiration_date":0,"public_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBP2XkFWl0gh9z8/UFJTiAz3Zg6ybluP6DJo/YIIhKGurgldUpQneUJoVEHbEeQW7JXQtTw8zIlIVlHVJyUSYn4lWqZYHnTLzwSGvsxqnfchuAVd2em40IhchkSiPbsfjJB4eYMs3wpZ2Op93f+AeTGmoMSgym8lcah0jX3eR9hWQwSPVhGK31AHVzhZ9cTEqnOStqOtCeNqIEKqd54h5JNgoZekuNXxyk2C33eaj+XCDvzYINQKwbw5eqkPH2IVSPt8bXMvNB4FL5dmfFe0l3DQyw/angtzVNZ4AptbVjOvAgg3zek34gsZJivqDnJ7pXWr4g2qu7YQ2O0H7T4AKyKIDyXWzvp0FTL2H9NubuEu/cOPWdG3H7iFVbOB+/Sy1LABo5Vgn4Pze0DZGY3DROso0o+yPVyXNirdsdfz3HrjXTP31jHCXn5sVDmp8dedc9OaIGGcZVSP7tk0UVGnw1rF2goRqROlA/8APJNnzO/lh+iQNPOTTmwgj7UE9N+Jk= root@2f4e0e68d9a6"],"home_dir":"/tmp/test-sftp","uid":0,"gid":0,"max_sessions":0,"quota_size":0,"quota_files":0,"permissions":{"/":["*"]},"created_at":1645523012171,"updated_at":1645523012171,"filters":{"hooks":{"external_auth_disabled":false,"pre_login_disabled":false,"check_password_disabled":false},"totp_config":{"secret":{}}},"filesystem":{"provider":0,"s3config":{},"gcsconfig":{},"azblobconfig":{},"cryptconfig":{},"sftpconfig":{}}}
* Connection #0 to host 127.0.0.1 left intact

connect sftp server with private key

sftp -P 2022 -i /tmp/test_key test@127.0.0.1
The authenticity of host '[127.0.0.1]:2022 ([127.0.0.1]:2022)' can't be established.
ED25519 key fingerprint is SHA256:R/yb/YZwkEbZ3DMnviCqVq3gZX4tcXaCkU8RCQo5ZTA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2022' (ED25519) to the list of known hosts.
test@127.0.0.1's password:

It requires a password even if the private key is provided.

Can you check if there is anything wrong with my steps?

@drakkan
Owner

drakkan commented Feb 22, 2022

Hi,

please try:

sftp -P 2022 -i /tmp/test_key -o 'PubkeyAcceptedKeyTypes +ssh-rsa' test@127.0.0.1

If this works, it means that you have a recent sftp CLI that tries to use the server-sig-algs extension (RFC 8308). This extension is not yet supported.

You can also generate keys with a different algorithm, for example ssh-keygen -t ed25519 -f /tmp/test_key
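
To confirm from the client side that this is the failure described above (an RSA key skipped because the server advertises no `server-sig-algs`), the following added example, which is not part of the original thread or of SFTPGo, classifies `sftp -v` debug output. The sample log lines are constructed and modelled on OpenSSH client debug messages; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify public-key auth failures from `ssh -v` / `sftp -v` output.
# The log lines below are constructed samples modelled on OpenSSH client debug
# messages; function names and result labels are hypothetical.

diagnose_pubkey() {
    log=$(cat)
    ext=no
    # RFC 8308: the server lists accepted signature algorithms in EXT_INFO.
    if printf '%s\n' "$log" | grep -q 'kex_input_ext_info: server-sig-algs='; then
        ext=yes
    fi
    # The client refused to sign with this key: no algorithm both sides allow.
    if printf '%s\n' "$log" | grep -q 'send_pubkey_test: no mutual signature algorithm'; then
        if [ "$ext" = no ]; then
            echo "key-skipped: server sent no server-sig-algs"
        else
            echo "key-skipped: server-sig-algs has no usable algorithm"
        fi
    elif printf '%s\n' "$log" | grep -q 'Server accepts key:'; then
        echo "key-accepted"
    else
        echo "inconclusive"
    fi
}

# Constructed sample: RSA key, server without server-sig-algs (the case in this issue).
sample_rsa_no_ext() {
    cat <<'EOF'
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/test_key RSA SHA256:<fingerprint>
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: password
EOF
}

# Constructed sample: Ed25519 key against the same server.
sample_ed25519() {
    cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering public key: /tmp/test_key ED25519 SHA256:<fingerprint>
debug1: Server accepts key: /tmp/test_key ED25519 SHA256:<fingerprint>
EOF
}

echo "rsa:     $(sample_rsa_no_ext | diagnose_pubkey)"
echo "ed25519: $(sample_ed25519 | diagnose_pubkey)"
```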

@ochinchina
Author

@drakkan thanks for your quick and kind support. I have tried your two methods, and they work. Is there a plan to support the server-sig-algs extension (RFC 8308) in this excellent project?

@drakkan
Owner

drakkan commented Feb 23, 2022

This support must be added upstream

golang/go#49269
golang/crypto#197

I hope this will be fixed after the Go 1.18 release. If not, I'll try the available patch and, if it works as expected, I'll use it for SFTPGo builds. I'm monitoring the upstream issues and I'll add this support as soon as possible.

@drakkan drakkan closed this as completed Feb 23, 2022
@drakkan
Owner

drakkan commented Mar 29, 2022

This is now supported, please test the development version, thanks
