[Bug] Public key authentication not working in version 3 #22

Closed
josefschabasser opened this issue Jun 19, 2020 · 13 comments · Fixed by #25
Assignees
Labels
bug Something isn't working

Comments

@josefschabasser

josefschabasser commented Jun 19, 2020

Hi!

I set up emberstack/sftp as an Azure Container Instance. I tried to configure public key authentication, but as soon as I set the password to "" or null I can't log in anymore.
Here is my configuration:

{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": [
      "sftp"
    ],
    "HostKeys": {
      "Ed25519": "[MY HOST ED25519 PRIVATE KEY]",
      "Rsa": "[MY HOST RSA PRIVATE KEY]"
    }
  },
  "Users": [
    {
      "Username": "myuser",
      "Password": "",
      "PublicKeys": [
        "[MY USER PUBLIC KEY]"
      ]
    }
  ]
}

Log output when using sshfs:

2020-06-19 14:41:05.388 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:05.455 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Connection closed by authenticating user myuser 10.240.255.56 port 46479 [preauth]
2020-06-19 14:41:18.675 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:20.855 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:20.895 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Postponed keyboard-interactive for myuser from 10.240.255.56 port 59492 ssh2 [preauth]
2020-06-19 14:41:23.242 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:23.589 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Failed none for myuser from 10.240.255.56 port 59492 ssh2
2020-06-19 14:41:24.117 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Failed password for myuser from 10.240.255.56 port 59492 ssh2
2020-06-19 14:41:24.126 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - maximum authentication attempts exceeded for myuser from 10.240.255.56 port 59492 ssh2 [preauth]
2020-06-19 14:41:24.126 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Disconnecting authenticating user myuser 10.240.255.56 port 59492: Too many authentication failures [preauth]

When I use Filezilla, more or less the same thing happens.

EDIT: shortened log

@antoinedeschenes
Collaborator

antoinedeschenes commented Jun 23, 2020

v2.1.14 will work. Permissions of users' home folder on v3 prevent sshd from reading the authorized_keys file; using a custom AuthorizedKeysFile instruction should fix those problems.

@antoinedeschenes
Collaborator

@winromulus two possible solutions here, either move authorized_keys out of users' home, or create the home directory with 755 permissions.

@josefschabasser
Author

josefschabasser commented Jun 24, 2020

me not understanding SFTP chroot permissions

Why is the users home directory owned by root:root?
Simplest fix: chown -R $USER:$GROUP $HOME during creation of folder structure.
chown $USER $HOME (without -R and $GROUP) already solves this issue.

In fact, nearly everything is owned by root:root!

$ kubectl exec sftp-pod -- bash
  # ls -lisah /home
  total 12K
  823876 4.0K drwxr-xr-x 1 root root 4.0K Jun 24 08:12 .
  920766 4.0K drwxr-xr-x 1 root root 4.0K Jun 24 08:12 ..
  920983 4.0K drwx------ 3 root root 4.0K Jun 24 08:12 myuser

  # ls -lisah /home/myuser
  total 12K
  920983 4.0K drwx------ 3 root root 4.0K Jun 24 08:12 .
  823876 4.0K drwxr-xr-x 1 root root 4.0K Jun 24 08:12 ..
  920984 4.0K drwxr-xr-x 3 root root 4.0K Jun 24 08:12 .ssh

  # ls -lisah /home/myuser/.ssh
  total 16K
  920984 4.0K drwxr-xr-x 3 root    root 4.0K Jun 24 08:12 .
  920983 4.0K drwx------ 3 root    root 4.0K Jun 24 08:12 ..
  910298 4.0K -r-------- 1 myuser  root  584 Jun 24 08:12 authorized_keys
  920985 4.0K drwxr-xr-x 2 root    root 4.0K Jun 24 08:12 keys

@winromulus
Contributor

@antoinedeschenes @josefschabasser I'm currently investigating this

@antoinedeschenes - Not sure if creating the home directory with 755 will work because of chroot.
I need to have a look over the changes in v3 again to see if any of the user permissions changed

@winromulus winromulus added the bug Something isn't working label Jun 24, 2020
@winromulus winromulus self-assigned this Jun 24, 2020
@winromulus winromulus changed the title public key authentication not working [Bug] Public key authentication not working in version 3 Jun 24, 2020
@josefschabasser
Author

josefschabasser commented Jun 24, 2020

Okay, root:root owning the user's home is not the problem.
The problem is the permissions on the user's home folder: 0700.
According to the ArchWiki it should be 0755.

Or maybe move the authorized_keys file to /etc/sshd, as suggested here.

@antoinedeschenes
Collaborator

Yes, the sshd auth process runs unprivileged and can't reach the authorized_keys file.
It used to be a config option, but it's been removed in the OpenSSH version used:
https://manpages.debian.org/stretch/openssh-server/sshd_config.5.en.html#UsePrivilegeSeparation

@winromulus
Contributor

@antoinedeschenes - I think this is a breaking change after setting the container to run as a non-root user.

@winromulus
Contributor

After doing a lot of research I've concluded that the current version of sshd cannot run unprivileged without affecting multiple capabilities, authorized keys being one of them. I'm putting in a new PR to run the container as root again.

@tibarix

tibarix commented Jun 25, 2020

Hello everyone, I am getting the same error even with version 2.1.10

docker-compose.yaml:

version: '2'
services:
  sftp:
    image: "emberstack/sftp:2.1.10"
    ports:
      - "22:22"
    volumes:
      - ./config.json:/app/config/sftp.json:ro

config.json:

{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "sftp"
        },
        "Directories": ["sftp"],
        "HostKeys": {
            "Ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAAACABFA3h3NqqTRKsuuEaCcw3s27eqBJz1DqQlYwqVvY8XQAAALCU+JrxlPia\n8QAAAAtzc2gtZWQyNTUxOQAAACABFA3h3NqqTRKsuuEaCcw3s27eqBJz1DqQlYwqVvY8XQ\nAAAEDycMcNSh91iXDNQVEedPfbE7hddnw83x367VavE391MgEUDeHc2qpNEqy64RoJzDez\nbt6oEnPUOpCVjCpW9jxdAAAAK21vaGFtbWVkLmFheWFjaGlATGVuZGljby1NQUMtTW9oYW\n1tZWQubG9jYWwBAg==\n-----END OPENSSH PRIVATE KEY-----\n",
            "Rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAgEA05X6PgggTCa7vXKnqvRg1CMAK/MDpGOqnExJTUfW7AYxUEW1CNIR\nnJ7aMd/72uQz4ReuNUAfn/W7UQgQRkhenHyg1HdhIqVLtY8bz9PgQec5QSdhJDeXZj0su8\n5krHRlOTyedcaFFAfSkDhw7WJ0viCU2UVW1yzuQKxHgbbili1Jq7dJJ5d2fRMbuk1M/CVl\nlfCev+LA4FWgZbDz6a8ZTV7HnnbEpyVMe8OWR1Fc6xddOaloLnx0K+5Pc9yyRPU9hefWjn\nER+1p/t5vnb7BiGei+hDu4Ul2hJcMNhyD7bXlajeczTDSDFGtg7cTY37M4eEhdeQiteGSb\nEXx6eIoSzzrO3R2jz8PdXk46Kxv6p2MKyIXxNN8IVrE3QNwqtv/J7a/4pImDD+fdAW/DUv\nZ/73o2aBWWpPC6icV34gYYCldZPjs26bFE8OZy8vsjJcI9QC9uDulHZJTAeBjXinhy+Heh\nmSPxxFAVvtkPxVw4ZXl0sF1rdS6O60m0o76JHE6RCrV5fYcg+w0bOEs0I9DG1EpbCYiaPo\nuMRuMnCWiEk3xLtvBl6YeLzIbcnf/iEAA0CesoNsuvYmGkUCOUTfKR2nlM/69LV6g6qZkk\nis/mSErP51Ib2cr6am2J3f2IsVK1Kx/roFAlG3NRsaUgKJsJ95TClobXBgpBX5MKgAU/m+\n8AAAdoAwS9AAMEvQAAAAAHc3NoLXJzYQAAAgEA05X6PgggTCa7vXKnqvRg1CMAK/MDpGOq\nnExJTUfW7AYxUEW1CNIRnJ7aMd/72uQz4ReuNUAfn/W7UQgQRkhenHyg1HdhIqVLtY8bz9\nPgQec5QSdhJDeXZj0su85krHRlOTyedcaFFAfSkDhw7WJ0viCU2UVW1yzuQKxHgbbili1J\nq7dJJ5d2fRMbuk1M/CVllfCev+LA4FWgZbDz6a8ZTV7HnnbEpyVMe8OWR1Fc6xddOaloLn\nx0K+5Pc9yyRPU9hefWjnER+1p/t5vnb7BiGei+hDu4Ul2hJcMNhyD7bXlajeczTDSDFGtg\n7cTY37M4eEhdeQiteGSbEXx6eIoSzzrO3R2jz8PdXk46Kxv6p2MKyIXxNN8IVrE3QNwqtv\n/J7a/4pImDD+fdAW/DUvZ/73o2aBWWpPC6icV34gYYCldZPjs26bFE8OZy8vsjJcI9QC9u\nDulHZJTAeBjXinhy+HehmSPxxFAVvtkPxVw4ZXl0sF1rdS6O60m0o76JHE6RCrV5fYcg+w\n0bOEs0I9DG1EpbCYiaPouMRuMnCWiEk3xLtvBl6YeLzIbcnf/iEAA0CesoNsuvYmGkUCOU\nTfKR2nlM/69LV6g6qZkkis/mSErP51Ib2cr6am2J3f2IsVK1Kx/roFAlG3NRsaUgKJsJ95\nTClobXBgpBX5MKgAU/m+8AAAADAQABAAACACzqMWzpnLGNp1zX8e/AYK2noGmz9Jn47kav\niv/0uBLyXZWEtqFgtoxgzEC6I2Sb/MdTl4+GRTBXoaPZ6lqBElR1wE5Z6SzJmgC4mFbNy1\nUyGF1UVrKxelohslVLwuM48iPsUlb+BVHzNyeWU6KQu+eAUxisN3sF9q2T5LoMcJ0gj/r7\ntXPKG0UBwWkS77y205G4unpRUFBO3PW5Uo3QtbZO4GErJSO2Lz42jrgk9WySUR/kblEv6h\nlJRWR6/PzWcnDyfgFOz1pkI6h+V+rFro2Bcq/vXXlels7FUSHWRok+sZJd+e27V/gFs1XF\n66PRD7O46N7AkNJ1yNU1b2oXJValE3jvn/qdMgb8PRnuFx7R8m6VRKoBBD5T2SJFxvBATS\
n+l10t6ggSMkjtMacmwKqutulajX9MmO0t4CTtabqttSiuxqIuhP13bmuJZEU842XHTfmjq\niW6Fz/CrPl/lHNbTiIG0Vdnc9ZHglceRavQUnIx8+zY2CLw1kUd6dpA+G5M6zDe3HsKgPR\nYfjkeSDZPYXH6sl1mD/wKrXlJSzb9oZyHacLyQskFWVA5yeCM3WFZoxGMB+YkilGG7NgxM\nzBvLRkZ1pv3cmKFQh54OiUnZsu/cHF91zEnRQ5ypFrOKIWFDQ1E0OVB0EXt5ZkOrzQskOI\nphzv+xyDIGsWJZcGoBAAABAQD4NT/B7k5ep6WOzyKoCmt7TJUHQhdTCbDFrZJzicTIC4Ot\nrwOXIBJSqp9oKgPt+Zm2/1LMto/ukpyMRTqNrlIWWmDe5Q5G+woQCiz57I08StP9aAbvmz\nTo5CcSwXZTw84Ht9iphDtfML6KoPh4kID8itT48htDie5k7QHgoBdO/a8L6augV9ekSiCg\nJg0Eq/5sfcPbiFEiUAtVQnduV/2MvzeRvmGhvpK1yjgK5e/Qox7Z5L5zNZ8aDItOR5ESVh\nGnLPqClaMcvSAUSsEhqrvHXvrcxiZZwK0THK/YBXaYpTlCC8CGkC155v+peZHyv2yKHVPE\n2ic3rYGObEVcSMjMAAABAQD/EWFNEsP7p7gLgTLOLhUGvV2X3Fl2L6BW7bVRjZqjbgo/lb\nCg6PUg5PxsS5LH6lRLWrQBUP1Dy7Q+yZCExKTD68ssE9XWp3gjKhHzTLt6vByS4UHRUqP9\n60VbQs9ynYKbbPEmi8JHURxblK8fXkKitc5eOkDUj6VnMD0EQSmYX+Gqla2puqV1eqNFKp\nqpAafjg3ylxTiyRDZcyeEp8DY3/2tXEEAI2l2C4+FapfQTeAWSAqo0TkkR8ITEjSDhnWP1\n9G7d/zw0vv7MIvENp9FFcy87FSIiwuCOM/2Mw52mDYZ+W8e2/aEmKGSOGqvsORdbebtZEr\nT0/By9jUhmMdMPAAABAQDUW+tX++FKQjuQhaCB5HoNFG/w0ZhS8cARIiCKAKlnJwpk7Gxw\n9yjJycw3C5XlfM3Q+VwWzY7VJnLVWjLRXxDbT4wpaOfODAsu4d50jyjgvSboEJ7/xS8C6f\nugAlhTxMDIo46Ul6a2MXHxyKoNZ1uF6koxsOzIuCD3UfZWNqyzUyQ26omVcQxyY19adJMD\nKsmpOljA3NwgX+/yi7fm1yhOCnNRJ08UuQ0cA9ZJjGG2WSHq1YtL7HNUKhKg+44sVCOlBO\nr8VG8APpzxDklqXv3PsHQYkVMSbzEAgVeYTsf+Hob0zI/ia0GGr2s3FNnUV3I73dwE0Riv\n2BuMjpGpmikhAAAAK21vaGFtbWVkLmFheWFjaGlATGVuZGljby1NQUMtTW9oYW1tZWQubG\n9jYWwBAgMEBQYH\n-----END OPENSSH PRIVATE KEY-----\n"

        }
    },
    "Users": [
        {
            "Username": "demo",
            "PublicKeys": [
                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEUDeHc2qpNEqy64RoJzDezbt6oEnPUOpCVjCpW9jxd test@test",
                "ssh-rsa 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 test@test"
            ]
        }
    ]
}

Am I missing anything here?

@antoinedeschenes
Collaborator

@tibarix feature was added in 2.0.12

@antoinedeschenes
Collaborator

antoinedeschenes commented Jun 26, 2020

@winromulus aren't we already running as root?

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         129  0.1  0.0   3992  3280 pts/0    Ss   11:14   0:00 bash
root         225  0.0  0.0   7644  2740 pts/0    R+   11:16   0:00  \_ ps auxwfw
root           1  0.1  0.0   2288   692 ?        Ss   11:14   0:00 tini -- dotnet ES.SFTP.Host.dll
root           6  0.8  0.3 22904220 97444 ?      SLl  11:14   0:01 dotnet ES.SFTP.Host.dll
root         127  0.0  0.0  15856  6552 ?        S    11:14   0:00  \_ /usr/sbin/sshd -D -e
root         220  0.3  0.0  17104  8048 ?        Ss   11:16   0:00      \_ sshd: demo [priv]
sshd         221  0.0  0.0  15856  4768 ?        S    11:16   0:00          \_ sshd: demo [net]
root         222  0.0  0.0  17104  3216 ?        S    11:16   0:00          \_ sshd: demo [pam]

The problem seems to be the auth process (PID 221 in this example) not having access to the users' home folder

@winromulus
Contributor

@antoinedeschenes I apologise. I did a lot of work that weekend and was under the impression that I modified this project to run as non-root (was thinking of the Reflector project).
I'm currently doing some tests on the permissions.

@winromulus
Contributor

@antoinedeschenes @josefschabasser - Fixed the issue by setting home directory permissions to 711.
I do not want to set them to 755 unless there's very good reasons to.
I've tested this and it works with public keys now.
Give it a spin if you can and if the problem persists, reopen the issue please.
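The failure discussed in this thread, as an added example (this is not code from the emberstack/sftp project or from any of the commenters): a Python model of the two things sshd needs from ~/.ssh/authorized_keys, run over a filesystem table constructed from the `ls -lisah` output above. First, sshd opens the file after temporarily switching to the user's uid and groups (temporarily_use_uid in the OpenSSH source), so every directory above it must be traversable by that user even though the file itself is read by the privileged monitor. Second, with StrictModes on, the file and every directory up to and including the home must be owned by root or the user and must not be group- or world-writable (the safe_path check). The v3 listing passes the second check and fails the first, which is why 0711 on a root-owned home is enough. The numeric uid 1001 for myuser, its group list, and the modes of / and /home are assumptions; the issue does not show them. `real_stat` is included so the same checks can be run against a live container.

```python
import os
import stat
from dataclasses import dataclass, replace
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Entry:
    """The three stat() fields the checks depend on."""
    mode: int  # full st_mode, file-type bits included
    uid: int
    gid: int


StatFn = Callable[[str], Entry]

MYUSER_UID = 1001      # assumption: the issue never shows myuser's numeric uid
MYUSER_GIDS = (1001,)  # assumption: primary group only, no supplementary groups
D, F = stat.S_IFDIR, stat.S_IFREG

# Constructed from the `ls -lisah` output in the issue (v3 container, before the fix).
# Modes of "/" and "/home" parent are assumed; "/home" itself is from the listing.
V3_TREE: Dict[str, Entry] = {
    "/": Entry(D | 0o755, 0, 0),
    "/home": Entry(D | 0o755, 0, 0),              # drwxr-xr-x root root
    "/home/myuser": Entry(D | 0o700, 0, 0),       # drwx------ root root  <- the problem
    "/home/myuser/.ssh": Entry(D | 0o755, 0, 0),  # drwxr-xr-x root root
    "/home/myuser/.ssh/authorized_keys": Entry(F | 0o400, MYUSER_UID, 0),  # -r-------- myuser root
}


def tree_stat(tree: Dict[str, Entry]) -> StatFn:
    """stat() over the in-memory table above."""
    return lambda path: tree[os.path.normpath(path)]


def real_stat(path: str) -> Entry:
    """stat() over the real filesystem, for use inside a running container."""
    s = os.stat(path)
    return Entry(s.st_mode, s.st_uid, s.st_gid)


def ancestors(path: str) -> List[str]:
    """Directories above path, nearest first, ending with '/'."""
    out, cur = [], os.path.dirname(path)
    while True:
        out.append(cur)
        if cur == "/":
            return out
        cur = os.path.dirname(cur)


def perm_bits(e: Entry, uid: int, gids: Iterable[int]) -> int:
    """Classic DAC: owner bits if owner, else group bits if member, else other bits."""
    if e.uid == uid:
        return (e.mode >> 6) & 7
    if e.gid in gids:
        return (e.mode >> 3) & 7
    return e.mode & 7


def reachability_problems(path: str, uid: int, gids: Iterable[int], st: StatFn) -> List[str]:
    """Why open(path) would fail with EACCES for uid. sshd reads authorized_keys
    with the user's uid/gids (temporarily_use_uid), not as root, and ChrootDirectory
    is only applied after authentication, so the real path is what matters here."""
    for d in reversed(ancestors(path)):          # walk from '/' downwards
        if not perm_bits(st(d), uid, gids) & 1:  # x bit is needed to traverse a directory
            e = st(d)
            return [f"{d}: uid {uid} cannot traverse, mode {oct(stat.S_IMODE(e.mode))} owner uid {e.uid}"]
    if not perm_bits(st(path), uid, gids) & 4:
        return [f"{path}: uid {uid} cannot read"]
    return []


def strict_modes_problems(path: str, home: str, uid: int, st: StatFn) -> List[str]:
    """Mirror of the StrictModes check (safe_path in OpenSSH): the file and every
    directory up to and including home must be owned by root or the user and
    must not be group- or world-writable."""
    problems = []
    f = st(path)
    if not stat.S_ISREG(f.mode):
        problems.append(f"{path}: not a regular file")
    if f.uid not in (0, uid) or f.mode & 0o022:
        problems.append(f"{path}: bad ownership or modes")
    for d in ancestors(path):
        e = st(d)
        if e.uid not in (0, uid) or e.mode & 0o022:
            problems.append(f"{d}: bad ownership or modes for directory")
        if os.path.normpath(d) == os.path.normpath(home):
            break  # safe_path stops once it has checked the home directory itself
    return problems


def check_authorized_keys(home: str, uid: int, gids: Iterable[int], st: StatFn,
                          rel: str = ".ssh/authorized_keys") -> Dict[str, List[str]]:
    path = os.path.join(home, rel)
    return {
        "unreachable": reachability_problems(path, uid, gids, st),
        "strict_modes": strict_modes_problems(path, home, uid, st),
    }


def with_mode(tree: Dict[str, Entry], path: str, perm: int) -> Dict[str, Entry]:
    """Copy of tree with the permission bits of one entry replaced (type bits kept)."""
    e = tree[path]
    return {**tree, path: replace(e, mode=stat.S_IFMT(e.mode) | perm)}


if __name__ == "__main__":
    home711 = with_mode(V3_TREE, "/home/myuser", 0o711)
    cases = {
        "v3 as shipped (home 0700 root:root)": V3_TREE,
        "home 0711 root:root": home711,
        "home 0755 root:root": with_mode(V3_TREE, "/home/myuser", 0o755),
        "home 0711 but .ssh 0777": with_mode(home711, "/home/myuser/.ssh", 0o777),
    }
    for name, tree in cases.items():
        print(name, check_authorized_keys("/home/myuser", MYUSER_UID, MYUSER_GIDS, tree_stat(tree)))
```

Inside a container, `check_authorized_keys(os.path.expanduser("~"), os.getuid(), os.getgroups(), real_stat)` runs the same two checks against the real tree as the current user. The other route mentioned in the thread, keeping keys out of the home entirely, avoids the traversal problem by construction: sshd_config's `AuthorizedKeysFile` accepts `%u` (and `%h`) tokens, so a root-owned directory such as `/etc/ssh/authorized_keys/%u` can be read regardless of how the chrooted home is locked down, and StrictModes still applies its ownership and write-bit checks to that path.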

4 participants