#1411 closed enhancement (fixed)

sftp server does not accept pubkey auth

Reported by: gdt Owned by: daira
Priority: major Milestone: 1.10.1
Component: code-frontend-ftp-sftp Version: 1.8.2
Keywords: sftp usability fuse Cc: vladimir@…
Launchpad Bug:

Description (last modified by zooko)

The docs suggest that one can put a public key in the ftp accounts file, but the same docs file says this is not yet implemented. Having to configure and enter a password makes it harder to do a full fuse mount automatically.

This is related to #1353.

Attachments (1)

sftp-auth-key-1411.patch (3.8 KB) - added by pyhedgehog at 2012-12-09T23:48:09Z.


Change History (25)

comment:1 Changed at 2011-05-25T22:45:18Z by gdt

  • Description modified (diff)

comment:2 Changed at 2011-08-24T00:13:18Z by davidsarah

  • Milestone changed from undecided to 1.10.0
  • Owner set to davidsarah
  • Status changed from new to assigned

<tarcieri>: is the sftp server gonna support pubkey auth any time soon?

<warner>: tarcieri: patches welcome :)

<warner>: to be honest, I forget how large or small a project that one is

<davidsarah>: I suspect that twisted conch does support client pubkey auth, we're just not exposing that

<warner>: yeah, I vaguely remember it being in there, just a bit hard to reach

<davidsarah>: so, convince us this is a really useful thing to add (shouldn't be hard since we hate passwords)

comment:3 Changed at 2011-08-24T00:21:24Z by warner

Looks like the easy half is done: frontends/auth.py parses the pubkey lines from the account file and stashes them in the right place.

The hard half will involve code from twisted/conch/checkers.py, probably from SSHPublicKeyDatabase._cbRequestAvatarId, specifically this bit:

pubKey = keys.Key.fromString(credentials.blob)
if pubKey.verify(credentials.signature, credentials.sigData):
    return credentials.username

plus some code to make sure we're using the right key for the requested username.

comment:4 Changed at 2011-08-24T00:36:32Z by davidsarah

  • Keywords easy added

Yes, it does look easy. There's a full example at http://www.devshed.com/c/a/Python/SSH-with-Twisted/2/. (I don't know why that example has the server knowing the client's private key. It doesn't need it; that's the whole point of public key auth! I think you can just omit the sshFactory.privateKeys = ... line.)

comment:5 Changed at 2011-10-25T14:07:10Z by vrusinov

  • Cc vladimir@… added

comment:6 Changed at 2012-04-01T03:51:07Z by davidsarah

  • Milestone changed from 1.11.0 to 1.10.0

comment:7 Changed at 2012-10-23T17:54:12Z by davidsarah

  • Milestone changed from 1.10.0 to 1.11.0

Changed at 2012-12-09T23:48:09Z by pyhedgehog

comment:8 Changed at 2012-12-09T23:51:59Z by pyhedgehog

sftp-auth-key-1411.patch contains a diff for src/allmydata/frontends/auth.py and enables setting up several keys, each with its own rootcap.

comment:9 Changed at 2012-12-10T03:32:15Z by davidsarah

  • Keywords review-needed added

comment:10 follow-up: Changed at 2012-12-10T03:33:39Z by davidsarah

  • Keywords test-needed added

comment:11 in reply to: ↑ 10 Changed at 2013-06-06T21:12:05Z by zooko

  • Description modified (diff)
  • Keywords easy review-needed removed

Needs test before further review.

comment:12 Changed at 2014-05-12T18:43:50Z by descention

I am trying to test this and it's not working for me. I have my private/accounts file with the following

<username> ssh-rsa <public key> <uri>

and have setup the .ssh/config on my client to be

Host tahoe
  HostName localhost
  User <username>
  Port 8022
  IdentityFile ~/.ssh/tahoe.key
  PasswordAuthentication no

Every time I use "ssh tahoe" I get a login failure. Without the "PasswordAuthentication no" I'll be asked to enter a password. Is there something else that I need to configure first?

Last edited at 2014-05-12T18:56:39Z by descention

comment:13 Changed at 2014-05-12T20:36:58Z by descention

Found the issue. Line 61 in auth.py needs to be "credentials.username" not just "username". This is now working on my machine.

allmydata-tahoe: 1.10.0.post91.dev0 [master: 488cfb939f1f06ffbdf0f3cb78f76398aad08fea-dirty]
foolscap: 0.6.4
pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958
zfec: 1.4.5
Twisted: 12.0.0
Nevow: 0.10.0
zope.interface: unknown
python: 2.7.3
platform: Linux-debian_7.5-x86_64-64bit
pyOpenSSL: 0.13
simplejson: 2.5.2
pycrypto: 2.6
pyasn1: unknown
mock: 0.8.0
setuptools: 0.6c16dev4
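Added example (not code from this ticket, the attached patch, or Tahoe-LAFS) showing the pieces discussed in comment:3 and comment:13 together: parsing "<username> ssh-rsa <public key> <rootcap>" lines from the accounts file (several keys per user, each with its own rootcap, as the patch allows), then a checker in the shape of Conch's SSHPublicKeyDatabase that looks up the username the client actually claimed (credentials.username), refuses a key that is not registered for that user, handles the unsigned "is this key acceptable?" query, and only then checks the signature. The credentials namedtuple, the exception classes, the sample accounts text and toy_verify are all constructed for the example; toy_verify is a placeholder for the real keys.Key.fromString(blob).verify(signature, sigData) call from comment:3 and is not a signature check.

```python
import base64
import hashlib
from collections import namedtuple

# Constructed sample accounts file in the format this ticket describes.
# One line per key, so alice has two keys mapped to two different rootcaps.
# bob's line is a password entry, which this checker leaves to the password path.
SAMPLE_ACCOUNTS = """\
# comment lines and blank lines are skipped
alice ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQ== URI:DIR2:alicecap1
alice ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQg== URI:DIR2:alicecap2
carol ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQw== URI:DIR2:carolcap
bob   s3cret                                   URI:DIR2:bobcap
"""

KeyEntry = namedtuple("KeyEntry", "blob rootcap")
# Assumption: a namedtuple with the attributes of Twisted's ISSHPrivateKey
# credentials stands in for the real credentials object.
SSHKeyCreds = namedtuple("SSHKeyCreds", "username algName blob sigData signature")


class UnauthorizedLogin(Exception):
    """Stand-in for twisted.cred.error.UnauthorizedLogin."""


class ValidPublicKey(Exception):
    """Stand-in for twisted.conch.error.ValidPublicKey: key accepted, now sign."""


def parse_pubkey_accounts(text):
    """Map username -> [KeyEntry, ...] from the ssh-rsa lines of an accounts file."""
    accounts = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:  # "<user> <password> <rootcap>": not handled here
            continue
        if len(fields) != 4 or fields[1] != "ssh-rsa":
            raise ValueError("accounts line %d: expected '<user> ssh-rsa <key> <rootcap>'" % lineno)
        user, _, b64, rootcap = fields
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            raise ValueError("accounts line %d: key is not valid base64" % lineno)
        accounts.setdefault(user, []).append(KeyEntry(blob, rootcap))
    return accounts


def toy_verify(blob, signature, sig_data):
    """Placeholder for keys.Key.fromString(blob).verify(signature, sig_data).
    Constructed so the example runs offline; NOT a real signature check, since
    anyone holding the public blob could produce it. Use the Conch call in real code."""
    return signature == hashlib.sha256(blob + sig_data).digest()


class PubkeyChecker(object):
    """Credentials checker in the shape of Conch's SSHPublicKeyDatabase."""

    def __init__(self, accounts, verify=toy_verify):
        self.accounts = accounts
        self.verify = verify

    def requestAvatarId(self, creds):
        # Look up the username the client claimed. comment:13 of this ticket
        # found the patch referencing a bare 'username' instead of credentials.username.
        entries = self.accounts.get(creds.username)
        if not entries:
            raise UnauthorizedLogin("no such user")
        # Bind the offered key to that user: a key registered for a different
        # account is refused even though its signature would verify.
        matching = [e for e in entries if e.blob == creds.blob]
        if not matching:
            raise UnauthorizedLogin("key not registered for this user")
        entry = matching[0]
        # SSH publickey auth arrives twice: first an unsigned query asking whether
        # the key is acceptable, then the signed attempt over sigData.
        if creds.signature is None:
            raise ValidPublicKey()
        if not self.verify(entry.blob, creds.signature, creds.sigData):
            raise UnauthorizedLogin("bad signature")
        return entry.rootcap  # avatar id: the rootcap belonging to this key


def attempt(checker, creds):
    """Run one authentication attempt and describe the outcome as a string."""
    try:
        return "granted " + checker.requestAvatarId(creds)
    except ValidPublicKey:
        return "key accepted, signature required"
    except UnauthorizedLogin as e:
        return "denied: %s" % e


def run_demo():
    accounts = parse_pubkey_accounts(SAMPLE_ACCOUNTS)
    checker = PubkeyChecker(accounts)
    key1, key2 = accounts["alice"][0].blob, accounts["alice"][1].blob
    sig_data = b"constructed session-id||userauth-request bytes"
    sig1 = hashlib.sha256(key1 + sig_data).digest()
    sig2 = hashlib.sha256(key2 + sig_data).digest()
    cases = {
        "query": SSHKeyCreds("alice", "ssh-rsa", key2, sig_data, None),
        "alice-key1": SSHKeyCreds("alice", "ssh-rsa", key1, sig_data, sig1),
        "alice-key2": SSHKeyCreds("alice", "ssh-rsa", key2, sig_data, sig2),
        "no-such-user": SSHKeyCreds("bob", "ssh-rsa", key2, sig_data, sig2),
        "key-of-other-user": SSHKeyCreds("carol", "ssh-rsa", key2, sig_data, sig2),
        "bad-sig": SSHKeyCreds("alice", "ssh-rsa", key2, sig_data, b"\xff" * 32),
    }
    return {name: attempt(checker, c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, outcome in sorted(run_demo().items()):
        print("%-18s %s" % (name, outcome))
```

The order of the checks is the point: the username lookup and the key-to-user binding happen before any signature is examined, so a valid signature from a key registered to someone else never reaches the verify step, and each key yields only its own rootcap.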

comment:14 Changed at 2014-05-12T20:54:53Z by daira

  • Owner changed from davidsarah to daira
  • Status changed from assigned to new

comment:15 Changed at 2014-05-12T20:55:12Z by daira

  • Status changed from new to assigned

comment:16 Changed at 2014-05-12T20:55:37Z by daira

  • Milestone changed from soon to 1.12.0

comment:17 Changed at 2014-12-02T19:45:30Z by warner

  • Component changed from code-frontend to code-frontend-ftp-sftp

comment:19 Changed at 2015-01-06T15:36:41Z by daira

  • Keywords review-needed added; test-needed removed

Will review at Nuts and Bolts today.

comment:21 Changed at 2015-01-06T18:28:00Z by daira

  • Milestone changed from 1.12.0 to 1.11.0
  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in 5 patches ending with [6c756ba3e9f32804802ce1a0c0835db5483f3ad2/trunk].

comment:22 Changed at 2015-01-06T18:28:14Z by daira

  • Keywords review-needed removed

comment:24 Changed at 2015-01-07T00:32:54Z by daira

Filed #2359 to add integration tests.
