#1411 closed enhancement (fixed)
sftp server does not accept pubkey auth
| Reported by: | gdt | Owned by: | daira |
|---|---|---|---|
| Priority: | major | Milestone: | 1.10.1 |
| Component: | code-frontend-ftp-sftp | Version: | 1.8.2 |
| Keywords: | sftp usability fuse | Cc: | vladimir@… |
| Launchpad Bug: | | | |
Description (last modified by zooko)
The docs suggest that one can put a public key in the ftp accounts file, but the same docs file says this is not yet implemented. Having to configure and enter a password makes it harder to do a full fuse mount automatically.
This is related to #1353.
Attachments (1)
Change History (25)
comment:1 Changed at 2011-05-25T22:45:18Z by gdt
- Description modified (diff)
comment:2 Changed at 2011-08-24T00:13:18Z by davidsarah
- Milestone changed from undecided to 1.10.0
- Owner set to davidsarah
- Status changed from new to assigned
comment:3 Changed at 2011-08-24T00:21:24Z by warner
Looks like the easy half is done: frontends/auth.py parses the pubkey lines from the account file and stashes them in the right place.
The hard half will involve code from twisted/conch/checkers.py, probably from SSHPublicKeyDatabase._cbRequestAvatarId, specifically this bit:
```python
pubKey = keys.Key.fromString(credentials.blob)
if pubKey.verify(credentials.signature, credentials.sigData):
    return credentials.username
```
plus some code to make sure we're using the right key for the requested username.
comment:4 Changed at 2011-08-24T00:36:32Z by davidsarah
- Keywords easy added
Yes, it does look easy. There's a full example at http://www.devshed.com/c/a/Python/SSH-with-Twisted/2/. (I don't know why that example has the server knowing the client's private key. It doesn't need it; that's the whole point of public key auth! I think you can just omit the sshFactory.privateKeys = ... line.)
comment:5 Changed at 2011-10-25T14:07:10Z by vrusinov
- Cc vladimir@… added
comment:6 Changed at 2012-04-01T03:51:07Z by davidsarah
- Milestone changed from 1.11.0 to 1.10.0
comment:7 Changed at 2012-10-23T17:54:12Z by davidsarah
- Milestone changed from 1.10.0 to 1.11.0
Changed at 2012-12-09T23:48:09Z by pyhedgehog
comment:8 Changed at 2012-12-09T23:51:59Z by pyhedgehog
sftp-auth-key-1411.patch contains a diff for src/allmydata/frontends/auth.py and enables setting up several keys, each with its own rootcap.
comment:9 Changed at 2012-12-10T03:32:15Z by davidsarah
- Keywords review-needed added
comment:10 follow-up: ↓ 11 Changed at 2012-12-10T03:33:39Z by davidsarah
- Keywords test-needed added
comment:11 in reply to: ↑ 10 Changed at 2013-06-06T21:12:05Z by zooko
- Description modified (diff)
- Keywords easy review-needed removed
Needs test before further review.
comment:12 Changed at 2014-05-12T18:43:50Z by descention
I am trying to test this and it's not working for me. I have my private/accounts file with the following:

```
<username> ssh-rsa <public key> <uri>
```

and have set up the .ssh/config on my client to be:

```
Host tahoe
    HostName localhost
    User <username>
    Port 8022
    IdentityFile ~/.ssh/tahoe.key
    PasswordAuthentication no
```

Every time I use "ssh tahoe" I get a login failure. Without the "PasswordAuthentication no" I'll be asked to enter a password. Is there something else that I need to configure first?
comment:13 Changed at 2014-05-12T20:36:58Z by descention
Found the issue. Line 61 in auth.py needs to be "credentials.username" not just "username". This is now working on my machine.
```
allmydata-tahoe: 1.10.0.post91.dev0 [master: 488cfb939f1f06ffbdf0f3cb78f76398aad08fea-dirty]
foolscap: 0.6.4
pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958
zfec: 1.4.5
Twisted: 12.0.0
Nevow: 0.10.0
zope.interface: unknown
python: 2.7.3
platform: Linux-debian_7.5-x86_64-64bit
pyOpenSSL: 0.13
simplejson: 2.5.2
pycrypto: 2.6
pyasn1: unknown
mock: 0.8.0
setuptools: 0.6c16dev4
```
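As an added example (not Tahoe-LAFS code and not the patch attached to this ticket), here is how the pieces discussed above fit together: the "right key for the requested username" lookup warner asks for in comment:3, several keys per user each with its own rootcap as in comment:8, the accounts-line layout from comment:12, and the lookup keyed on the requested username that comment:13 fixes. The 3-field password line form, the `URI:DIR2:...` rootcap strings used in testing, and the `verify` callback that stands in for a key library's signature check (Twisted's `keys.Key.verify` in the ticket) are assumptions.

```python
import base64
import hmac
import struct

def blob_keytype(blob: bytes) -> str:
    # Algorithm name = first SSH wire string (uint32 length + bytes) in the blob.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else None
    if n is None or len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")

def pubkey_line(user: str, blob: bytes, rootcap: str) -> str:
    # Format one pubkey accounts line (handy when adding a user).
    return "%s %s %s %s" % (user, blob_keytype(blob),
                            base64.b64encode(blob).decode("ascii"), rootcap)

def parse_accounts(text: str) -> dict:
    # {username: [(kind, secret, rootcap), ...]} where kind is "password" for
    # 3-field lines and "pubkey" for 4-field lines whose second field is ssh-*.
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            entry = ("password", fields[1].encode(), fields[2])
        elif len(fields) == 4 and fields[1].startswith("ssh-"):
            blob = base64.b64decode(fields[2], validate=True)
            if blob_keytype(blob) != fields[1]:
                raise ValueError("line %d: key type mismatch" % lineno)
            entry = ("pubkey", blob, fields[3])
        else:
            raise ValueError("line %d: unrecognised accounts line" % lineno)
        accounts.setdefault(fields[0], []).append(entry)
    return accounts

def rootcap_for_pubkey(accounts: dict, username: str, blob: bytes):
    # Keyed on the requested username (credentials.username), then exact blob match.
    for kind, stored, rootcap in accounts.get(username, []):
        if kind == "pubkey" and hmac.compare_digest(stored, blob):
            return rootcap
    return None

def authenticate_pubkey(accounts, username, blob, signature, sig_data, verify):
    # The key must belong to the user and the signature over sig_data must
    # check out; `verify` stands in for the caller's key library (assumed).
    rootcap = rootcap_for_pubkey(accounts, username, blob)
    if rootcap is None or not verify(blob, signature, sig_data):
        return None
    return rootcap
```

A key that belongs to a different user, or an unknown user, is rejected before any signature is checked, and a signature that fails `verify` is rejected even when the key is on file.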
comment:14 Changed at 2014-05-12T20:54:53Z by daira
- Owner changed from davidsarah to daira
- Status changed from assigned to new
comment:15 Changed at 2014-05-12T20:55:12Z by daira
- Status changed from new to assigned
comment:16 Changed at 2014-05-12T20:55:37Z by daira
- Milestone changed from soon to 1.12.0
comment:17 Changed at 2014-12-02T19:45:30Z by warner
- Component changed from code-frontend to code-frontend-ftp-sftp
comment:18 Changed at 2015-01-04T15:19:29Z by zooko
exarkun posted a pull request: https://github.com/tahoe-lafs/tahoe-lafs/pull/134
comment:19 Changed at 2015-01-06T15:36:41Z by daira
- Keywords review-needed added; test-needed removed
Will review at Nuts and Bolts today.
comment:20 Changed at 2015-01-06T17:55:17Z by daira
comment:21 Changed at 2015-01-06T18:28:00Z by daira
- Milestone changed from 1.12.0 to 1.11.0
- Resolution set to fixed
- Status changed from assigned to closed
Fixed in 5 patches ending with [6c756ba3e9f32804802ce1a0c0835db5483f3ad2/trunk].
comment:22 Changed at 2015-01-06T18:28:14Z by daira
- Keywords review-needed removed
comment:23 Changed at 2015-01-06T19:17:03Z by daira
Documentation added in [0d935e858964b646c4ccbca5b2a1c0be97addf34/trunk].
comment:24 Changed at 2015-01-07T00:32:54Z by daira
Filed #2359 to add integration tests.
<tarcieri>: is the sftp server gonna support pubkey auth any time soon?
<warner>: tarcieri: patches welcome :)
<warner>: to be honest, I forget how large or small a project that one is
<davidsarah>: I suspect that twisted conch does support client pubkey auth, we're just not exposing that
<warner>: yeah, I vaguely remember it being in there, just a bit hard to reach
<davidsarah>: so, convince us this is a really useful thing to add (shouldn't be hard since we hate passwords)