sftp server does not accept pubkey auth #1411

New Issue

tahoe-lafs · 2011-05-25T22:44:15Z

gdt commented

2011-05-25 22:44:15 +00:00

The docs suggest that one can put a public key in the ftp accounts file, but the same docs file says this is not yet implemented. Having to configure and enter a password makes it harder to do a full fuse mount automatically.

This is related to #1353.

The docs suggest that one can put a public key in the ftp accounts file, but the same docs file says this is not yet implemented. Having to configure and enter a password makes it harder to do a full fuse mount automatically. This is related to #1353.

tahoe-lafs added the

labels 2011-05-25 22:44:15 +00:00

tahoe-lafs added this to the undecided milestone 2011-05-25 22:44:15 +00:00

davidsarah commented

2011-08-24 00:13:18 +00:00

: is the sftp server gonna support pubkey auth any time soon?

: tarcieri: patches welcome :)

: to be honest, I forget how large or small a project that one is

: I suspect that twisted conch does support client pubkey auth, we're just not exposing that

: yeah, I vaguely remember it being in there, just a bit hard to reach

: so, convince us this is a really useful thing to add (shouldn't be hard since we hate passwords)

<tarcieri>: is the sftp server gonna support pubkey auth any time soon? <warner>: tarcieri: patches welcome :) <warner>: to be honest, I forget how large or small a project that one is <davidsarah>: I suspect that twisted conch does support client pubkey auth, we're just not exposing that <warner>: yeah, I vaguely remember it being in there, just a bit hard to reach <davidsarah>: so, convince us this is a really useful thing to add (shouldn't be hard since we hate passwords)

tahoe-lafs modified the milestone from undecided to 1.10.0

2011-08-24 00:13:18 +00:00

warner commented

2011-08-24 00:21:24 +00:00

Looks like the easy half is done: frontends/auth.py parses the pubkey lines from the account file and stashes them in the right place.

The hard half will involve code from twisted/conch/checkers.py, probably from SSHPublicKeyDatabase._cbRequestAvatarId, specifically this bit:

pubKey = keys.Key.fromString(credentials.blob)
if pubKey.verify(credentials.signature, credentials.sigData):
    return credentials.username

plus some code to make sure we're using the right key for the requested username.

Looks like the easy half is done: `frontends/auth.py` parses the pubkey lines from the account file and stashes them in the right place. The hard half will involve code from `twisted/conch/checkers.py`, probably from `SSHPublicKeyDatabase._cbRequestAvatarId`, specifically this bit: ``` pubKey = keys.Key.fromString(credentials.blob) if pubKey.verify(credentials.signature, credentials.sigData): return credentials.username ``` plus some code to make sure we're using the right key for the requested username.

davidsarah commented

2011-08-24 00:36:32 +00:00

Yes, it does look easy. There's a full example at http://www.devshed.com/c/a/Python/SSH-with-Twisted/2/. (I don't know why that example has the server knowing the client's private key. It doesn't need it; that's the whole point of public key auth! I think you can just omit the sshFactory.privateKeys = ... line.)

Yes, it does look easy. There's a full example at <http://www.devshed.com/c/a/Python/SSH-with-Twisted/2/>. (I don't know why that example has the server knowing the client's private key. It doesn't need it; that's the whole point of public key auth! I think you can just omit the `sshFactory.privateKeys = ...` line.)

tahoe-lafs modified the milestone from 1.11.0 to 1.10.0

2012-04-01 03:51:07 +00:00

tahoe-lafs modified the milestone from 1.10.0 to 1.11.0

2012-10-23 17:54:12 +00:00

pyhedgehog commented

2012-12-09 23:48:09 +00:00

Attachment sftp-auth-key-1411.patch (3859 bytes) added

**Attachment** sftp-auth-key-1411.patch (3859 bytes) added

sftp-auth-key-1411.patch

3.8 KiB

pyhedgehog commented

2012-12-09 23:51:59 +00:00

sftp-auth-key-1411.patch contains diff for src/allmydata/frontends/auth.py and enables to setup several keys each with it's own rootcap.

zooko commented

2013-06-06 21:12:05 +00:00

Needs test before further review.

descention commented

2014-05-12 18:43:50 +00:00

I am trying to test this and it's not working for me. I have my private/accounts file with the following

<username> ssh-rsa <public key> <uri>

and have setup the .ssh/config on my client to be

Host tahoe
  HostName localhost
  User <username>
  Port 8022
  IdentityFile ~/.ssh/tahoe.key
  PasswordAuthentication no

Every time I use "ssh tahoe" I get a login failure. Without the "PasswordAuthentication no" I'll be asked to enter a password. Is there something else that I need to configure first?

I am trying to test this and it's not working for me. I have my private/accounts file with the following ``` <username> ssh-rsa <public key> <uri> ``` and have setup the .ssh/config on my client to be ``` Host tahoe HostName localhost User <username> Port 8022 IdentityFile ~/.ssh/tahoe.key PasswordAuthentication no ``` Every time I use "ssh tahoe" I get a login failure. Without the "PasswordAuthentication no" I'll be asked to enter a password. Is there something else that I need to configure first?

descention commented

2014-05-12 20:36:58 +00:00

Found the issue. Line 61 in auth.py needs to be "credentials.username" not just "username". This is now working on my machine.

allmydata-tahoe: 1.10.0.post91.dev0 [master: 488cfb939f1f06ffbdf0f3cb78f76398aad08fea-dirty]
foolscap: 0.6.4
pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958
zfec: 1.4.5
Twisted: 12.0.0
Nevow: 0.10.0
zope.interface: unknown
python: 2.7.3
platform: Linux-debian_7.5-x86_64-64bit
pyOpenSSL: 0.13
simplejson: 2.5.2
pycrypto: 2.6
pyasn1: unknown
mock: 0.8.0
setuptools: 0.6c16dev4

Found the issue. Line 61 in auth.py needs to be "credentials.username" not just "username". This is now working on my machine. ``` allmydata-tahoe: 1.10.0.post91.dev0 [master: 488cfb939f1f06ffbdf0f3cb78f76398aad08fea-dirty] foolscap: 0.6.4 pycryptopp: 0.6.0.1206569328141510525648634803928199668821045408958 zfec: 1.4.5 Twisted: 12.0.0 Nevow: 0.10.0 zope.interface: unknown python: 2.7.3 platform: Linux-debian_7.5-x86_64-64bit pyOpenSSL: 0.13 simplejson: 2.5.2 pycrypto: 2.6 pyasn1: unknown mock: 0.8.0 setuptools: 0.6c16dev4 ```

tahoe-lafs modified the milestone from soon to 1.12.0

2014-05-12 20:55:37 +00:00

warner added

code-frontend-ftp-sftp

and removed

code-frontend

labels 2014-12-02 19:45:30 +00:00

zooko commented

2015-01-04 15:19:29 +00:00

exarkun posted a pull request: https://github.com/tahoe-lafs/tahoe-lafs/pull/134

exarkun posted a pull request: <https://github.com/tahoe-lafs/tahoe-lafs/pull/134>

daira commented