Opened at 2011-05-25T22:44:15Z
Last modified at 2015-01-07T00:32:54Z
#1411 closed enhancement
sftp server does not accept pubkey auth — at Version 11
| Reported by: | gdt | Owned by: | davidsarah |
|---|---|---|---|
| Priority: | major | Milestone: | 1.10.1 |
| Component: | code-frontend-ftp-sftp | Version: | 1.8.2 |
| Keywords: | sftp usability fuse | Cc: | vladimir@… |
| Launchpad Bug: | | | |
Description (last modified by zooko)
The docs suggest that one can put a public key in the ftp accounts file, but the same docs file says this is not yet implemented. Having to configure and enter a password makes it harder to do a full fuse mount automatically.
This is related to #1353.
Change History (12)
comment:1 Changed at 2011-05-25T22:45:18Z by gdt
- Description modified (diff)
comment:2 Changed at 2011-08-24T00:13:18Z by davidsarah
- Milestone changed from undecided to 1.10.0
- Owner set to davidsarah
- Status changed from new to assigned
comment:3 Changed at 2011-08-24T00:21:24Z by warner
Looks like the easy half is done: frontends/auth.py parses the pubkey lines from the account file and stashes them in the right place.
The hard half will involve code from twisted/conch/checkers.py, probably from SSHPublicKeyDatabase._cbRequestAvatarId, specifically this bit:
```python
from twisted.conch.ssh import keys  # credentials is the ISSHPrivateKey the client presented

pubKey = keys.Key.fromString(credentials.blob)                 # client's public key, SSH wire format
if pubKey.verify(credentials.signature, credentials.sigData):  # signature over the userauth request data
    return credentials.username
```
plus some code to make sure we're using the right key for the requested username.
comment:4 Changed at 2011-08-24T00:36:32Z by davidsarah
- Keywords easy added
Yes, it does look easy. There's a full example at http://www.devshed.com/c/a/Python/SSH-with-Twisted/2/. (I don't know why that example has the server knowing the client's private key. It doesn't need it; that's the whole point of public key auth! I think you can just omit the sshFactory.privateKeys = ... line.)
comment:5 Changed at 2011-10-25T14:07:10Z by vrusinov
- Cc vladimir@… added
comment:6 Changed at 2012-04-01T03:51:07Z by davidsarah
- Milestone changed from 1.11.0 to 1.10.0
comment:7 Changed at 2012-10-23T17:54:12Z by davidsarah
- Milestone changed from 1.10.0 to 1.11.0
Changed at 2012-12-09T23:48:09Z by pyhedgehog
comment:8 Changed at 2012-12-09T23:51:59Z by pyhedgehog
sftp-auth-key-1411.patch contains a diff for src/allmydata/frontends/auth.py and makes it possible to set up several keys, each with its own rootcap.
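The checker that comment:3, comment:4 and comment:8 sketch, written out end to end as an added example: verify the client's signature with the key it offered, make sure that key is one listed for the requested username (not merely any key in the file), and let each key line carry its own rootcap. This is not Tahoe-LAFS or Twisted code and needs only the Python standard library. The accounts-file line format (`USERNAME ssh-rsa BASE64BLOB ROOTCAP`), the usernames, the rootcap strings and the session ids are assumed or constructed for the demo; the SSH wire encodings follow RFC 4253, the signed userauth data RFC 4252 section 7, and the `rsa-sha2-256` signature format RFC 8332. The RSA key generation and signing routines exist only so the example can play the client side; as davidsarah notes, the server never needs a private key.

```python
"""Added example (not Tahoe-LAFS or Twisted code): a public-key checker for an
SFTP front end, stdlib only.  Wire formats follow RFC 4253, the signed userauth
data RFC 4252 s7, and 'rsa-sha2-256' signatures RFC 8332.  Keygen and signing
are here only to play the client; the server never sees a private key."""
import base64, hashlib, hmac, secrets, struct

SSH_MSG_USERAUTH_REQUEST = 50
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

class UnauthorizedLogin(Exception):
    pass

# SSH wire helpers: uint32-length-prefixed strings and positive mpints.
def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):  # one spare byte so the sign bit is never set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf, off):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + length], off + 4 + length

def userauth_sig_data(session_id, username, algorithm, key_blob):
    """Bytes the client signs for 'publickey' userauth; binds session and user."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username.encode()) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01" + ssh_string(algorithm)
            + ssh_string(key_blob))

# RSA with EMSA-PKCS1-v1_5/SHA-256, enough to exercise the checker end to end.
def is_probable_prime(n, rounds=32):
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=1024):
    """Returns (ssh-rsa public key blob, (d, n)).  Client-side helper only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(p * q)
            return blob, (pow(e, -1, (p - 1) * (q - 1)), p * q)

def emsa_pkcs1_v15(data, em_len):
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rsa_sign(private_key, data):  # client side only
    d, n = private_key
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa_pkcs1_v15(data, k), "big"), d, n)
    return ssh_string(b"rsa-sha2-256") + ssh_string(s.to_bytes(k, "big"))

def rsa_verify(key_blob, signature, data):
    """True iff signature is a valid 'rsa-sha2-256' signature by key_blob over data."""
    try:
        kind, off = read_string(key_blob, 0)
        e_bytes, off = read_string(key_blob, off)
        n_bytes, _ = read_string(key_blob, off)
        algo, off = read_string(signature, 0)
        s_bytes, _ = read_string(signature, off)
    except (ValueError, struct.error):
        return False
    e, n, s = (int.from_bytes(b, "big") for b in (e_bytes, n_bytes, s_bytes))
    k = (n.bit_length() + 7) // 8
    if kind != b"ssh-rsa" or algo != b"rsa-sha2-256" or len(s_bytes) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(data, k))

class AccountFileChecker:
    """Lines assumed as 'USERNAME ssh-rsa BASE64 ROOTCAP' (format assumed here);
    a user may have several key lines, each with its own rootcap."""
    def __init__(self, text):
        self.keys = {}  # username -> [(key_blob, rootcap), ...]
        for line in text.splitlines():
            f = line.split()
            if len(f) == 4 and not f[0].startswith("#") and f[1] == "ssh-rsa":
                self.keys.setdefault(f[0], []).append((base64.b64decode(f[2]), f[3]))

    def request_avatar_id(self, session_id, username, algorithm, blob, signature):
        """Return the rootcap of the matching key, or raise UnauthorizedLogin."""
        # The offered key must be one configured for *this* username, not any known key.
        matches = [rc for kb, rc in self.keys.get(username, ()) if hmac.compare_digest(kb, blob)]
        if not matches:
            raise UnauthorizedLogin("key not authorized for %r" % username)
        # Recompute the signed data server-side; never trust a client-supplied copy.
        data = userauth_sig_data(session_id, username, algorithm, blob)
        if not rsa_verify(blob, signature, data):
            raise UnauthorizedLogin("bad signature for %r" % username)
        return matches[0]

def demo():
    """Constructed scenario; returns the outcome of each login attempt."""
    alice_pub, alice_priv = generate_rsa_keypair()
    mallory_pub, mallory_priv = generate_rsa_keypair()
    b64 = lambda b: base64.b64encode(b).decode()
    checker = AccountFileChecker("\n".join([
        "# constructed accounts file",
        "alice ssh-rsa %s URI:DIR2:alice-rootcap" % b64(alice_pub),
        "mallory ssh-rsa %s URI:DIR2:mallory-rootcap" % b64(mallory_pub)]))
    session, algo = secrets.token_bytes(32), b"rsa-sha2-256"
    cases = {  # claimed user, key offered, signer's private key, session the signer used
        "alice_ok": ("alice", alice_pub, alice_priv, session),
        "mallory_as_alice": ("alice", mallory_pub, mallory_priv, session),
        "alice_other_session": ("alice", alice_pub, alice_priv, secrets.token_bytes(32))}
    out = {}
    for name, (user, blob, priv, signed_session) in cases.items():
        sig = rsa_sign(priv, userauth_sig_data(signed_session, user, algo, blob))
        try:
            out[name] = checker.request_avatar_id(session, user, algo, blob, sig)
        except UnauthorizedLogin as e:
            out[name] = "rejected: %s" % e
    return out
```

Running `demo()` yields alice's rootcap for the honest login, "key not authorized" for mallory presenting her own (validly signed) key under alice's name, and "bad signature" for alice's key signed for a different session id. The order of the two checks matters: looking the key up by username first means an attacker who holds some listed key still cannot log in as a different user, and the signature check ties the key to the current session so a captured signature cannot be replayed.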
comment:9 Changed at 2012-12-10T03:32:15Z by davidsarah
- Keywords review-needed added
comment:10 follow-up: ↓ 11 Changed at 2012-12-10T03:33:39Z by davidsarah
- Keywords test-needed added
comment:11 in reply to: ↑ 10 Changed at 2013-06-06T21:12:05Z by zooko
- Description modified (diff)
- Keywords easy review-needed removed
Needs test before further review.

<tarcieri>: is the sftp server gonna support pubkey auth any time soon?
<warner>: tarcieri: patches welcome :)
<warner>: to be honest, I forget how large or small a project that one is
<davidsarah>: I suspect that twisted conch does support client pubkey auth, we're just not exposing that
<warner>: yeah, I vaguely remember it being in there, just a bit hard to reach
<davidsarah>: so, convince us this is a really useful thing to add (shouldn't be hard since we hate passwords)