fail to auth with public_keys when using sftp client after adding a user with rest v2 API

[ochinchina]

When I try to add a new user with curl, the sftpgo returns status code 201 to indicate the user is created successfully.

curl http://127.0.0.1:8080/api/v2/users -d@add-user.json -H "Content-Type: application/json" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey
JhdWQiOlsiQVBJIl0sImV4cCI6MTY0NTAwMDUzNSwianRpIjoiYzg2YjU5dGE5djhtdXVzcXNwamciLCJuYmYiOjE2NDQ5OTkzMDUsInBlcm1pc3Npb25zIjpbIioiXSwic3ViIjoiNFNTKzBUUVY1
WXlNMGNCNTF4RDRpT25pRDA0VDUyeGc4b1NXYlJoMW1Nbz0iLCJ1c2VybmFtZSI6ImFkbWluIn0.01s6JMT8u4C8RDCMRzSVPKcEfu8CjFaM5E-sh6jeBOM" -v
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /api/v2/users HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Type: json
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQVBJIl0sImV4cCI6MTY0NTAwMDUzNSwianRpIjoiYzg2YjU5dGE5djhtdXVzcXNwamciLCJuYmYiOjE2NDQ5OTkzMDUsInBlcm1pc3Npb25zIjpbIioiXSwic3ViIjoiNFNTKzBUUVY1WXlNMGNCNTF4RDRpT25pRDA0VDUyeGc4b1NXYlJoMW1Nbz0iLCJ1c2VybmFtZSI6ImFkbWluIn0.01s6JMT8u4C8RDCMRzSVPKcEfu8CjFaM5E-sh6jeBOM
> Content-Length: 1049
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Type: application/json; charset=utf-8
< Date: Wed, 16 Feb 2022 08:17:51 GMT
< Content-Length: 1094
<
{"id":2,"status":1,"username":"test","email":"test@example.com","expiration_date":0,"public_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmGUScLfcdTxr1SS1uGQsJIg23slVgrNZgeaQEKnrGOt9hC1ZQsScgD4HYdHfHyazDb/ltiVI8KawM6CIT5MbW4cNwuHnLZEuV/MncExDLbABijBn45z68sdCgB/6SgeA/bVkk4BJekiUaGwDBxhr6CP0CeZ4pvjzcgNvKHLlg274P+SxLT25/mz7RIveLcO+zciP4mZ+KFoku6Ref+ROdzknUIJE5o8KHZa35OvCXSn4csH/IMT4kqmP662k2DlIUdKPu3M18Nw515aBKaqJIGq/dsrb/UMJtegLxz3G/JQDI8jMLcBxvJooZk5QylqQbzNw8kG2PJEUYeQX1IsHJHy/IvJBnT4JSKhgERx9XdB8uHeCmY2Vh4loe615GSvxI2etmE3kKKIqOHUzdMbFwyg0cAF2HbTkPMNNuMi5b8mQVpvfIpWQKLasD6oxBZ05njclPbaEbcrPsTT9CNRTwTiYbydRPy+7WQ+H8mxTsK1wXzZv/dFT9dpf5ULunQVE= root@0bcc98baf9b9"],"home_dir":"/tmp/test-sftp","uid":0,"gid":0,"max_sessions":0,"quota_size":0,"quota_files":0,"permissions":{"/":["*"]},"created_at":1644999471432,"updated_at":1644999471432,"filters":{"hooks":{"external_auth_disabled":false,"pre_login_disabled":false,"check_password_disabled":false},"totp_config":{"secret":{}}},"filesystem":{"provider":0,"s3config":{},"gcsconfig":{},"azblobconfig":{},"cryptconfig":{},"sftpconfig":{}}}
* Connection #0 to host 127.0.0.1 left intact

the content of add-user.json is:

{
    "id": 0,
    "status": 1,
    "username": "test",
    "email": "test@example.com",
    "expiration_date": 0,
    "home_dir": "/tmp/test-sftp",
    "uid": 0,
    "gid": 0,
    "quota_size": 0,
    "max_sessions": 0,
    "quota_files": 0,
    "upload_bandwidth": 0,
    "download_bandwidth": 0,
    "additional_info": "",
    "permissions": {
        "/": [
            "*"
        ]
    },
    "filesystem": {
        "provider": 0
    },
    "password": "123",
    "public_keys": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmGUScLfcdTxr1SS1uGQsJIg23slVgrNZgeaQEKnrGOt9hC1ZQsScgD4HYdHfHyazDb/ltiVI8KawM6CIT5MbW4cNwuHnLZEuV/MncExDLbABijBn45z68sdCgB/6SgeA/bVkk4BJekiUaGwDBxhr6CP0CeZ4pvjzcgNvKHLlg274P+SxLT25/mz7RIveLcO+zciP4mZ+KFoku6Ref+ROdzknUIJE5o8KHZa35OvCXSn4csH/IMT4kqmP662k2DlIUdKPu3M18Nw515aBKaqJIGq/dsrb/UMJtegLxz3G/JQDI8jMLcBxvJooZk5QylqQbzNw8kG2PJEUYeQX1IsHJHy/IvJBnT4JSKhgERx9XdB8uHeCmY2Vh4loe615GSvxI2etmE3kKKIqOHUzdMbFwyg0cAF2HbTkPMNNuMi5b8mQVpvfIpWQKLasD6oxBZ05njclPbaEbcrPsTT9CNRTwTiYbydRPy+7WQ+H8mxTsK1wXzZv/dFT9dpf5ULunQVE= root@0bcc98baf9b9"
    ]
}

I can login to the sftp server with user/password(test/123).But when I try to use private key to login to the sftp server, it prompts me to input the password.

Can you help me to find what's wrong with above json body?

Thanks in advance!

[drakkan]

Hi,

your request looks correct, can you please post the command you use client side for public key authenticatication? Are you sure you are sending the matching private key?

[ochinchina]

Please let me list the detailed steps, the test is based on drakkan/sftpgo:v2.2.2-alpine docker image

start the server

init provider

# sftpgo initprovider

set environment variable

change the "create_default_admin" field in create_default_admin to true

set both SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD environment variable

export SFTPGO_DEFAULT_ADMIN_USERNAME=admin
export SFTPGO_DEFAULT_ADMIN_PASSWORD=admin

start the sftpgo

sftpgo serve -v

create user with rest API

install packages

Before creating user, I installed necessary packages.

get Bearer TOKEN

get the TOKEN and export the TOKEN to environment variable TOKEN:

curl http://localhost:8080/api/v2/token -u admin:admin -s
export TOKEN=<token from curl result>

create private key and public key for sftp server

ssh-keygen -f /tmp/test_key

create add-user.json file with following content:

{
    "id": 0,
    "status": 1,
    "username": "test",
    "email": "test@example.com",
    "expiration_date": 0,
    "home_dir": "/tmp/test-sftp",
    "uid": 0,
    "gid": 0,
    "quota_size": 0,
    "max_sessions": 0,
    "quota_files": 0,
    "upload_bandwidth": 0,
    "download_bandwidth": 0,
    "additional_info": "",
    "permissions": {
        "/": [
            "*"
        ]
    },
    "filesystem": {
        "provider": 0
    },
    "password": "123",
    "public_keys": [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBP2XkFWl0gh9z8/UFJTiAz3Zg6ybluP6DJo/YIIhKGurgldUpQneUJoVEHbEeQW7JXQtTw8zIlIVlHVJyUSYn4lWqZYHnTLzwSGvsxqnfchuAVd2em40IhchkSiPbsfjJB4eYMs3wpZ2Op93f+AeTGmoMSgym8lcah0jX3eR9hWQwSPVhGK31AHVzhZ9cTEqnOStqOtCeNqIEKqd54h5JNgoZekuNXxyk2C33eaj+XCDvzYINQKwbw5eqkPH2IVSPt8bXMvNB4FL5dmfFe0l3DQyw/angtzVNZ4AptbVjOvAgg3zek34gsZJivqDnJ7pXWr4g2qu7YQ2O0H7T4AKyKIDyXWzvp0FTL2H9NubuEu/cOPWdG3H7iFVbOB+/Sy1LABo5Vgn4Pze0DZGY3DROso0o+yPVyXNirdsdfz3HrjXTP31jHCXn5sVDmp8dedc9OaIGGcZVSP7tk0UVGnw1rF2goRqROlA/8APJNnzO/lh+iQNPOTTmwgj7UE9N+Jk= root@2f4e0e68d9a6"
    ]
}

the public_keys is from /tmp/test_key.pub

send rest API command to sftpgo with curl

curl http://127.0.0.1:8080/api/v2/users -d@add-user.json -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -v
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST /api/v2/users HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiQVBJIl0sImV4cCI6MTY0NTUyNDA0MSwianRpIjoiYzhhYXY2ZGE5djhzZ2U2bnM0dGciLCJuYmYiOjE2NDU1MjI4MTEsInBlcm1pc3Npb25zIjpbIioiXSwic3ViIjoiYmU2aitGZkZWdnVNbFlvUU5IVTg0dFN1azBaODJ3RjBKV2Mvbjc4WnRrQT0iLCJ1c2VybmFtZSI6ImFkbWluIn0.CJ5KF_wrVmnSn_LPLd6rW1vdRP5Sl8wf22ZCygx3yo8
> Content-Length: 1049
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Content-Type: application/json; charset=utf-8
< Date: Tue, 22 Feb 2022 09:43:32 GMT
< Content-Length: 1094
<
{"id":1,"status":1,"username":"test","email":"test@example.com","expiration_date":0,"public_keys":["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDBP2XkFWl0gh9z8/UFJTiAz3Zg6ybluP6DJo/YIIhKGurgldUpQneUJoVEHbEeQW7JXQtTw8zIlIVlHVJyUSYn4lWqZYHnTLzwSGvsxqnfchuAVd2em40IhchkSiPbsfjJB4eYMs3wpZ2Op93f+AeTGmoMSgym8lcah0jX3eR9hWQwSPVhGK31AHVzhZ9cTEqnOStqOtCeNqIEKqd54h5JNgoZekuNXxyk2C33eaj+XCDvzYINQKwbw5eqkPH2IVSPt8bXMvNB4FL5dmfFe0l3DQyw/angtzVNZ4AptbVjOvAgg3zek34gsZJivqDnJ7pXWr4g2qu7YQ2O0H7T4AKyKIDyXWzvp0FTL2H9NubuEu/cOPWdG3H7iFVbOB+/Sy1LABo5Vgn4Pze0DZGY3DROso0o+yPVyXNirdsdfz3HrjXTP31jHCXn5sVDmp8dedc9OaIGGcZVSP7tk0UVGnw1rF2goRqROlA/8APJNnzO/lh+iQNPOTTmwgj7UE9N+Jk= root@2f4e0e68d9a6"],"home_dir":"/tmp/test-sftp","uid":0,"gid":0,"max_sessions":0,"quota_size":0,"quota_files":0,"permissions":{"/":["*"]},"created_at":1645523012171,"updated_at":1645523012171,"filters":{"hooks":{"external_auth_disabled":false,"pre_login_disabled":false,"check_password_disabled":false},"totp_config":{"secret":{}}},"filesystem":{"provider":0,"s3config":{},"gcsconfig":{},"azblobconfig":{},"cryptconfig":{},"sftpconfig":{}}}
* Connection #0 to host 127.0.0.1 left intact

connect sftp server with private key

sftp -P 2022 -i /tmp/test_key test@127.0.0.1
The authenticity of host '[127.0.0.1]:2022 ([127.0.0.1]:2022)' can't be established.
ED25519 key fingerprint is SHA256:R/yb/YZwkEbZ3DMnviCqVq3gZX4tcXaCkU8RCQo5ZTA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:2022' (ED25519) to the list of known hosts.
test@127.0.0.1's password:

it requires password even if private key is provided.

Can you check if there is any wrong for my steps?

[drakkan]

Hi,

please try:

sftp -P 2022 -i /tmp/test_key -o 'PubkeyAcceptedKeyTypes +ssh-rsa' test@127.0.0.1

it this works means that you have a recent sftp cli that try to use server-sig-algs extension (RFC8308). This extension is not yet supported.

You can also generate keys with a different algorithm, for example ssh-keygen -t ed25519 -f /tmp/test_key

[ochinchina]

@drakkan thanks for your quick and kindly support. I have tried your two methods, they work. Is there a plan to support server-sig-algs extension (RFC8308) in this excellent project?

[drakkan]

This support must be added upstream

golang/go#49269
golang/crypto#197

I hope this will be fixed after Go 1.18 release. If not I'll try the available patch and if it works as expected I'll use it for SFTPGo builds. I'm monitoring the upstream issues and I'll add this support as soon as possible

[drakkan]

This is now supported, please test the development version, thanks