Open olistubbs opened 1 year ago
Could you provide the output from proftpd -V? Also, which distro (and version) are you using? I'd like to see if I can reproduce this behavior locally.
Certainly,
It's running on a CentOS 7 Docker container, running on OEL 7. The RPM was also built on an OEL 7 box.
Sorry, full proftpd -V output below
While I work on reproducing this locally, a workaround might be to build mod_sftp_ldap as a static module, rather than as a shared module, to avoid the dynamic loader symbol resolution error.
Hmm. I'm not able to reproduce this behavior locally yet.
In looking at what might be different between my local setup, and yours, I noticed your LDIF uses:
sshPublicKey:: LS0tLSBCRUdJTiBTU0gyIFBVQkxJQyBLRVkgLS0tLQpBQUFBQjNOemFDMXljMkV
......
VBXZ2Jla0ZocXZoenc9PQotLS0tIEVORCBTU0gyIFBVQkxJQyBLRVkgLS0tLQ==
whereas mine uses:
sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@01beb187f976 from OpenSSH"
...
IO+z5VnBDG5lMOix0iksf/
---- END SSH2 PUBLIC KEY ----
It looks like your LDIF SSH public key is base64-encoded. If you're using the RFC 4716 format, it already is base64-encoded, and doesn't need any additional encoding. Also, I can't quite tell if your LDIF has the single space before each of your base64 lines, to indicate a multiline LDIF attribute. (And is your sshPublicKey:: provided, using that double-colon ::, a typo? My LDIF only uses single colons between key/value pairs.)
Could I also trouble you for the output of proftpd -vv? In particular, this should list the versions of the modules being used. I'm wondering if it's possible that the mod_sftp_ldap version being used isn't what I'm using locally.
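An added example (not from the issue, and not proftpd or mod_sftp_ldap code) covering the two points raised above: how an RFC 2849 `sshPublicKey::` attribute is unfolded and base64-decoded once, and how to tell a decoded RFC 4716 block (whose body is already base64) from a value that was base64-encoded a second time. The key material, the dn and all values are constructed.

```python
import base64
import struct
import textwrap

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

# Constructed sample key (not from the issue): SSH wire blob with a dummy 32-byte
# ed25519 key, framed per RFC 4716 with the body folded at 72 columns.
_WIRE = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
RFC4716_KEY = "\n".join([BEGIN, 'Comment: "constructed test key"']
                        + textwrap.wrap(base64.b64encode(_WIRE).decode(), 72) + [END])
# The mistake case: the whole block base64-encoded before it is placed in LDIF.
DOUBLE_ENCODED = base64.b64encode(RFC4716_KEY.encode()).decode()

def ldif_b64_attr(name, value):
    """Write an LDIF attribute in '::' form: value base64-encoded once and folded
    into continuation lines that each start with exactly one space (RFC 2849)."""
    enc = base64.b64encode(value.encode()).decode()
    return name + ":: " + "\n ".join(textwrap.wrap(enc, 76))

def parse_ldif(text):
    """Unfold continuation lines and decode '::' values; returns {attr: [values]}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation: drop the leading space, no newline
        elif line:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        is_b64 = value.startswith(":")        # "attr:: <base64>" per RFC 2849
        value = value[1:].strip() if is_b64 else value.strip()
        entry.setdefault(name, []).append(base64.b64decode(value).decode() if is_b64 else value)
    return entry

def classify_ssh_key(value):
    """('rfc4716', algorithm) for a well-formed RFC 4716 block; ('double-encoded', None)
    if the value is base64 that itself decodes to such a block; otherwise ('invalid', None)."""
    lines = value.strip().splitlines()
    try:
        if lines and lines[0] == BEGIN and lines[-1] == END:
            body = "".join(l for l in lines[1:-1] if ":" not in l)  # skip "Name: value" headers
            blob = base64.b64decode(body, validate=True)
            (alg_len,) = struct.unpack(">I", blob[:4])   # wire format starts with string alg
            return ("rfc4716", blob[4:4 + alg_len].decode())
        inner = base64.b64decode("".join(value.split()), validate=True).decode()
        return ("double-encoded", None) if inner.startswith(BEGIN) else ("invalid", None)
    except (ValueError, struct.error):
        return ("invalid", None)
```

Running `classify_ssh_key` over the value `parse_ldif` returns for `sshPublicKey` shows whether the stored key is one LDIF-level encoding away from a valid RFC 4716 block or has been encoded twice.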
Hi, sorry for the delay.
As far as the double colon, AFAIK in LDAP that denotes a base64-encoded entry.
We have proftpd working with ssh keys on another system, however mod_sftp_ldap was patched in after install using pcre and this was built in as an RPM. And the keys are base64 encoded on the working version.
I will however see if I can change the ldap schema on the dev server to not automatically encode those entries.
Cheers!
Hi there,
I've built a proftpd RPM (working in itself) with mod_sftp_ldap (and mod_proxy_protocol but not loaded in this instance) support, but when I try to auth with a user that has the ldapPublicKey objectClass set and the sshPublicKey in multiline RFC4716 format, I get the error in the title.
ldap entry

```
dn: cn=${USER},dc=example,dc=com
accountId: ${USER}
uid: ${USER}
cn: ${USER}
sn: ${USER}
objectClass: posixAccount
objectClass: ldapPublicKey
userPassword:: ...
sshPublicKey:: LS0tLSBCRUdJTiBTU0gyIFBVQkxJQyBLRVkgLS0tLQpBQUFBQjNOemFDMXljMkV ...... VBXZ2Jla0ZocXZoenc9PQotLS0tIEVORCBTU0gyIFBVQkxJQyBLRVkgLS0tLQ==
```

Full log entry

```
2023-05-24 15:51:27,705 233b53bbde79 proftpd[238] 0.0.0.0 (${SERVER}[${IP}]): mod_ldap/2.9.5: LDAPGroups not configured, skipping LDAP-based group memberships
2023-05-24 15:51:27,715 233b53bbde79 proftpd[238] 0.0.0.0 (${SERVER}[${IP]}): mod_delay/0.7: no DelayOnEvent rules configured with "DelayTable none" in effect, disabling module
2023-05-24 15:51:27,716 233b53bbde79 proftpd[238] 0.0.0.0 (${SERVER}[${IP}]): SSH2 session opened.
proftpd: (authenticating) - (connecting): IDLE: symbol lookup error: /usr/libexec/proftpd/mod_sftp_ldap.so: undefined symbol: sftp_ldap_keys_parse_rfc4716
```

Full proftpd.conf (sanitised)

```
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes, reload proftpd after modifications, if
# it runs in daemon mode. It is not required in inetd/xinetd mode.
#

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off
# If set on you can experience a longer connection delay in many cases.
```

Output of `proftpd -nd10`

```
2023-05-24 16:26:03,942 233b53bbde79 proftpd[280]: using TCP receive buffer size of 87380 bytes
2023-05-24 16:26:03,942 233b53bbde79 proftpd[280]: using TCP send buffer size of 16384 bytes
2023-05-24 16:26:03,943 233b53bbde79 proftpd[280]: testing Unix domain socket using S_ISFIFO
2023-05-24 16:26:03,943 233b53bbde79 proftpd[280]: testing Unix domain socket using S_ISSOCK
2023-05-24 16:26:03,943 233b53bbde79 proftpd[280]: using S_ISSOCK macro for Unix domain socket detection
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: using 'ANSI_X3.4-1968' as local charset for UTF-8 conversion
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]: disabling runtime support for IPv6 connections
2023-05-24 16:26:03,944 233b53bbde79 proftpd[280]:
```

The proftpd.conf is fairly generic, apart from the `<IfModule mod_sftp.c>` section, which works when using just passwords; after adding `ldap:` to `SFTPAuthorizedUserKeys` it no longer works. The `mod_sftp` section is currently in use on an older version of proftpd elsewhere in our estate along with `mod_sftp_ldap`, however that was loaded after proftpd installation using pcre, so we know the config is sound.

(Apologies if anything is formatted incorrectly or I've missed any information, just let me know and I'll adjust or provide - cheers!)
Any ideas?
Cheers, Oliver