Castaglia / proftpd-mod_sftp_ldap

ProFTPD module which retrieves SSH user/host keys from LDAP

Comments in public keys #4

Closed hovisjovis closed 7 years ago

hovisjovis commented 7 years ago

Hi,

We're seeing issues when adding a public key to LDAP with a comment in it, like the examples shown here: https://tools.ietf.org/html/rfc4716#section-3.6. When we take the comment out, it accepts the key.

Are comments in the public key in ldap supported by this module?

Thanks,

Joe

Castaglia commented 7 years ago

How long are your comment lines? And which version of the module are you using? Many key-handling improvements were done as part of addressing Issue #2.

mattjsmithson commented 7 years ago

Hi.

We're using the latest version from the repository.

We're attempting to use the public key below. The key authenticates without the comment tag but doesn't with it.

Cheers,

Matt

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by msmithson@imsdsv01"
AAAAB3NzaC1yc2EAAAABIwAAAQEAvLZgzZTPa+BG0eKc9J7siNWELYYi/vyBGRNPVoJ2Id
ilOWhiOg1eByHVpBXAP0Fc+jreZ8gQTAX3eBzHKgr+bdqJi/4IIabMPeIbGOfnghAp3TIO
DeNgq3/H5O6j2cwP/xeuS1e1oArTB3hdg3NE4/OV4aCOGoEg5jH6AI6QDJHYQ2+t6DBKau
xrdUUWzDzrAaYOzvQf7HwOwvlbOC0nRpWA6W2JY3y/gTPTJG+HW3cH+Oey3Pb++Wkya5xk
xkPgDHHEbzUUIGChZ7gqIRQrt1AVIsDMfttMEFTblIZPhPSpS679S++tca9olHP7fxbsZt
w42ijCjrf2R3WUckPQHQ==
---- END SSH2 PUBLIC KEY ----

Castaglia commented 7 years ago

Ah, I see the issue:

https://github.com/Castaglia/proftpd-mod_sftp_ldap/blob/master/keys.c#L396

I'll see if I can handle Comment lines better.

mattjsmithson commented 7 years ago

Hi,

We're seeing the same behavior if an x-tag is present. e.g. adding: "x-tag: privateTag" in the header section also breaks authentication. Don't know if it's related or something you are looking to implement.

Cheers,

Matt.

Castaglia commented 7 years ago

This PR should help with the Comment headers; I'm not sure it will handle the x-tag case just yet, though.

Castaglia commented 7 years ago

For the x-tag case, I think that I will need to update my PR such that it can identify the start of the base64-encoded SSH key data, specifically for the case where the entire SSH key is stored as a single line of text in the attribute for the LDAP object.

For RSA/DSA keys, the text prefix to look for is "AAAAB3Nza..."; for ECDSA keys, the text prefix to look for is "AAAAE2VjZ...".
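The parsing this thread converges on, as an added example written for this page rather than the module's own code (mod_sftp_ldap is C; the relevant routine is in keys.c). It handles the multi-line RFC 4716 layout with the two header cases raised above, a `Comment:` header and an `x-` tag, including the backslash line continuation RFC 4716 section 3.3 permits, and falls back to the single-line form by locating the key data through the base64 prefixes named in the comment above. Those prefixes are not arbitrary: every SSH key blob begins with a length-prefixed algorithm name, and base64 of `\x00\x00\x00\x07ssh-` is `AAAAB3Nza` while base64 of `\x00\x00\x00\x13ecd` is `AAAAE2VjZ`, which the code uses to read the algorithm back out and sanity-check the decode. The sample key is constructed in the block with dummy values and is not a real key; the function names are my own.

```python
"""Parse an RFC 4716 public key as it might be stored in an LDAP attribute.

Added example for this thread; not mod_sftp_ldap's code. Covers the multi-line
form with "Comment:" / "x-" headers (RFC 4716 3.3, with '\\' continuation) and
the flattened single-line form, where the key blob is found by its base64 prefix.
"""
import base64
import binascii
import re
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# A key blob opens with a length-prefixed algorithm name, so its base64 starts
# predictably: b"\x00\x00\x00\x07ssh-" -> "AAAAB3Nza" (ssh-rsa, ssh-dss) and
# b"\x00\x00\x00\x13ecd" -> "AAAAE2VjZ" (ecdsa-sha2-*), the prefixes named above.
KNOWN_PREFIXES = ("AAAAB3Nza", "AAAAE2VjZ")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+=*$")


def _decode_blob(b64):
    """Base64-decode the key data and read the algorithm name from the wire format."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len == 0 or name_len > 64 or 4 + name_len > len(blob):
        raise ValueError("implausible algorithm-name length in key blob")
    return blob[4:4 + name_len].decode("ascii"), blob


def _parse_single_line(line):
    """Flattened form: headers and base64 chunks are all space-separated on one
    line, so the only reliable anchor is the start of the key data itself.
    Header values cannot be separated from each other here, so none are returned."""
    starts = [line.find(p) for p in KNOWN_PREFIXES if p in line]
    if not starts:
        raise ValueError("no recognised key-blob prefix in single-line key")
    b64 = "".join(line[min(starts):].split())
    if not B64_CHARS.match(b64):
        raise ValueError("text after key data is not base64")
    return {}, b64


def parse_rfc4716(text):
    """Return {"headers": {tag: value}, "algorithm": str, "blob": bytes}."""
    text = text.strip()
    if not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    inner = text[len(BEGIN):-len(END)].strip()
    lines = [ln.strip() for ln in inner.splitlines()]
    if len(lines) == 1:
        headers, b64 = _parse_single_line(lines[0])
    else:
        headers, body, i = {}, [], 0
        while i < len(lines):
            ln = lines[i]
            i += 1
            # Base64 never contains ':', so a colon marks a header line. Tags are
            # case-insensitive; a trailing '\' continues the value on the next line.
            if ":" in ln and not body:
                tag, _, value = ln.partition(":")
                value = value.strip()
                while value.endswith("\\") and i < len(lines):
                    value = value[:-1] + lines[i]
                    i += 1
                headers[tag.strip().lower()] = value
            elif ln:
                body.append(ln)
        b64 = "".join(body)
    algorithm, blob = _decode_blob(b64)
    return {"headers": headers, "algorithm": algorithm, "blob": blob}


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample blob: correct ssh-rsa wire layout, dummy (non-cryptographic) values.
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00" + b"\xa5" * 64))
_b64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
_wrapped = [_b64[i:i + 70] for i in range(0, len(_b64), 70)]

# Multi-line key with a continued Comment header and an x- tag (constructed).
SAMPLE_MULTILINE = "\n".join([
    BEGIN,
    'Comment: "2048-bit RSA, constructed for \\',
    'this example"',
    "x-tag: privateTag",
    *_wrapped,
    END,
])
# The same key flattened into one line, as an LDAP attribute might hold it.
SAMPLE_SINGLE_LINE = " ".join(SAMPLE_MULTILINE.split("\n"))

if __name__ == "__main__":
    for sample in (SAMPLE_MULTILINE, SAMPLE_SINGLE_LINE):
        result = parse_rfc4716(sample)
        print(result["algorithm"], result["headers"], len(result["blob"]), "bytes")
```

The multi-line path recovers both headers and the key; the single-line path recovers only the key, which is all the authentication check needs. Reading the algorithm name back from the decoded blob is a cheap check that the header stripping did not swallow or split the key data, which is exactly the failure the thread describes when a `Comment:` or `x-` line was treated as part of the key.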

Castaglia commented 7 years ago

I've added tests verifying that the PR handles an x-tag header as well. Merged to master.