Closed raolivei closed 4 years ago
Hi, Does your sftp session fail to connect? Are you specifying the password authentication preference in your sftp client? Do the apigateway logs show the json body which is returned?
On Mon, 25 Nov 2019, 19:14 rafael, notifications@github.com wrote:
After applying the module as-it-is, (just replacing bucket name, dynamodb name) and created a few users in dynamoDB, I see this info in Cloudwatch after trying to SSH to the sftp server using the newly created user:
Unable to authenticate user - No public keys found
Can this be ignored or it is actually looking for the keys and not finding it? I checked API gateway and lambda logs, they seem to be called properly.
More information below (I am replacing sensitive information with X).
From DynamoDB:
Username = test
HomeDirectoryDetails = [{"Entry": "/", "Target": "/scx-sftp2/${Transfer:UserName}"}]
Password = ac0df36b52!
Role = arn:aws:iam::$$$$$$$$:role/transfer-user-iam-role
From /etc/ssh/sshd_config:
...
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
KbdInteractiveAuthentication yes
LoginGraceTime 300
PermitRootLogin yes
StrictModes yes
PermitEmptyPasswords no
X11Forwarding no
UsePAM yes
...
From shell:
$ telnet XXX.sftp.company.com 22
Trying 3.xxx.201.187...
Connected to prod-sftp-lb-xxxxxxxxxxxxxx.elb.us-east-1.amazonaws.com.
Escape character is '^]'.
SSH-2.0-AWS_SFTP_1.0
$ ssh test@XXX.sftp.company.com
test@test@XXX.sftp.company.com's password: <given>
Connection to XXX.sftp.company.com closed by remote host.
Connection to XXX.sftp.company.com closed.
From Cloudwatch:
20:34:04 START RequestId: 5d964a54-b5ba-4f3c-b995-635229603380 Version: $LATEST
20:34:04 Username: test, ServerId: s-fbfebXXXXX264b8e8
20:34:04 Unable to authenticate user - No public keys found
20:34:04 END RequestId: 5d964a54-b5ba-4f3c-b995-635229603380
20:34:04 REPORT RequestId: 5d964a54-b5ba-4f3c-b995-635229603380 Duration: 276.93 ms Billed Duration: 300 ms Memory Size: 128 MB Max Memory Used: 79 MB
20:34:10 START RequestId: 4fdc76fc-97f4-486d-b6da-e3da94935fce Version: $LATEST
20:34:10 Username: test, ServerId: s-fbfebXXXXXX264b8e8
20:34:10 HomeDirectoryDetails found - Applying setting for virtual folders
20:34:10 Completed Response Data: {"Role": "arn:aws:iam::XXXXXXXXX:role/transfer-user-iam-role", "HomeDirectoryDetails": "[{\"Entry\": \"/\", \"Target\": \"/scx-sftp2/${Transfer:UserName}\"}]", "HomeDirectoryType": "LOGICAL"}
20:34:10 END RequestId: 4fdc76fc-97f4-486d-b6da-e3da94935fce
20:34:10 REPORT RequestId: 4fdc76fc-97f4-486d-b6da-e3da94935fce Duration: 229.74 ms Billed Duration: 300 ms Memory Size: 128 MB Max Memory Used: 79 MB
I believe that's definitely an SSH configuration issue on my end.
I ran SSH with the -vvv option (extreme verbose) and this is what I get after entering the password:
https://gist.github.com/raolivei/e4143d9f4d70dcfd0ce5fb30beef5841
I am able to "Test" access to the SFTP by hitting "Test" button on SFTP page and passing username/password. I am able to see the dynamodb payload. If I enter an invalid password, no payload is returned so I assume credentials are working as desired.
As a resolution to this issue, would you be able to share how your sshd_config file is set up and on which OS platform (Linux, Mac) you were able to connect successfully?
Hi, I use just a standard mac terminal to connect:
sftp -o PreferredAuthentications=password dare@s-aXXXXXXXX.server.transfer.eu-west-2.amazonaws.com
Have you checked the logs for the API Gateway Stage? They should look like this. Issues I had when first setting up the service showed up here. Are logs being created in CloudWatch Logs under the prefix /aws/transfer?
I just launched the stack from scratch to test and it worked first time using the sftp command above.
There is also a "Test" option hidden away in the AWS Transfer Console which is worth trying...
I am closing this ticket as it was a misunderstanding on my end.
Obviously AWS wouldn't let us SSH to the SFTP server. I should be using the sftp command as you described.
@devopsgoat this is not related to the issue but I'd like to ask: I am wondering if you had to re-write the python script for Lambda to use DynamoDB instead of Secrets Manager... if so, do you have the python code for secrets manager yet? I'd be more interested in using secrets manager than dynamoDB because the Password is plain text in the table.
Hi, Sorry I should have spotted that you were using the ssh command! :0)
I originally didn't use the Secrets Manager due to the costs but I did plan to plug in other authentication methods. I can have a look at Secrets Manager soon.
I have updated the code to enable use of AWS Secrets. These updates are in the "secrets" branch currently as I haven't had time to do the pull into master. I have updated the examples folder with usage for Secrets.
Have pulled into master now
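The two Lambda invocations in the CloudWatch output above (one returning nothing with "No public keys found", one returning Role and HomeDirectoryDetails) are the shape of a custom identity provider for AWS Transfer; the example below assumes they are a public-key attempt followed by a password attempt. This is an added example, not the module's own code: a minimal handler that takes both branches and stores a PBKDF2 hash instead of the plaintext Password attribute discussed in the thread. The event field names (username, password, serverId), the in-memory user table, the salt, the example password and the account id in the role ARN are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the DynamoDB table in the thread. It holds a
# PBKDF2 hash rather than the plaintext Password attribute (assumption:
# a hashed column is a drop-in change for the module's lookup).
_SALT = b"constructed-salt"  # constructed; use a per-user random salt in practice


def hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


USERS = {
    "test": {
        "PasswordHash": hash_password("constructed-example-pw"),  # constructed
        "Role": "arn:aws:iam::000000000000:role/transfer-user-iam-role",  # placeholder account
        "HomeDirectoryDetails": [{"Entry": "/", "Target": "/scx-sftp2/${Transfer:UserName}"}],
        "PublicKeys": [],  # no key registered, as in the thread
    }
}


def verify_password(password: str, stored_hash: str) -> bool:
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(hash_password(password), stored_hash)


def handler(event, context=None):
    """Custom identity provider entry point (example). Assumed event fields
    from the API Gateway mapping: username, serverId and, only on a password
    attempt, password."""
    username = event.get("username", "")
    password = event.get("password")
    user = USERS.get(username)
    print(f"Username: {username}, ServerId: {event.get('serverId')}")
    if user is None:
        return {}  # empty body: Transfer treats it as an authentication failure
    base = {
        "Role": user["Role"],
        "HomeDirectoryType": "LOGICAL",
        # Transfer expects this as a JSON string; ${Transfer:UserName} is
        # substituted by the service, not by the handler.
        "HomeDirectoryDetails": json.dumps(user["HomeDirectoryDetails"]),
    }
    if password is None:
        # Public-key attempt: return the registered keys for Transfer to check.
        if not user["PublicKeys"]:
            print("Unable to authenticate user - No public keys found")
            return {}
        return {**base, "PublicKeys": user["PublicKeys"]}
    if not verify_password(password, user["PasswordHash"]):
        return {}
    return base
```

The empty response on the first call is the expected outcome when no key is registered; the client then falls back to the password attempt, which is the call that returns the role and home directory.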