sshnet / SSH.NET

SSH.NET is a Secure Shell (SSH) library for .NET, optimized for parallelism.
http://sshnet.github.io/SSH.NET/
MIT License

Azure Container App - Mounted Private Key - Permission denied (publickey) #1479

Open matt-lethargic opened 2 weeks ago

matt-lethargic commented 2 weeks ago

Here's a very unique use case that's causing me an issue that I hope someone can help with.

I have a .NET 8 application built into a Docker image and running in an Azure Container App. For security reasons I've used Azure (Key Vault secret mapped to a container secret mounted as a file) to mount the private key into the container at /mnt/secrets/privatekey.

The container is running Linux and the security on the file is by default set to 0644; I cannot change this as it's controlled by Azure.

My application works fine locally when trying to connect to our SFTP service, but when deployed in the above configuration I get

Exception: Renci.SshNet.Common.SshAuthenticationException: Permission denied (publickey).

I've got console access to the running container and tried sftp -i /mnt/secret/privatekey username@hostname; this gives me the following error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'privatekey' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "privatekey": bad permissions

So I believe that this may be the problem, but I'd love to be told I'm wrong!

The code I have is:

using Renci.SshNet;

// _settings holds the SFTP host, port, username and the path of the mounted key (/mnt/secrets/privatekey)
using var client = new SftpClient(_settings.Host, _settings.Port, _settings.Username, new PrivateKeyFile(_settings.PrivateKeyPath));
client.Connect();
client.UploadFile(fileStream, fullPath);

Any and all thoughts and suggestions welcome.

Rob-Hague commented 2 weeks ago

I would not have thought it is related to the permissions of the key file on the client, otherwise you would get an IO error much earlier.

Are you sure that private key is allowed by the server for that user?

Are you able to sudo sftp to bypass the permissions warning and check it has access?
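As an added example (not from the thread or the SSH.NET project), a small POSIX shell diagnostic for the container console: it applies the same group/other permission check OpenSSH enforces on client key files, stages a 0600 copy in a private temp directory so the sftp CLI will accept the mounted key without sudo, and prints the public half with ssh-keygen (assumed to be installed) so it can be compared against the server's authorized_keys entry for the user.

```shell
#!/bin/sh
# Added diagnostic (not part of the issue): OpenSSH refuses a private key that
# is readable by group or others, while SSH.NET's PrivateKeyFile only needs to
# read the file. These helpers separate the two questions: "is the mode the
# CLI's problem?" and "is this key the one the server actually trusts?".

# Returns 0 if the key has no group/other permission bits (OpenSSH accepts it),
# 1 if it is "too open" (e.g. the 0644 Azure mounts), 2 if the file is missing.
key_perms_ok() {
    [ -f "$1" ] || return 2
    # columns 5-10 of `ls -l` are the group and other permission characters
    go_bits=$(ls -ld "$1" | cut -c5-10)
    [ "$go_bits" = "------" ]
}

# Copies the key into a fresh private temp dir with mode 0600 and prints the
# path of the copy. Runs in a subshell so the umask change does not leak.
stage_private_copy() (
    umask 077                      # new files/dirs created without g/o bits
    tmpdir=$(mktemp -d) || exit 1
    cp "$1" "$tmpdir/key" || exit 1
    chmod 600 "$tmpdir/key" || exit 1
    printf '%s\n' "$tmpdir/key"
)

# Derives the public key from the private one; compare this line with the
# user's authorized_keys entry on the SFTP server. Assumes ssh-keygen exists.
print_public_key() {
    ssh-keygen -y -f "$1"
}

# Example session (assumed paths): stage the mounted secret, then retry sftp.
# copy=$(stage_private_copy /mnt/secrets/privatekey)
# print_public_key "$copy"
# sftp -v -i "$copy" username@hostname
```

The -v flag makes sftp show which key it offers and whether the server declines it, which is the information the plain "Permission denied (publickey)" message hides.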

matt-lethargic commented 2 weeks ago

Since posting and stepping away from the computer I've thought of a couple of things to test this out to narrow down the problem. I'll update tomorrow.