Topic: mod_sftp_ldap

cesarpball
mod_sftp_ldap
« on: July 29, 2016, 01:13:47 pm »
Hi,

I am having problems using this module for authentication with public keys stored in the LDAP. Basically, I couldn't make it work.

<IfModule mod_sftp.c>
  <VirtualHost 10.0.12.60>
    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log

    RequireValidShell off
    CreateHome on 550 dirmode 775 skel /etc/proftpd/skel/sftp
    SFTPOptions IgnoreSFTPSetPerms IgnoreSFTPSetTimes IgnoreSFTPUploadPerms IgnoreSCPUploadPerms

    # Listen on port 24 rather than the normal SSH2 port, port 22
    Port 24

    # Configure both the RSA and DSA host keys, using the same host key
    # files that OpenSSH uses.
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    #SFTPHostKey /etc/ssh/ssh_host_dsa_key

    # File-based store of authorized public keys (disabled; the LDAP store below is used instead).
    #SFTPAuthMethods publickey
    #SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u

    # Enable compression
    SFTPCompression delayed

    # Allow the same number of authentication attempts as OpenSSH.
    #
    # It is recommended that you explicitly configure MaxLoginAttempts
    # for your SSH2/SFTP instance to be higher than the normal
    # MaxLoginAttempts value for FTP, as there are more ways to authenticate
    # using SSH2.
    MaxLoginAttempts 6

    <IfModule mod_sftp_ldap.c>
      # Instead of using a file-based key store, we tell mod_sftp to use
      # the LDAP-based key store provided by mod_sftp_ldap
      SFTPAuthorizedUserKeys ldap:
    </IfModule>

    DefaultRoot ~

    <IfModule mod_ldap.c>
      LDAPServer        ldap://localhost:389/??sub
      LDAPBindDN        "cn=ldaproot,dc=Prod,dc=COM" "secret"
      LDAPAuthBinds     on
      LDAPQueryTimeout  15
      LDAPUsers         "ou=People,dc=DAS,dc=Prod,dc=COM" "(&(uid=%u)(accountStatus=active))"
    </IfModule>

    ExtendedLog /var/log/extended_xfer.log READ,WRITE logproc
  </VirtualHost>
</IfModule>


The user is stored in the LDAP:

# USERTEST
dn: cn=USERTEST,ou=People,dc=DAS,dc=Prod,dc=COM
uidNumber: 50000930
cn: USERTEST
description: USERTEST
objectClass: comData
objectClass: posixAccount
objectClass: ldapPublicKey
uid: USERTEST
gidNumber: 104
homeDirectory: /home/USERTEST
accountPassword: rlHGSrlIsd/BIDic/YuJHw==
accountStatus: active
accountId: USERTEST
userPassword:: e1NTSEF9ZWZKN2h2V05aSlA3eTM0ekh2L0FYdllHN29nV1N3elk=
sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- AAAAB3NzaC1yc2EAAAADAQABAAABAQCv
 ZyxbxEcRHig0LUYwsjIdGdkMOeyVG1Qpv/Y1wZvi7AorcR7jNOwxjewhmWXYPShz6lSLVkAgSobmu
 4o+6FfHxUV4uqOfAF96Wde5DP/3bzWg9Ns+CPjthN2Au+GMb1sCuZicmBR3fQ/HpuYJjiviMrzTsC
 51wuu6eZOKG92S9xgB/XcasQVkhPQydiNgLhUJX5Zw6Bh3wsx861crr5gLYENHa8jzG0Y1XWVOXTH
 KrjLeDW46V45XXw5Oo/EM8TjIfhF+IYF+pHzugCYbvPaRAnsIf1sb40Iwjcmo62gjewRxXoT7B1sQ
 YElj9QFladWCKhRwiU06BC8KRyHIaG9z---- END SSH2 PUBLIC KEY ----


And this is my log:

[USERTEST@imsdldap01 .ssh]$ sftp  -oPort=24  -v 10.0.12.60
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 10.0.12.60 [10.0.12.60] port 24.
debug1: Connection established.
debug1: identity file /home/USERTEST/.ssh/id_rsa type 1
debug1: identity file /home/USERTEST/.ssh/id_rsa-cert type -1
debug1: identity file /home/USERTEST/.ssh/id_dsa type -1
debug1: identity file /home/USERTEST/.ssh/id_dsa-cert type -1
debug1: identity file /home/USERTEST/.ssh/id_ecdsa type -1
debug1: identity file /home/USERTEST/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/USERTEST/.ssh/id_ed25519 type -1
debug1: identity file /home/USERTEST/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version mod_sftp/0.9.8
debug1: no match: mod_sftp/0.9.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: kex: diffie-hellman-group-exchange-sha256 need=16 dh_need=16
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA b2:bd:42:fa:25:84:25:73:66:12:26:f4:8d:20:a1:88
debug1: Host '[10.0.12.60]:24' is known and matches the RSA host key.
debug1: Found key in /home/USERTEST/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/USERTEST/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
Connection closed by 10.0.12.60
Couldn't read packet: Connection reset by peer


ProFTPD:
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: searched under base DN ou=People,dc=DAS,dc=Prod,dc=Prod using filter (&(uid=USERTEST)(accountStatus=active))
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr uid
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr uidNumber
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr gidNumber
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr homeDirectory
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr loginShell
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: no values for attribute loginShell, trying defaults...
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: user USERTEST, uid 50000930, gid 104, homedir /home/USERTEST, shell
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USERAUTH_REQUEST' to mod_log
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_tls
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_core
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_core
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_delay
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_auth
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: successfully unbound
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: not unbinding to an already unbound connection.
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching POST_CMD command 'USER USERTEST' to mod_delay
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USER USERTEST' to mod_log
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: not unbinding to an already unbound connection.
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: not unbinding to an already unbound connection.
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: generated filter ou=People,dc=DAS,dc=Prod,dc=Prod from template ou=People,dc=DAS,dc=Prod,dc=Prod and value USERTEST
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: generated filter (&(uid=USERTEST)(accountStatus=active)) from template (&(uid=%u)(accountStatus=active)) and value USERTEST
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: attempting connection to ldap://localhost:389/??sub
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: set protocol version to 3
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: connected to ldap://localhost:389/??sub
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: successfully bound as cn=ldaproot,dc=Prod,dc=Prod with password secret
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: set dereferencing to 0
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: set query timeout to 15s
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: searched under base DN ou=People,dc=DAS,dc=Prod,dc=Prod using filter (&(uid=USERTEST)(accountStatus=active))
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr uid
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr uidNumber
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr gidNumber
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr homeDirectory
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: fetching value(s) for attr loginShell
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: no values for attribute loginShell, trying defaults...
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): mod_ldap/2.9.0: user USERTEST, uid 50000930, gid 104, homedir /home/USERTEST, shell
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): ProFTPD terminating (signal 11)
localdldap01.dev.local.mgtcore.net proftpd[14021] 10.0.12.60 (10.0.12.60[10.0.12.60]): ProFTPD terminating (signal 11


Any ideas? If, instead of using the LDAP key store, I use the file, it works perfectly.
Thanks

castaglia
Re: mod_sftp_ldap
« Reply #1 on: July 29, 2016, 02:44:29 pm »
Which version of proftpd are you using?

cesarpball
Re: mod_sftp_ldap
« Reply #2 on: July 29, 2016, 03:18:23 pm »
These logs are from version 1.3.4a.

I've compiled 1.3.5b and I'm still getting errors.


Thanks

castaglia
Re: mod_sftp_ldap
« Reply #3 on: July 29, 2016, 04:24:18 pm »
Thanks.  In attempting to see if I could determine the issue by sight-reading the code, I made some changes in GitHub which _might_ help; see:

  master branch:
    https://github.com/proftpd/proftpd/commit/13539117c719dd2ea3cca7913c333160db53934f

  1.3.5 branch:
    https://github.com/proftpd/proftpd/commit/63dae97f8bc123f4ac325c425debb36d918e5d0c

In short, it looked like mod_ldap might be trying to use some pointers, when handling user SSH public keys, that had not been initialized to NULL properly -- and this could lead to segfaults.

I'm not convinced that these are _the_ root cause of the issue you're seeing, but if you could apply these changes, and see if it fixes (or changes) the behavior, that would be helpful.  Thanks!

cesarpball
Re: mod_sftp_ldap
« Reply #4 on: August 01, 2016, 10:11:40 am »
Hi castaglia,

Thanks for that. I don't get any signal 11 now, but I am trying to use the module and it looks like it is not querying the LDAP.
I am running the slapd in debug mode and I can't find anything in the logs about any filter or query...

The proftpd server is still asking for the password:


2016-08-01 10:08:35,385 imsdldap01.dev.ims.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): USER USERTEST (Login failed): authentication via 'ssh-rsa' public key failed

2016-08-01 10:08:35,385 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,385 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
2016-08-01 10:08:35,385 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,385 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
2016-08-01 10:08:35,386 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USERAUTH_REQUEST USERTEST publickey' to mod_log
2016-08-01 10:08:35,386 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_tls
2016-08-01 10:08:35,386 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_core
2016-08-01 10:08:35,386 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_core
2016-08-01 10:08:35,386 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_delay
2016-08-01 10:08:35,386 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_auth
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching POST_CMD command 'USER USERTEST' to mod_delay
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USER USERTEST' to mod_log
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USER USERTEST' to mod_delay
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,387 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
2016-08-01 10:08:35,433 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): retrieved UID 50000930 for user 'USERTEST'
2016-08-01 10:08:35,433 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,433 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
2016-08-01 10:08:35,433 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,433 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
2016-08-01 10:08:35,433 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USERAUTH_REQUEST USERTEST publickey' to mod_log
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_tls
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_core
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_core
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_delay
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'USER USERTEST' to mod_auth
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching POST_CMD command 'USER USERTEST' to mod_delay
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USER USERTEST' to mod_log
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USER USERTEST' to mod_delay
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_core
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,434 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
2016-08-01 10:08:35,463 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): retrieved UID 50000930 for user 'USERTEST'
2016-08-01 10:08:35,482 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): USER USERTEST (Login failed): authentication via 'ssh-dss' public key failed
2016-08-01 10:08:35,482 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,482 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
2016-08-01 10:08:35,482 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_delay
2016-08-01 10:08:35,482 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
2016-08-01 10:08:35,482 localdldap01.dev.local.mgtcore.net proftpd[7922] 10.0.12.60 (10.0.12.60[10.0.12.60]): dispatching LOG_CMD command 'USERAUTH_REQUEST USERTEST publickey' to mod_log

So I don't know if we are matching against the sshPublicKey attribute in the LDAP. If I change the LDAP method to use the file key, it looks to be working.

Thanks very much for your help

cesarpball
Re: mod_sftp_ldap
« Reply #5 on: August 01, 2016, 10:45:50 am »
Ok

I can see the queries now, but:


2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: LDAP search returned 2 keys
2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: error base64-decoding key data from LDAP directory
2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: error base64-decoding key data from database
2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: error obtaining SSH2 public key from LDAP data (key 1)
2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: error base64-decoding key data from LDAP directory
2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: error base64-decoding key data from database
2016-08-01 10:44:11,409 mod_sftp_ldap/0.1[8371]: error obtaining SSH2 public key from LDAP data (key 2)

I am still investigating

cesarpball
Re: mod_sftp_ldap
« Reply #6 on: August 01, 2016, 03:18:34 pm »
Didn't get this working. I don't know which part of the process is failing; I guess it is the public key stored in the LDAP, but I am not 100% sure.

castaglia
Re: mod_sftp_ldap
« Reply #7 on: August 01, 2016, 05:23:52 pm »
FYI, I've just pushed a major update to the mod_sftp_ldap code in GitHub, updating its key decoding/verifying routines to be more in line with mod_sftp_sql (which is known to work properly).  Thus you might try getting that latest mod_sftp_ldap code, and seeing if it helps/behaves better.

cesarpball
Re: mod_sftp_ldap
« Reply #8 on: August 02, 2016, 08:18:44 am »
Hi castaglia,

Thanks for all your help here. Unfortunately, this is still not working :-(


2016-08-02 08:18:23,919 mod_sftp_ldap/0.1[28227]: LDAP search returned 2 keys
2016-08-02 08:18:23,920 mod_sftp_ldap/0.1[28227]: error comparing client-sent key with LDAP data (row 1): Invalid argument
2016-08-02 08:18:23,920 mod_sftp_ldap/0.1[28227]: error base64-decoding key data from LDAP directory
2016-08-02 08:18:23,920 mod_sftp_ldap/0.1[28227]: error comparing client-sent key with LDAP data (row 2): Invalid argument
2016-08-02 08:18:23,920 mod_sftp_ldap/0.1[28227]: error base64-decoding key data from LDAP directory


castaglia
Re: mod_sftp_ldap
« Reply #9 on: August 02, 2016, 04:39:11 pm »
OK.  We're making progress, though. :)

It looks like your RFC 4716-formatted SSH key, stored in the LDAP profile, is stored as a single string, with newlines removed.  Is it possible to store it in the profile as a blob of data which contains those newlines?  I am wondering whether the lack of newline characters in the key data is currently confusing mod_sftp_ldap.  (I will be trying to make mod_sftp_ldap handle this case better; having confirmation from your end that key data containing newlines makes it work would confirm that that is indeed the issue.)

cesarpball
Re: mod_sftp_ldap
« Reply #10 on: August 03, 2016, 04:01:21 pm »
Hi thanks!

Let me check if I can modify the schema. At the moment, the attribute only accepts one line; otherwise I get a syntax error.

Cheers

cesarpball
Re: mod_sftp_ldap
« Reply #11 on: August 04, 2016, 03:54:47 pm »
Hi,

Basically, I can't. I can't modify the LDAP schema to accept multiple lines in this attribute, so my public key can only be on one line. I will try to work it out, but at the moment I am getting the same error.

Regards

castaglia
Re: mod_sftp_ldap
« Reply #12 on: August 04, 2016, 05:10:32 pm »
OK.  Thanks for trying that!

I'll work on making mod_sftp_ldap handle the format you're using.  There is one caveat that I'll need to document: any Comment (or other) headers in the RFC 4716 formatted key will need to be removed.  Parsing of an RFC 4716 key, as a single line of text, means that the parser wouldn't know when that header value ends, since the newline which would indicate the end-of-value would not be present.  Fortunately, that's not a loss of functionality.

Could you do me a favor, and file an issue for this in the mod_sftp_ldap GitHub project/repo?

  https://github.com/Castaglia/proftpd-mod_sftp_ldap

That way, you'll be notified when I get a pull request ready for this.  Thanks!
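
Added example (not part of this thread and not mod_sftp_ldap's own code) illustrating the two points made in Reply #9 and Reply #12: how an RFC 4716 key is parsed when its newlines survive, and why the single-line form that this directory schema forces cannot carry headers. The Python below parses both forms plus the OpenSSH one-line format, base64-decodes the key data, checks that the decoded blob begins with an SSH key-type string, and compares the stored key with a client key in constant time. The key material (SAMPLE_BLOB and friends), the function names and the toy@example comment are all constructed for this example; the blob is built from a few arbitrary bytes and is not a usable key.

```python
"""Diagnostic parser for SSH public keys as stored in an LDAP sshPublicKey
attribute. Added example for this thread; not mod_sftp_ldap code. Accepts
RFC 4716 keys in multi-line form and squashed onto one line (newlines removed),
plus OpenSSH one-line keys, and compares the decoded wire blobs. All sample
key material below is constructed and is not a real key.
"""
import base64
import binascii
import hmac
import struct

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def read_key_type(blob: bytes) -> str:
    """Return the key type held in the first SSH string of a wire blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or length > len(blob) - 4:
        raise ValueError("corrupt key-type length in blob")
    return blob[4:4 + length].decode("ascii")


def parse_rfc4716(text: str) -> bytes:
    """Parse an RFC 4716 public key and return its raw wire blob.

    With newlines present, header lines such as 'Comment: ...' are skipped,
    including backslash-continued header values. Without newlines the
    header/value boundary is gone, so any header makes the key unparseable.
    """
    text = text.strip()
    if not (text.startswith(BEGIN_MARKER) and text.endswith(END_MARKER)):
        raise ValueError("missing RFC 4716 begin/end markers")
    body = text[len(BEGIN_MARKER):-len(END_MARKER)].strip()

    if "\n" in body:
        b64_parts, continued = [], False
        for line in body.replace("\r", "").split("\n"):
            if continued:            # tail of a continued header value
                continued = line.endswith("\\")
            elif ":" in line:        # header line (base64 never contains ':')
                continued = line.endswith("\\")
            else:
                b64_parts.append(line.strip())
        b64 = "".join(b64_parts)
    else:
        if ":" in body:
            raise ValueError("single-line RFC 4716 key must not carry headers")
        b64 = body

    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decoding of key data failed: {exc}") from exc
    read_key_type(blob)  # raises if the decoded bytes are not an SSH key blob
    return blob


def parse_openssh(line: str) -> bytes:
    """Parse an OpenSSH authorized_keys-style line: '<type> <base64> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if read_key_type(blob) != parts[0]:
        raise ValueError("key type prefix does not match the blob")
    return blob


def check_stored_key(stored: str, client_key_line: str) -> dict:
    """Report whether the key held in LDAP parses and matches the client's key."""
    result = {"stored_ok": False, "match": False, "error": None}
    try:
        stored_blob = parse_rfc4716(stored)
        result["stored_ok"] = True
        result["key_type"] = read_key_type(stored_blob)
        # Constant-time comparison of the two wire blobs.
        result["match"] = hmac.compare_digest(stored_blob, parse_openssh(client_key_line))
    except ValueError as exc:
        result["error"] = str(exc)
    return result


# Constructed toy key: ssh-rsa, e = 65537, n = a few arbitrary bytes (not a real key).
SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
               + _ssh_string(b"\x00\xc3\x5a\x7f\x11"))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_OPENSSH = f"ssh-rsa {SAMPLE_B64} toy@example"
SAMPLE_RFC4716_MULTILINE = "\n".join([
    BEGIN_MARKER,
    'Comment: "toy key, \\',          # header value continued with a backslash
    'continued on the next line"',
    SAMPLE_B64[:32], SAMPLE_B64[32:],
    END_MARKER,
])
# The same key as this thread's directory stores it: one line, newlines removed.
SAMPLE_RFC4716_ONELINE = f"{BEGIN_MARKER} {SAMPLE_B64} {END_MARKER}"

if __name__ == "__main__":
    for stored in (SAMPLE_RFC4716_MULTILINE, SAMPLE_RFC4716_ONELINE,
                   f"{BEGIN_MARKER} Comment: x {SAMPLE_B64} {END_MARKER}"):
        print(check_stored_key(stored, SAMPLE_OPENSSH))
```

Running it prints three results: the multi-line and the single-line forms both decode to the same blob and match the client key, while a single-line key that still carries a Comment: header is rejected with a parse error before any base64 decoding is attempted.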

castaglia
Re: mod_sftp_ldap
« Reply #13 on: August 06, 2016, 06:07:55 am »
For any readers curious about the progress of this, see:

  https://github.com/Castaglia/proftpd-mod_sftp_ldap/issues/2

 
