Author Topic: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)  (Read 751 times)

Offline gerryhickman

  • New user
  • *
  • Posts: 10
    • View Profile
SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« on: September 16, 2016, 04:03:32 pm »
RHEL 7.2

I built proftpd with mod_sftp and mod_clamav from source tar

ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.6rc2.tar.gz

mod_sftp config block includes
Code: [Select]
SFTPHostKey /etc/ssh/ssh_host_rsa_key
On RHEL 7.2 the permissions on the host key now include group-read with a group assigned that is allowed to read the key.

/usr/local/sbin/proftpd --nodaemon --config /usr/local/etc/proftpds2.conf --configtest
fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 68 of '/usr/local/etc/proftpds2.conf'

I add this to the conf file
Code: [Select]
SFTPOptions InsecureHostKeyPermsconfigtest now succeeds, and the daemon can start
BUT, as soon as a user tries to connect

Code: [Select]
2016-09-15 09:52:33,522 mod_sftp/1.0.0[21931]: '/etc/ssh/ssh_host_rsa_key' is accessible by group or world, which is not allowed
2016-09-15 09:52:33,522 mod_sftp/1.0.0[21931]: error loading hostkey '/etc/ssh/ssh_host_rsa_key', skipping key

It looks like InsecureHostKeyPerms is recognized in some functions, but not in others.

Code: [Select]
mod_sftp/keys.c

function has_req_perms
if (!(sftp_opts & SFTP_OPT_INSECURE_HOSTKEY_PERMS)) <- failing?

for some reason sftp_opts doesn't include InsecureHostKeyPerms?

Regardless of this, it might be good to change the criteria so it will work with RedHat 7.2 without needing InsecureHostKeyPerms?

Offline castaglia

  • Administrator
  • Support Hero
  • *****
  • Posts: 5373
    • View Profile
    • http://www.castaglia.org/
Re: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« Reply #1 on: September 16, 2016, 04:14:14 pm »
Could you provide the full proftpd.conf you're using (minus any sensitive passwords)?  That might help to figure out why your SFTPOptions aren't being used as expected.

As for changing the code for CentOS/RHEL 7, see the discussions/comments in the bug report on this:

  http://bugs.proftpd.org/show_bug.cgi?id=4098

Offline gerryhickman

  • New user
  • *
  • Posts: 10
    • View Profile
Re: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« Reply #2 on: September 16, 2016, 06:00:55 pm »
I forgot to mention that after commenting out near this line, everything started working, but this isn't an ideal solution
Code: [Select]
if (!(sftp_opts & SFTP_OPT_INSECURE_HOSTKEY_PERMS))The proftpd conf file is shown below.
I did notice some strange things happening with the conf file, for example when I changed the order of the SFTPOptions directives, it would cause proftpd to go into an infinite loop with 100% cpu, or in another case, it said InsecureHostKeyPerms was not a valid option. I also tried the SFTPOptions in the server context and global context, but I usually have it in the Virtual Host context.

Code: [Select]
# proftpd conf file (sftp port 8022)

# server config

#TraceLog       /var/log/proftpd/trace.log
#Trace          DEFAULT:10
SystemLog       /var/log/proftpd/proftpd.log
#DebugLevel     10
TransferLog     /var/log/proftpd/xferlog
LoadModule      mod_clamav.c
LoadModule      mod_sftp.c

ServerName                      "Web server FTP service"
ServerType                      standalone
DefaultServer                   on
Port                            0
#PidFile                         /var/run/proftpd.pid
TimeoutIdle                     900
TimeoutNoTransfer               900
IdentLookups                    off
UseReverseDNS                   off
UseIPv6                         off
MaxInstances                    60
MaxClientsPerUser               20

User                            nobody
Group                           nobody

<Global>

# allow group write
Umask 0002 0002

# To cause every FTP user to be "jailed" (chrooted)
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer localhost
   #ClamServer 127.0.0.1
   ClamPort 3310
</IfModule>

</Global>

<VirtualHost 10.203.65.103>

<IfModule mod_sftp.c>

  ServerName "Web server SFTP service"
  SFTPEngine on
  SFTPLog /var/log/proftpd/sftp.log
  Port 8022

  #<limit LOGIN>
  #AllowUser AND unix,term
  #</Limit>

  # Configure both the RSA and DSA host keys, using the same host key
  # files that OpenSSH uses.
  #SFTPHostKey /etc/ssh/ssh_host_rsa_key
  #SFTPHostKey /etc/ssh/ssh_host_dsa_key
  #SFTPHostKey /usr/local/etc/.sftp/ssh_host_rsa_key
  #SFTPOptions MatchKeySubject InsecureHostKeyPerms

  SFTPOptions InsecureHostKeyPerms
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPOptions MatchKeySubject

  # Configure the file used for comparing authorized public keys of users.
  # the key must be in the correct format for proftpds
  # if this is not set, it will request a password
  #SFTPAuthorizedUserKeys file:~/.ssh/sftp_keys
  SFTPAuthorizedUserKeys file:/usr/local/etc/.sftp/sftp_keys

  SFTPCompression delayed
  MaxLoginAttempts 6

</IfModule>

</VirtualHost>



Offline gerryhickman

  • New user
  • *
  • Posts: 10
    • View Profile
Re: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« Reply #3 on: April 05, 2017, 12:40:17 pm »
I tested this again with new RC4 build and had the same issue. I found the possible cause of the problem. When mod_sftp creates a new session it checks permissions on the host key and also checks for the SFTP Option called 'InsecureHostKeyPerms', BUT, this happens BEFORE the SFTP Options have been parsed and set, so it basically ignores the option.

Code: [Select]
mod_sftp.h:139:extern unsigned long sftp_opts;
// initialize to zero
mod_sftp.c:62:unsigned long sftp_opts = 0UL;
// start a new session
mod_sftp.c:2005:static int sftp_sess_init(void)
// call to sftp_keys_get_hostkey, BEFORE the SFTP Options have been set??
mod_sftp.c:2134:if (sftp_keys_get_hostkey(sftp_pool, path) < 0)
// tries to use the SFTP Option, but sftp_opts will always be zero
keys.c:823:if (!(sftp_opts & SFTP_OPT_INSECURE_HOSTKEY_PERMS))
// finally, it starts parsing the SFTP Options
mod_sftp.c:2235:c = find_config(main_server->conf, CONF_PARAM, "SFTPOptions", FALSE);
« Last Edit: April 05, 2017, 12:42:29 pm by gerryhickman »

Offline castaglia

  • Administrator
  • Support Hero
  • *****
  • Posts: 5373
    • View Profile
    • http://www.castaglia.org/
Re: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« Reply #4 on: April 06, 2017, 12:18:14 am »
Doh!  Good catch.  This PR should fix it:

  https://github.com/proftpd/proftpd/pull/468

Offline gerryhickman

  • New user
  • *
  • Posts: 10
    • View Profile
Re: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« Reply #5 on: April 06, 2017, 02:20:22 pm »
Thanks for the quick update.
I created a new build using a github snapshot from 06/04/2017 without applying any patches, and the SFTP Option is now working as expected.

Offline gerryhickman

  • New user
  • *
  • Posts: 10
    • View Profile
Re: SFTPOptions InsecureHostKeyPerms (RHEL 7.2)
« Reply #6 on: April 28, 2017, 10:42:38 am »
Tested again with official release of ProFTPD 1.3.6 (stable), also works as expected.

 

sighted planning