Author Topic: ProFTPD on RHEL 1.3.3g / Error: authorized_keys' is a RFC4716 formatted key

Offline sophie

  • New user
  • *
  • Posts: 9
    • View Profile
Hi,

I have proftpd-1.3.3g-10.el6.x86_64 installed in a working config. All existing users can connect.

I was asked to create a new user. With puttygen I created SSH2 RSA and SSH2 DSA keys without a passphrase to test with.

The public key was placed in the user's ~/.ssh/authorized_keys file. Permissions and ownership are all correct (the same as for the other working users).

However the user cannot connect over SFTP:

$ psftp IQ@193.111.111.111 -i AVIQ_private.ppk
IQ@193.111.111.111's password:

Using username "IQ".
Server refused public-key signature despite accepting key!
Access denied
Fatal: Disconnected: No supported authentication methods available (server sent: publickey)

And the telling error:
/var/log/proftpd/sftp.log:Apr 25 11:14:58 mod_sftp/0.9.7[302]: Make sure that '/home/IQ/.ssh/authorized_keys' is a RFC4716 formatted key

The key is this, but I have obfuscated part of it for this post.
/home/IQ/.ssh/authorized_keys
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-20170425"
---- END SSH2 PUBLIC KEY ----

Any help would be great. Thanks.
« Last Edit: April 25, 2017, 02:38:46 pm by castaglia »

Offline castaglia

  • Administrator
  • Support Hero
  • *****
  • Posts: 5300
    • View Profile
    • http://www.castaglia.org/
How large of an SSH key did you generate?  What was the puttygen command you used?

Offline sophie

I tried with 2048 RSA SSH2 and 2048 DSA SSH2

Offline castaglia

Does your authorized_keys file end in a newline character?  If not, could you add one?

Based on that old version of proftpd, you might be encountering an issue where authorized_keys files that did not end in newlines were not properly handled; see:

  https://github.com/proftpd/proftpd/commit/0f1e9c0fe616bba307f55bcf388691cb04e3fb09#diff-2bf19899b9f789a4e75acf324f7a324e
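As an added example (not code from the thread or from ProFTPD), a small checker for the RFC4716 layout mod_sftp expects from an authorized_keys file, including the missing-trailing-newline condition discussed above; the sample key blob is constructed and only structurally valid, not a real key.

```python
import base64, struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519"}

def check_rfc4716_file(data):
    # Returns (key types found, problems) for an RFC4716-style authorized_keys file.
    types, problems = [], []
    if not data.endswith("\n"):
        problems.append("file does not end with a newline")
    lines, i = [ln for ln in data.splitlines() if ln.strip()], 0  # blank lines between blocks are harmless
    while i < len(lines):
        if lines[i] != BEGIN:
            problems.append("expected '%s', found %r" % (BEGIN, lines[i]))
            return types, problems
        i += 1
        # 'Tag: value' headers (continued when a line ends in '\') precede the colon-free base64 body
        while i < len(lines) and ":" in lines[i]:
            while lines[i].endswith("\\") and i + 1 < len(lines):
                i += 1
            i += 1
        body = []
        while i < len(lines) and lines[i] != END:
            body.append(lines[i].strip())
            i += 1
        if i == len(lines):
            problems.append("missing '%s' marker" % END)
            return types, problems
        i += 1
        try:  # decode the blob; its first SSH string names the key type
            blob = base64.b64decode("".join(body), validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            ktype = blob[4:4 + n].decode("ascii")
        except Exception as exc:
            problems.append("key body is not a valid SSH key blob: %s" % exc)
            continue
        if ktype not in KNOWN_TYPES:
            problems.append("unknown key type %r" % ktype)
        types.append(ktype)
    return types, problems

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample: an ssh-rsa blob (type, e, n) that is only structurally valid, not a real key.
SAMPLE_B64 = base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                              + _ssh_string(b"\x00\xc3" + b"\x5a" * 30)).decode()
GOOD = "%s\nComment: \"rsa-key-test\"\n%s\n%s\n" % (BEGIN, SAMPLE_B64, END)
BAD = GOOD.rstrip("\n")  # same key, but the trailing newline is missing
```

Run it over the real file with `check_rfc4716_file(open(path).read())`; an OpenSSH one-line key is reported as a bad BEGIN marker, which is the other common cause of the "RFC4716 formatted key" message.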

Offline sophie

Thanks.  I added a new line.

The error message stopped, but the user still cannot log in. After the change it seems the keys are no longer recognised. Removing the newline did not produce the earlier RFC4716 error. Bizarre.

Apr 26 08:53:38 lpehtsft001a proftpd[18224]: 111.111.111.111 (::ffff:85.91.162.1[::ffff:85.91.162.1]) - USER IQ (Login failed): Incorrect password

Offline sophie

Recreated the keys several times over and always without a passphrase. publickey is never accepted and always falls back on password, which we won't use.

I cannot see anything useful in the log files:
/var/log/proftpd/sftp.log:Apr 26 08:50:46 mod_sftp/0.9.7[28600]: password authentication for user 'IQ' failed: Incorrect password

Apr 26 08:53:38 lpsftp01  proftpd[18224]: 111.111.111.111 (::ffff:85.91.162.1[::ffff:85.91.162.1]) - USER IQ (Login failed): Incorrect password
Apr 26 09:05:08 lpsftp01 proftpd[21128]: 111.111.111.111 (::ffff:85.91.162.1[::ffff:85.91.162.1]) - IQ chdir("/"): Permission denied

I am a little lost.

Offline castaglia

I would first recommend trying to upgrade ProFTPD to a newer version, if you can.  Failing that, you might be able to get more information using trace logging; see:

  http://www.proftpd.org/docs/howto/Tracing.html

For mod_sftp, this would look like:

  TraceLog /path/to/your/trace.log
  Trace ssh2:20 sftp:20

in your proftpd.conf.  Restart proftpd to pick up the configuration change, re-login with your failing key, then see what the TraceLog shows.

Offline sophie

Apr 27 09:55:42 [22423] <ssh2:10>: auth requested for user 'IQ', service 'ssh-connection', using method 'none'
Apr 27 09:55:42 [22423] <ssh2:10>: auth requested for user 'IQ', service 'ssh-connection', using method 'publickey'
Apr 27 09:55:42 [22423] <ssh2:2>: using SFTPAuthorizedUserKeys '/home/IQ/.ssh/authorized_keys' for public key authentication for user 'IQ'
Apr 27 09:55:42 [22423] <ssh2:10>: found matching public key for user 'IQ' in '/home/IQ/.ssh/authorized_keys'
Apr 27 09:55:42 [22423] <ssh2:8>: verified public key for user 'IQ'
Apr 27 09:55:43 [22423] <ssh2:10>: auth requested for user 'IQ', service 'ssh-connection', using method 'password'
Apr 27 09:55:45 [22423] <ssh2:10>: auth requested for user 'IQ', service 'ssh-connection', using method 'password'
« Last Edit: April 27, 2017, 12:25:45 pm by sophie »

Offline castaglia

OK, thanks.  Those trace logging messages make it appear that the SSH public key is not the issue.

In your previous log messages, there is this:

  chdir("/"): Permission denied

For the user logging in (user "IQ"?), what is their home directory? What does `ls -aldn` show for that home directory?

Offline sophie

drwx------ 3 1013 1004 4096 Apr 26 10:46 /home/IQ

The other users have the same permissions.

Offline castaglia

And is user "IQ" defined in /etc/passwd on your system, or something else?  In particular, I'd like to see which UID/GIDs are assigned to your user "IQ", to see if they line up with the permissions on that /home/IQ directory.

Offline sophie

/etc/passwd

IQ gid = prosftpd (same for all other users)
IQ uid is unique.

Offline sophie

I created another key, SSH2-RSA-1024, for another attempt.

Reading private key file "id_rsassh2.priv.ppk"
Pageant is running. Requesting keys.
Pageant has 1 SSH-2 keys
Configured key file not in Pageant
Using username "iq".
Offered public key
Offer of public key accepted
Authenticating with public key "rsa-key-1024-20170509"
Sent public key signature
Server refused public-key signature despite accepting key!
Server refused public-key signature despite accepting key!
iq@sftp.xxxx.xx.ee's password:

For some reason the server refuses the key and drops back to password auth, which is disallowed and won't work.

The log contains this, and it is the only entry in any of the log files:
/var/log/proftpd/sftp.log:May 09 10:11:41 mod_sftp/0.9.7[9944]: password authentication for user 'iq' failed: Incorrect password

« Last Edit: May 15, 2017, 12:56:08 pm by sophie »

Offline castaglia

What are the commands you're using to create these keys?  I would like to try to reproduce this behavior locally.

Offline sophie

Hi, it's this (apologies for the delay, I was away ill):

#!/bin/bash
set -euo pipefail
# $proftpd_gid and $main_directory are set earlier in the full script (not shown here).
: "${proftpd_gid:?proftpd_gid must be set}" "${main_directory:?main_directory must be set}"

read -p "+ Enter the new username : " username
read -p "+ Is he an admin (y/n)? [default n] : " admin
# Expects the one-line OpenSSH form ("ssh-rsa AAAA... comment"); read takes a single line.
read -p "+ SSH Pub Key (optional): " key
adduser "$username" -g "$proftpd_gid" -s /bin/false
install -g proftpd -o "$username" -m 770 -d "$main_directory/$username"
if [ -n "$key" ]; then
        install -g proftpd -o "$username" -m 700 -d "/home/$username/.ssh"
        printf '%s\n' "$key" > "/home/$username/.ssh/tmp"
        # Convert to RFC4716 for mod_sftp; pipefail aborts the script if ssh-keygen rejects
        # the key, and ssh-keygen's output ends with the newline mod_sftp needs.
        ssh-keygen -ef "/home/$username/.ssh/tmp" | grep -v "^Comment:" >> "/home/$username/.ssh/authorized_keys"
        chmod 600 "/home/$username/.ssh/authorized_keys"
        chown -R "$username:proftpd" "/home/$username/.ssh"
        rm -f "/home/$username/.ssh/tmp"
fi