
I've set up mod_sftp with ProFTPD, and for some reason it still prompts me for a password when I connect.

This is my conf.d/myserver file:

SFTPEngine on
SFTPLog /var/log/sftp.log
Port 7770
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
SFTPCompression delayed
MaxLoginAttempts 6
DefaultRoot ~
Umask 002
CreateHome on 770 dirmode 770

And the public key for the user is in /etc/proftpd/authorized_keys.

Castaglia
CaptSaltyJack
  • Make sure the user ProFTPD is running as can access the public key file(s). – Brian Jul 19 '15 at 00:17
  • Yep, no problem there. – CaptSaltyJack Jul 19 '15 at 00:18
  • Can try adding `SFTPAuthMethods publickey` (will block using passwords) but the default should already be `publickey password` - perhaps the client doesn't have the private key or is set to always try to use a password? – Brian Jul 19 '15 at 00:25
  • Can you check/report the permissions on the user's authorized_keys file in `/etc/proftpd/authorized_keys/%u` as well as ownership? – Matt Jul 20 '15 at 22:00

2 Answers


I experienced this, and it was caused by what looks like a bug in ssh-keygen that manifests when you convert the ssh-rsa format key into the RFC-4716 key format: the Comment header is too long.

To confirm that this is happening to you, enable the SFTPLog option in your proftpd.conf file, then in the SFTP log file you'll see lines like the following, specifically the "line too long" part:

Jul 25 19:11:25 mod_sftp/0.9.7[16355]: public key fingerprint: 77:fa:c7:d6:da:b9:99:6f:9d:5f:74:30:ba:09:4f:e9
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: line too long (74) on line 1 of '/etc/proftpd.d/authorized_keys/myusername'
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: Make sure that '/etc/proftpd.d/authorized_keys/myusername' is a RFC4716 formatted key
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: error base64-decoding key data in '/etc/proftpd.d/authorized_keys/myusername'
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: error comparing keys from '/etc/proftpd.d/authorized_keys/myusername': Invalid argument
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: sending userauth failure; remaining userauth methods: publickey,password
Jul 25 19:11:29 mod_sftp/0.9.7[16355]: disconnecting client (received EOF)

Take a look at the offending key, and you'll see how it sticks out:

(image: Excess line text)

Trim that off with your text editor of choice, and key auth should start working. Using bash it looks like this, where user.pub is your key file:

cut -c 1-72 user.pub | sed '/^Comment: "[^"]*$/ s/$/"/' > user.pub.tmp && mv user.pub.tmp user.pub

If you instead want to keep the whole comment, you'll need to escape the end of the line and put it on the next one. See the example section of RFC 4716 for how you can re-format comments.

Finally, I ran into this problem using ssh-keygen on CentOS 6.9. The version I have on Mac OS Sierra truncates the key comments properly to avoid this problem.
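The following is an added example, not part of the answer above: it finds the over-long lines mod_sftp rejects, parses the RFC 4716 file, and rewrites it with the backslash continuation that RFC 4716 section 3.3 allows for headers, so the whole comment is kept instead of trimmed. It assumes ASCII header text and uses a constructed dummy key blob, not a real key.

```python
import base64

MAX_LINE = 72   # RFC 4716 section 3.3: no line may exceed 72 bytes
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def too_long_lines(text):
    """(1-based line number, byte length) of every line mod_sftp would log as 'line too long'."""
    return [(n, len(l.encode())) for n, l in enumerate(text.splitlines(), 1)
            if len(l.encode()) > MAX_LINE]


def parse_rfc4716(text):
    """Split an RFC 4716 file into (headers, key_bytes). Continued headers
    (trailing backslash) are joined; body lines are base64 and never hold ':'."""
    lines = text.splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    headers, i = [], 1
    while i < len(lines) - 1 and ":" in lines[i]:
        value = lines[i]
        while value.endswith("\\"):      # continuation: drop '\', append next
            i += 1
            value = value[:-1] + lines[i]
        tag, _, val = value.partition(":")
        headers.append((tag.strip(), val.strip()))
        i += 1
    return headers, base64.b64decode("".join(lines[i:-1]), validate=True)


def format_rfc4716(headers, key_bytes):
    """Emit a conformant file: headers over 72 bytes are continued with '\\'
    (assumes ASCII header text); key data is re-wrapped at 70 characters."""
    out = [BEGIN]
    for tag, val in headers:
        line = f"{tag}: {val}"
        while len(line) > MAX_LINE:
            out.append(line[:MAX_LINE - 1] + "\\")
            line = line[MAX_LINE - 1:]
        out.append(line)
    b64 = base64.b64encode(key_bytes).decode()
    out += [b64[k:k + 70] for k in range(0, len(b64), 70)]
    return "\n".join(out + [END]) + "\n"


# Constructed sample, not a real key: 60 dummy bytes plus a 74-byte Comment
# line of the kind the answer above describes.
SAMPLE_KEY = bytes(range(60))
SAMPLE_COMMENT = '"' + "x" * 63 + '"'
SAMPLE = "\n".join([BEGIN, "Comment: " + SAMPLE_COMMENT,
                    base64.b64encode(SAMPLE_KEY).decode(), END]) + "\n"
```

Running too_long_lines on the sample reports both the header and the single 80-character body line; after format_rfc4716 the file parses back to the same headers and key bytes with no over-long lines.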


The current value of SFTPAuthorizedUserKeys is set to use per-user files of authorized keys. I would guess that for a given user, let's use jsmith as an example, their key would need to go into a file called /etc/proftpd/authorized_keys/jsmith.

To get your current setup working, try changing the value of SFTPAuthorizedUserKeys to /etc/proftpd/authorized_keys.

See http://www.proftpd.org/docs/contrib/mod_sftp.html#SFTPAuthorizedUserKeys for more detail.

mmccowan