Certificate based login

[ledmirage]

Hi folks,

We tested SFTPGo with username/password and username/key login without any issue.

I would like to check if SFTPGo can support certificate base login. To be clear I am talking about certificate login for SFTP connection, not SSL certificate for httpd.

The use case is like we have CA server

• we can generate CA cert/key
• we can use the CA certs/key to sign/issue client certs
• user can then use the client cert to login, subject to cert validity (not expired or revoked)

From our point of view this method might be more scalable if we have many users and servers, so we can centrally manage the certs. Issuing of new client cert should not need to update individual server (I suppose the servers only need 1 time setup for CA cert/key).

I see in the config file there is trusted_user_ca_keys which i think might be related, but i am not sure how exactly is this configured.

Any advice is appreciated.

-Tse

[drakkan]

Hi,

SFTPGo supports SSH user certificate authentication just like OpenSSH.

trusted_user_ca_keys is just like TrustedUserCAKeys in OpenSSH.
You can also use public key authentication

[ZigZach]

Hello!

I'm working with Tse on the above issue. So far we have generated the required certificates and are able to utilize the user cert through ssh.

On the side of sftpgo, we are only able to connect using the user cert if trusted_user_ca_key is added in sftpgo.json and the users certificate.pub is defined on the sftpgo web portal for the specific user.

We are wondering if this is the correct behaviour? From our understanding, as long as the trusted user CA key and Host certificate are present, we should not have to define the certificate.pub on our host server.

[drakkan]

Hello!

I'm working with Tse on the above issue. So far we have generated the required certificates and are able to utilize the user cert through ssh.

On the side of sftpgo, we are only able to connect using the user cert if trusted_user_ca_key is added in sftpgo.json and the users certificate.pub is defined on the sftpgo web portal for the specific user.

We are wondering if this is the correct behaviour? From our understanding, as long as the trusted user CA key and Host certificate are present, we should not have to define the certificate.pub on our host server.

Hi,

the current SFTPGo implementation always checks the user certificate. So currently you have to set certificate.pub for each user.

I think you are correct and this additional check should be removed. Do you want to sponsor this feature? Thanks

[ZigZach]

Since the understanding is correct, could we also ask, since the certificate.pub is an additional check, would it be the case that it is using both the cert.pub and the trusted ca user key to do the verification? How do we check that it is actually connecting by means of certificate and not key.

Also, we noticed that there's no field to configure the HostCertificate, so in this case, the client will not be able to validate the server's identity if our understanding is right.

[drakkan]

Since the understanding is correct, could we also ask, since the certificate.pub is an additional check, would it be the case that it is using both the cert.pub and the trusted ca user key to do the verification? How do we check that it is actually connecting by means of certificate and not key.

this is already implemented

Also, we noticed that there's no field to configure the HostCertificate, so in this case, the client will not be able to validate the server's identity if our understanding is right.

This is another thing to test. Let me know if you are interested to this development

[ledmirage]

Hi drakkan,

I think Zach's first question was more to confirm the behavior, that if currently we configure BOTH user ca key and user cert, then SFTPGo is actually doing TWO validations:

1. using user ca key to verify the cert is issued by trusted CA,
2. and user cert to verify user identity.

If this is the case, then this discussion is can we remove the 2nd validation (user cert), and only do check using user ca public key (or depends on if user cert is added, if not, then just do user ca check) ?

Regards

[drakkan]

Hi drakkan,

I think Zach's first question was more to confirm the behavior, that if currently we configure BOTH user ca key and user cert, then SFTPGo is actually doing TWO validations:

1. using user ca key to verify the cert is issued by trusted CA,
2. and user cert to verify user identity.

I did a quick look at the code and we do both the checks

If this is the case, then this discussion is can we remove the 2nd validation (user cert), and only do check using user ca public key (or depends on if user cert is added, if not, then just do user ca check) ?

it is not just a matter of removing one check. This requires other code changes and several tests to ensure a proper behaviour.
And I also have to support the host key certificate that could require some changes to crypto/ssh

Regards

[ledmirage]

Understood, I am not implying the change is simple but just want to discuss what are the options we can go around implementing it (if we DO want to implement it)

my thinking is we can split as 2 changes as i think they should have no inter-dependency

1. make user cert check optional, the check is performed only if the cert data is provided, if not then do validation base on user ca public key

2. add support of host certificate so client side can do host validation

i can submit them as 2 feature requests, what do you think?

side tracking a bit, i make myself as sponsor for this project sometime back, but i dun think github got deduct anything from my paypal account, not sure what happened.

i can see the "sponsoring" badge when i view this project:

[drakkan]

Understood, I am not implying the change is simple but just want to discuss what are the options we can go around implementing it (if we DO want to implement it)

my thinking is we can split as 2 changes as i think they should have no inter-dependency

1. make user cert check optional, the check is performed only if the cert data is provided, if not then do validation base on user ca public key
2. add support of host certificate so client side can do host validation

i can submit them as 2 feature requests, what do you think?

I think you need to stop asking for free support and development, please send 2 pull requests, thanks

side tracking a bit, i make myself as sponsor for this project sometime back, but i dun think github got deduct anything from my paypal account, not sure what happened.

i can see the "sponsoring" badge when i view this project:

[ledmirage]

maybe u miss the last part, as i mentioned i did try to sponsor this project, but github doesn't seem to be deducting my paypal account ...

[ledmirage]

I just updated the payment method from paypal to credit card, lets see if it works better. I didn't realize the sponsor payment is not going thru until recently.