SSH public key fingerprints in mod_sftp logs #1803
Comments
You might see if #1804 helps with the logging. Also, the fingerprints logged may depend on the SFTP client being used. For example, OpenSSH may try all of the keys in its local
On pondering this more, I've closed the PR. Instead, I'm hoping you can provide the logging that you see, when a client authenticates using a public key, showing the fingerprint (or maybe more than one?). Thanks!
OK, so I don't know how this happened, but somehow the base64 decoding of the OpenSSH key fingerprint must've gotten messed up, because in trying to get log info for you just now it does match up to what mod_sftp is logging. The only issue now is that when mod_sftp logs the key fingerprint, it's using the XX:XX:XX:... format, whereas ssh-keygen -l uses the base64 encoding of the binary key fingerprint. While that does make it a little harder to line things up, it's not a dealbreaker. I have no idea how I was getting mismatched fingerprints before, but it's not actually mismatched now so I'm just going to close this unless I run into other issues later.
I'll ponder some option/way to configure the format/encoding used when logging these fingerprints. (The fact that
As I said, it's not a huge deal that the format isn't the same as long as the underlying data is the same. I can easily implement a way to convert the fingerprint into the format that mod_sftp uses for checking against logged values, and it's not like it's something that comes up all the time; it's more of a once in a while issue. While it would be nice if I could have it log in the OpenSSH format, it's most definitely not a big deal.
What I Did
Logged in using SSH key authentication with mod_sftp
What I Expected/Wanted
The public key SHA256 fingerprint is listed as '94:37:47:e7:77:82:c6:4a:d3:80:a8:66:09:2e:58:4b:39:40:22:63:b8:e7:e0:9f:20:94:1e:d8:e1:fa:c0:9e'. When I use ssh-keygen to show the SHA256 fingerprint, it looks like this: 'SHA256:lDdH53eCxkrTgKhmCS5YSzlAImO45+CfIJQe2OH6wJ4'. If I decode that base64 formatted fingerprint it looks like this: '00:b4:2d:87:eb:51:ee:8a:7a:3b:ce:57:e7:a9:3f:11:d5:ec:24:4c:c4:fe:2e:88:fb:b2:e3:67:39:19:d8:76'. I would have expected that the 2 fingerprints that were formatted the same would be the same, but they aren't. Ideally I'd like to see the SHA256 fingerprint in the same format that OpenSSH uses, but that's not as critical. But I do need to be able to match fingerprints and something is definitely not matching up. If I need to do something different to calculate the hashes the way you are, I'm also open to that; I just need to know what to do differently.
ProFTPD Version and Configuration
Please help us reproduce the problem/issue you are encountering. To do this,
we need to know which version of ProFTPD you are using, how it was built,
etc. The following command is an easy way to get all of this information:
I can give you the proftpd.conf file if you need it, but I don't know of anything in it that would affect how SSH key fingerprints were calculated and logged. The log in question is the SFTPLog directive.
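The format conversion discussed in the comments above, as an added example that is not part of the original issue or of ProFTPD's code: it normalizes both notations (the colon-separated hex that mod_sftp logs and the unpadded base64 that ssh-keygen -l prints) to the raw SHA-256 digest so they can be compared. The function and constant names are hypothetical; the two sample values are the ones quoted in the issue.

```python
import base64
import binascii

# Values quoted in the issue: the SFTPLog form and the `ssh-keygen -l` form.
LOGGED_HEX = ("94:37:47:e7:77:82:c6:4a:d3:80:a8:66:09:2e:58:4b:"
              "39:40:22:63:b8:e7:e0:9f:20:94:1e:d8:e1:fa:c0:9e")
KEYGEN_B64 = "SHA256:lDdH53eCxkrTgKhmCS5YSzlAImO45+CfIJQe2OH6wJ4"


def fingerprint_bytes(fp: str) -> bytes:
    """Normalize either notation to the raw 32-byte SHA-256 digest."""
    fp = fp.strip()
    if fp.upper().startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        # ssh-keygen drops the trailing '=' padding; restore it before decoding.
        b64 += "=" * (-len(b64) % 4)
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 fingerprint: {fp!r}") from exc
    else:
        # Colon-separated hex; bytes.fromhex() raises ValueError on non-hex input.
        raw = bytes.fromhex(fp.replace(":", ""))
    if len(raw) != 32:
        raise ValueError(f"not a SHA-256 digest ({len(raw)} bytes): {fp!r}")
    return raw


def to_colon_hex(fp: str) -> str:
    """Render a fingerprint in the xx:xx:... form seen in the SFTPLog."""
    return ":".join(f"{b:02x}" for b in fingerprint_bytes(fp))


def to_openssh(fp: str) -> str:
    """Render a fingerprint in the SHA256:<unpadded base64> form."""
    b64 = base64.b64encode(fingerprint_bytes(fp)).decode("ascii")
    return "SHA256:" + b64.rstrip("=")


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of which notation each uses."""
    return fingerprint_bytes(a) == fingerprint_bytes(b)


if __name__ == "__main__":
    print(to_colon_hex(KEYGEN_B64))
    print(to_openssh(LOGGED_HEX))
    print(same_fingerprint(LOGGED_HEX, KEYGEN_B64))
```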