SSH public key fingerprints in mod_sftp logs #1803

Closed
offsides opened this issue May 6, 2024 · 5 comments

@offsides
Contributor

offsides commented May 6, 2024

What I Did

Logged in using SSH key authentication with mod_sftp

What I Expected/Wanted

The public key SHA256 fingerprint is listed as '94:37:47:e7:77:82:c6:4a:d3:80:a8:66:09:2e:58:4b:39:40:22:63:b8:e7:e0:9f:20:94:1e:d8:e1:fa:c0:9e'. When I use ssh-keygen to show the SHA256 fingerprint, it looks like this: 'SHA256:lDdH53eCxkrTgKhmCS5YSzlAImO45+CfIJQe2OH6wJ4'. If I decode that base64 formatted fingerprint it looks like this: '00:b4:2d:87:eb:51:ee:8a:7a:3b:ce:57:e7:a9:3f:11:d5:ec:24:4c:c4:fe:2e:88:fb:b2:e3:67:39:19:d8:76'. I would have expected that the 2 fingerprints that were formatted the same would be the same, but they aren't. Ideally I'd like to see the SHA256 fingerprint in the same format that OpenSSH uses, but that's not as critical. But I do need to be able to match fingerprints, and something is definitely not matching up. If I need to do something different to calculate the hashes the way you are, I'm also open to that; I just need to know what to do differently.

ProFTPD Version and Configuration

Please help us reproduce the problem/issue you are encountering. To do this,
we need to know which version of ProFTPD you are using, how it was built,
etc. The following command is an easy way to get all of this information:

# proftpd -V
Compile-time Settings:
  Version: 1.3.9rc2 (devel)
  Platform: LINUX [Linux 5.14.0-362.24.1.el9_3.x86_64 x86_64]
  OS/Release:
    NAME="Red Hat Enterprise Linux"
    VERSION="9.3 (Plow)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="9.3"
    PLATFORM_ID="platform:el9"
    PRETTY_NAME="Red Hat Enterprise Linux 9.3 (Plow)"
    CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"

    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
    REDHAT_BUGZILLA_PRODUCT_VERSION=9.3
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
  Built: Fri Feb 3 2023 00:00:00 UTC
  Built With:
    configure  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--libexecdir=/usr/libexec/proftpd' '--localstatedir=/run/proftpd' '--disable-strip' '--enable-ctrls' '--enable-dso' '--enable-facl' '--enable-ipv6' '--enable-memcache' '--enable-nls' '--enable-openssl' '--disable-pcre' '--enable-pcre2' '--disable-redis' '--enable-shadow' '--enable-tests=nonetwork' '--with-libraries=/usr/lib64/mariadb' '--with-includes=/usr/include/mysql' '--with-modules=mod_readme:mod_auth_pam:mod_tls' '--with-shared=mod_sql:mod_sql_passwd:mod_sql_mysql:mod_sql_postgres:mod_sql_sqlite:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_radius:mod_quotatab_sql:mod_ldap:mod_ban:mod_ctrls_admin:mod_facl:mod_load:mod_vroot:mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_copy:mod_deflate:mod_ifversion:mod_qos:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache:mod_tls_memcache:mod_unique_id:mod_clamav:mod_ifsession' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'

  CFLAGS: -g2 -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wall -fno-omit-frame-pointer -fno-strict-aliasing -Werror=implicit-function-declaration
  LDFLAGS: -Wl,-L$(top_srcdir)/lib,-L$(top_builddir)/lib -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -rdynamic -L/usr/lib64/mariadb -L/usr/lib64/ -L/usr/lib64
  LIBS: -lacl  -lpcre2-posix -lpcre2-8 -lssl -lcrypto -lsodium -lcap  -lssl -lcrypto  -lpam -lattr -lidn2 -lcrypt -lmemcachedutil -lmemcached  -pthread

  Files:
    Configuration File:
      /etc/proftpd.conf
    Pid File:
      /run/proftpd/proftpd.pid
    Scoreboard File:
      /run/proftpd/proftpd.scoreboard
    Header Directory:
      /usr/include/proftpd
    Shared Module Directory:
      /usr/libexec/proftpd

  Info:
    + Max supported UID: 4294967295
    + Max supported GID: 4294967295

  Features:
    - Autoshadow support
    + Controls support
    + curses support
    - Developer support
    + DSO support
    + IPv6 support
    + Largefile support
    - Lastlog support
    + Memcache support
    + ncursesw support
    + NLS support
    + OpenSSL support (OpenSSL 3.0.7 1 Nov 2022, FIPS enabled)
    - PCRE support
    + PCRE2 support
    + POSIX ACL support
    - Redis support
    + Sendfile support
    + Shadow file support
    + Sodium support
    + Trace support
    + xattr support

  Tunable Options:
    PR_TUNABLE_BUFFER_SIZE = 1024
    PR_TUNABLE_DEFAULT_RCVBUFSZ = 65536
    PR_TUNABLE_DEFAULT_SNDBUFSZ = 65536
    PR_TUNABLE_ENV_MAX = 2048
    PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
    PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
    PR_TUNABLE_HASH_TABLE_SIZE = 40
    PR_TUNABLE_LOGIN_MAX = 256
    PR_TUNABLE_NEW_POOL_SIZE = 512
    PR_TUNABLE_PATH_MAX = 4096
    PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
    PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
    PR_TUNABLE_SELECT_TIMEOUT = 30
    PR_TUNABLE_TIMEOUTIDENT = 10
    PR_TUNABLE_TIMEOUTIDLE = 600
    PR_TUNABLE_TIMEOUTLINGER = 10
    PR_TUNABLE_TIMEOUTLOGIN = 300
    PR_TUNABLE_TIMEOUTNOXFER = 300
    PR_TUNABLE_TIMEOUTSTALLED = 3600
    PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

I can give you the proftpd.conf file if you need it, but I don't know of anything in it that would affect how SSH key fingerprints were calculated and logged. The log in question is the SFTPLog directive.

@Castaglia Castaglia self-assigned this May 7, 2024
@Castaglia Castaglia added the bug label May 7, 2024
Castaglia added a commit that referenced this issue May 8, 2024
@Castaglia
Member

You might see if #1804 helps with the logging. Also, the fingerprints logged may depend on the SFTP client being used. For example, OpenSSH may try all of the keys in its local ssh-agent, resulting in multiple fingerprints being logged by mod_sftp, until it finds the matching/authorized key.

@Castaglia
Member

On pondering this more, I've closed the PR. Instead, I'm hoping you can provide the logging that you see, when a client authenticates using a public key, showing the fingerprint (or maybe more than one?). Thanks!

@offsides
Contributor Author

OK, so I don't know how this happened, but somehow the base64 decoding of the OpenSSH key fingerprint must've gotten messed up, because in trying to get log info for you just now it does match up to what mod_sftp is logging. The only issue now is that when mod_sftp logs the key fingerprint, it's using the XX:XX:XX:... format, whereas ssh-keygen -l uses the base64 encoding of the binary key fingerprint. While that does make it a little harder to line things up, it's not a dealbreaker. I have no idea how I was getting mismatched fingerprints before, but it's not actually mismatched now, so I'm just going to close this unless I run into other issues later.

@Castaglia
Member

I'll ponder some option/way to configure the format/encoding used when logging these fingerprints. (The fact that ssh-keygen changed its format/encoding, without providing a way to select, is irritating.) I didn't want to just change the logging in mod_sftp, as doing so could (and probably would) break compatibility with some sites' setup.

@offsides
Contributor Author

As I said, it's not a huge deal that the format isn't the same as long as the underlying data is the same. I can easily implement a way to convert the fingerprint into the format mod_sftp uses for checking against logged values, and it's not like it's something that comes up all the time; it's more of a once-in-a-while issue. While it would be nice if I could have it log in the OpenSSH format, it's most definitely not a big deal.
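The conversion described in the two comments above (mod_sftp's colon-separated hex versus the unpadded base64 that ssh-keygen -l prints), as an added Python example that is not code from this issue or from ProFTPD. The fingerprint pair is the one quoted in the issue; the authorized_keys line is a constructed test value, not a real key.

```python
import base64
import binascii
import hashlib

# The two renderings of one SHA-256 fingerprint quoted in the issue above.
MOD_SFTP_HEX = ("94:37:47:e7:77:82:c6:4a:d3:80:a8:66:09:2e:58:4b:"
                "39:40:22:63:b8:e7:e0:9f:20:94:1e:d8:e1:fa:c0:9e")
SSH_KEYGEN_B64 = "SHA256:lDdH53eCxkrTgKhmCS5YSzlAImO45+CfIJQe2OH6wJ4"

def fingerprint_bytes(fp: str) -> bytes:
    """Normalise either encoding to the raw 32-byte digest."""
    if fp.startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        b64 += "=" * (-len(b64) % 4)  # ssh-keygen strips the '=' padding
        raw = base64.b64decode(b64, validate=True)
    else:
        raw = binascii.unhexlify(fp.replace(":", ""))  # mod_sftp's xx:xx:... form
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a SHA-256 fingerprint (%d bytes)" % len(raw))
    return raw

def to_mod_sftp_format(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def to_openssh_format(raw: bytes) -> str:
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")

def same_key(log_fp: str, keygen_fp: str) -> bool:
    """Compare an SFTPLog fingerprint with ssh-keygen -l output, ignoring encoding."""
    return fingerprint_bytes(log_fp) == fingerprint_bytes(keygen_fp)

def fingerprint_from_pubkey(line: str) -> bytes:
    """SHA-256 of the wire-format key blob in an authorized_keys line (what both tools hash)."""
    key_type, blob_b64 = line.split()[:2]
    blob = base64.b64decode(blob_b64)
    type_len = int.from_bytes(blob[:4], "big")  # blob starts with the key type string
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the line")
    return hashlib.sha256(blob).digest()

# Constructed test key in valid wire format (not a real key pair).
CONSTRUCTED_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode("ascii") + " constructed@example"
```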
