sftpd: add support for SSH user certificate authentication

This add support for PROTOCOL.certkeys vendor extension: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.8 Fixes #117 Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 23:00:55 +03:00 · 2020-05-15 20:08:53 +02:00
parent 82fb7f8cf0
commit 738c7ab43e
12 changed files with 346 additions and 56 deletions
--- a/sftpd/internal_test.go
+++ b/sftpd/internal_test.go
@@ -17,6 +17,7 @@ import (
 	"github.com/eikenb/pipeat"
 	"github.com/pkg/sftp"
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/ssh"

 	"github.com/drakkan/sftpgo/dataprovider"
 	"github.com/drakkan/sftpgo/utils"
@@ -1734,3 +1735,41 @@ func TestProxyProtocolVersion(t *testing.T) {
 	_, err = c.getProxyListener(nil)
 	assert.Error(t, err)
 }
+
+func TestLoadHostKeys(t *testing.T) {
+	c := Configuration{}
+	c.Keys = []Key{
+		{
+			PrivateKey: "missing file",
+		},
+	}
+	err := c.checkAndLoadHostKeys("..", &ssh.ServerConfig{})
+	assert.Error(t, err)
+	testfile := filepath.Join(os.TempDir(), "invalidkey")
+	err = ioutil.WriteFile(testfile, []byte("some bytes"), 0666)
+	assert.NoError(t, err)
+	c.Keys = []Key{
+		{
+			PrivateKey: testfile,
+		},
+	}
+	err = c.checkAndLoadHostKeys("..", &ssh.ServerConfig{})
+	assert.Error(t, err)
+	err = os.Remove(testfile)
+	assert.NoError(t, err)
+}
+
+func TestCertCheckerInitErrors(t *testing.T) {
+	c := Configuration{}
+	c.TrustedUserCAKeys = append(c.TrustedUserCAKeys, "missing file")
+	err := c.initializeCertChecker("")
+	assert.Error(t, err)
+	testfile := filepath.Join(os.TempDir(), "invalidkey")
+	err = ioutil.WriteFile(testfile, []byte("some bytes"), 0666)
+	assert.NoError(t, err)
+	c.TrustedUserCAKeys = []string{testfile}
+	err = c.initializeCertChecker("")
+	assert.Error(t, err)
+	err = os.Remove(testfile)
+	assert.NoError(t, err)
+}