Start a new topic

SSH Keys and LDAP

Is it possible to have ssh keys no longer work if an account is disabled or deleted in Active Directory?  I have tested using an ssh key and AD password but when I disable the account in AD the ssh key is still accepted.  This is in LDAP only used for Authentication mode (which would be needed to manage access to multiple folders).

Enable "debug" on the LDPA plugin.  It dumps to the log the different properties it looked up.

What one of those specific property names has a value indicating the account is disabled?

Let me know if this has what you are looking for.  This is from a login attempt with the account disabled.

31754 GENERAL|11/30/2017 22:48:23.438|CrushLDAPGroup:searchLocation:DC=domain,DC=com

31755 GENERAL|11/30/2017 22:48:23.438|CrushLDAPGroup:searchFilter:sAMAccountName=sftptest1

31756 GENERAL|11/30/2017 22:48:23.438|CrushLDAPGroup:Found 1 urls.

31757 GENERAL|11/30/2017 22:48:23.438|CrushLDAPGroup:Trying URL:ldap://

31758 GENERAL|11/30/2017 22:48:23.438|CrushLDAPGroup:username: domain\svcacct-crushftp

31759 GENERAL|11/30/2017 22:48:23.438|CrushLDAPGroup:url=ldap://

31760 GENERAL|11/30/2017 22:48:23.448|CrushLDAPGroup:CheckLogin...username:CN=sftptest1,OU=SFTP Accounts,OU=User Accounts,DC=domain,DC=com

31761 GENERAL|11/30/2017 22:48:23.448|CrushLDAPGroup:Found 1 urls.

31762 GENERAL|11/30/2017 22:48:23.448|CrushLDAPGroup:Trying URL:ldap://

31763 GENERAL|11/30/2017 22:48:23.448|CrushLDAPGroup:username: CN=sftptest1,OU=SFTP Accounts,OU=User Accounts,DC=domain,DC=com

31764 GENERAL|11/30/2017 22:48:23.448|CrushLDAPGroup:url=ldap://

31765 GENERAL|11/30/2017 22:48:23.451|pool-1-thread-39374

31766 GENERAL|11/30/2017 22:48:23.451|javax.naming.NamingException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580]

31767 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup.Start.getInitialDirContext:891

31768 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup.Start.checkLogin:794

31769 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup.Start.loadUserResult:299

31770 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup.Start.loadUser:247

31771 GENERAL|11/30/2017 22:48:23.451|

31772 GENERAL|11/30/2017 22:48:23.451|sun.reflect.GeneratedMethodAccessor15.invoke:-1

31773 GENERAL|11/30/2017 22:48:23.451|sun.reflect.DelegatingMethodAccessorImpl.invoke:43

31774 GENERAL|11/30/2017 22:48:23.451|java.lang.reflect.Method.invoke:498

31775 GENERAL|11/30/2017 22:48:23.451|crushftp.handlers.Common.runPlugin:4416

31776 GENERAL|11/30/2017 22:48:23.451|crushftp.server.ServerStatus.runPlugins:3652

31777 GENERAL|11/30/2017 22:48:23.451|crushftp.handlers.SessionCrush.runPlugin:1385

31778 GENERAL|11/30/2017 22:48:23.451|crushftp.handlers.SessionCrush.verify_user:1710

31779 GENERAL|11/30/2017 22:48:23.451|crushftp.handlers.SessionCrush.login_user_pass:2652

31780 GENERAL|11/30/2017 22:48:23.451|crushftp.handlers.SessionCrush.login_user_pass:2542

31781 GENERAL|11/30/2017 22:48:23.451|crushftp.handlers.SessionCrush.login_user_pass:2513

31782 GENERAL|11/30/2017 22:48:23.451|crushftp.server.ssh.PasswordAuthenticationProviderImpl.verifyPassword:29

31783 GENERAL|11/30/2017 22:48:23.451|com.maverick.sshd.PasswordKeyboardInteractiveProvider.setResponse:56

31784 GENERAL|11/30/2017 22:48:23.451|com.maverick.sshd.KeyboardInteractiveAuthentication$

31785 GENERAL|11/30/2017 22:48:23.451|com.maverick.ssh.ExecutorOperationSupport$OperationTask.executeAllTasks:142

31786 GENERAL|11/30/2017 22:48:23.451|com.maverick.ssh.ExecutorOperationSupport$

31787 GENERAL|11/30/2017 22:48:23.451|java.util.concurrent.Executors$

31788 GENERAL|11/30/2017 22:48:23.451|

31789 GENERAL|11/30/2017 22:48:23.451|java.util.concurrent.ThreadPoolExecutor.runWorker:1142

31790 GENERAL|11/30/2017 22:48:23.451|java.util.concurrent.ThreadPoolExecutor$

31791 GENERAL|11/30/2017 22:48:23.451|

31792 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup:CheckLogin...CN=sftptest1,OU=SFTP Accounts,OU=User Accounts,DC=domain,DC=com failed, checking username:sftptest1

31793 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup:Found 1 urls.

31794 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup:Trying URL:ldap://

31795 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup:username: sftptest1

31796 GENERAL|11/30/2017 22:48:23.451|CrushLDAPGroup:url=ldap://

31797 GENERAL|11/30/2017 22:48:23.453|pool-1-thread-39374

31798 GENERAL|11/30/2017 22:48:23.453|javax.naming.NamingException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580]

31799 GENERAL|11/30/2017 22:48:23.453|CrushLDAPGroup.Start.getInitialDirContext:891

31800 GENERAL|11/30/2017 22:48:23.453|CrushLDAPGroup.Start.checkLogin:802

31801 GENERAL|11/30/2017 22:48:23.453|CrushLDAPGroup.Start.loadUserResult:299

31802 GENERAL|11/30/2017 22:48:23.453|CrushLDAPGroup.Start.loadUser:247

31803 GENERAL|11/30/2017 22:48:23.453|

31804 GENERAL|11/30/2017 22:48:23.453|sun.reflect.GeneratedMethodAccessor15.invoke:-1

31805 GENERAL|11/30/2017 22:48:23.453|sun.reflect.DelegatingMethodAccessorImpl.invoke:43

31806 GENERAL|11/30/2017 22:48:23.453|java.lang.reflect.Method.invoke:498

31807 GENERAL|11/30/2017 22:48:23.453|crushftp.handlers.Common.runPlugin:4416

31808 GENERAL|11/30/2017 22:48:23.453|crushftp.server.ServerStatus.runPlugins:3652

31809 GENERAL|11/30/2017 22:48:23.453|crushftp.handlers.SessionCrush.runPlugin:1385

31810 GENERAL|11/30/2017 22:48:23.453|crushftp.handlers.SessionCrush.verify_user:1710

31811 GENERAL|11/30/2017 22:48:23.453|crushftp.handlers.SessionCrush.login_user_pass:2652

31812 GENERAL|11/30/2017 22:48:23.453|crushftp.handlers.SessionCrush.login_user_pass:2542

31813 GENERAL|11/30/2017 22:48:23.453|crushftp.handlers.SessionCrush.login_user_pass:2513

31814 GENERAL|11/30/2017 22:48:23.453|crushftp.server.ssh.PasswordAuthenticationProviderImpl.verifyPassword:29

31815 GENERAL|11/30/2017 22:48:23.453|com.maverick.sshd.PasswordKeyboardInteractiveProvider.setResponse:56

31816 GENERAL|11/30/2017 22:48:23.453|com.maverick.sshd.KeyboardInteractiveAuthentication$

31817 GENERAL|11/30/2017 22:48:23.453|com.maverick.ssh.ExecutorOperationSupport$OperationTask.executeAllTasks:142

31818 GENERAL|11/30/2017 22:48:23.453|com.maverick.ssh.ExecutorOperationSupport$

31819 GENERAL|11/30/2017 22:48:23.453|java.util.concurrent.Executors$

31820 GENERAL|11/30/2017 22:48:23.453|

31821 GENERAL|11/30/2017 22:48:23.453|java.util.concurrent.ThreadPoolExecutor.runWorker:1142

31822 GENERAL|11/30/2017 22:48:23.453|java.util.concurrent.ThreadPoolExecutor$

31823 GENERAL|11/30/2017 22:48:23.453|

31824 GENERAL|11/30/2017 22:48:23.453|CrushLDAPGroup:Checking login information for user.

31825 Looking up user's information...

31826 javax.naming.NamingException: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580]

31827 Success login:false

31828 found_user:false

31829 foundHomeDir:false

31830 loadedUser:false

31831 authenticationOnly:true

31832 authenticationOnlyExists:true

31833 <b>Overall success: false</b>

31834 STOR|11/30/2017 22:48:23.453|[SFTP:5887746_0:sftptest1:] WROTE: *530 Access denied.*

That as a password login failure...bad password.

This wasn't a success SFTP key based login...

There are no entries in the logs from the plugin when I log in via ssh key.  The same happens regardless of the account being enabled or disabled in AD.  

ACCEPT|11/30/2017 23:44:08.736|[SFTP:5902074_0:sftptest1:] READ: *Verifying username and public key sftptest1.*

ACCEPT|11/30/2017 23:44:08.745|[SFTP:5902074_0:sftptest1:] READ: *Accepted public key for sftptest1:ssh-rsa public key value*

USER|11/30/2017 23:44:08.746|[SFTP:5902074_0:sftptest1:] READ: *USER sftptest1*

PASS|11/30/2017 23:44:08.746|[SFTP:5902074_0:sftptest1:] READ: *PASS PublicKeyAuthentication*

Our latest build should now honor this in the way you were expecting.  Update and verify please.




I updated to 8.2.0_32 and am seeing the same behavior as before, let me know if there is a newer update.  I assume that the software looks for local login methods before checking for an AD match via the LDAP plugin.  Is this correct?

That is the latest build (well now its _33, but that was the latest).

It now checks the LDAP field "userAccountControl" for being disabled, and if so, they are not looked up and usable.

Yes, local accounts are found first in he User Manager if any, then plugins come after that.

Updated to _33 and still no luck but since the key is set in User Manager I guess it will never check to see if the account is disable or not in AD due to finding an authentication method before it even gets to the plugin.  Sounds like we will just have to disable, delete, or remove the key in User management if we have a termination.  Was hoping that it would query AD first for security purposes since that is usually the first account we disable when an employee leaves the company.

You could put the key in their LDAP profile, and not have it in the User Manager.....

Then its all LDAP based...  LDAP plugin allows you to map a field like "description" to be "ssh_public_keys" so that would be used in CrushFTP.

Thanks Ben.  I have created created the mapping in the plugin and have put the public key in the field.  I assume there is another place I will need to set crushftp to use that field as the public key, is that correct?

If you used those exact names, you have the mapping done now in the plugin.  That is it.  Rename your User Manager user and validate LDAP does it all now.

I did use the same names.  Why would I rename the user in User Manager?


Are you trying tot best if this works, or are you trying to use the User Manager for authentication and ssh keys?

As long as the user is in the User Manager, your LDAP is irrelevant.  Its not used.

So to test this, you can't have the same named user in the User Manager.

I thought I needed the user in User Manager to apply specific VFS settings.   

Login to post a comment