Feature #14899

open

Feature request - better acknowledgment and validation of the user's public key format

Added by Wolfgang Thegreat about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

Hello,

This feature request is following my community post at https://forum.netgate.com/topic/183514/cannot-ssh-login-using-public-key, which is more detailed.

Long story short - I could not SSH login using a public key, since I assigned to the default admin user a public key that was using SSH2 format, while pfSense supports OpenSSH format (at least, I don't know if it supports more formats).

At first sshguard decided this SSH2 key is an attack, so it blocked me, with a log message of:
"
pfSense sshguard ... Attack from "x.x.x.x" on service SSH with danger 10.
Blocking "x.x.x.x/32" for 240 secs (3 attacks in 1530 secs, after 2 abuses over 1958 secs.)
"

After adding my IP to the whitelist of login protection, it still denied my access with that key, this time with a log text of:
"
Oct 20 06:19:18 pfSense sshd[xxx]: error: Received disconnect from x.x.x.x port 6692:13: User request [preauth]
Oct 20 06:19:18 pfSense sshd[xxx]: Disconnected from authenticating user admin x.x.x.x port 6692 [preauth]
"

Once I changed the key at the user page to be in OpenSSH format, all is working fine, even when I removed my IP from the login protection whitelist.

So, I wish to ask that Netgate will:

1. Add at https://docs.netgate.com/pfsense/en/latest/usermanager/users.html, at the SSH Public key section, info about the need to use a correct public key format, OpenSSH (preferably with sample key(s) to show folks how it should look).

2. Add to the user attributes GUI an input text validator mechanism for the pub key field, to accept only the correct OpenSSH format (I guess it can be done with regex) and warn if it is not in the correct format. And of course, not save the key if it is in the wrong format if the user still presses "save" on that page.

  • Sample of OpenSSH format of a public key, the CORRECT format ***
    (these are only general format samples, to get a general visual idea, they are not the original content and are not valid for actual use, the content was intentionally changed at these samples):

ed25519 based

ssh-ed25519 AAA3CzNzaC1lZDIoqTE5AAAAINYE4MbzehJH1C7RIVVeqw8m5wg5vCC4PDYFjGdbdxfP

RSA based

ssh-rsa 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

  • Sample of the SSH2 format of a public key, the WRONG format ***

ed25519 based

---- BEGIN SSH2 PUBLIC KEY ----
AAAAC3NzaC1lzDI1NTE5AAAAINYE4MbzehJH1CdRIVVeqw5m8wg5vCC4PDYFjGZbdsfP
---- END SSH2 PUBLIC KEY ----

RSA based

---- BEGIN SSH2 PUBLIC KEY ----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==
---- END SSH2 PUBLIC KEY ----
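As an added illustration of the validator requested in point 2 (example code, not pfSense's own, which is PHP): a check that accepts only a one-line OpenSSH public key, recognises the SSH2/RFC 4716 wrapper and says so, and goes one step beyond a regex by decoding the base64 blob and confirming the key type named inside it matches the type at the start of the line. The sample key is constructed with a dummy 32-byte value and is not usable for login.

```python
"""Validate that a pasted SSH public key is in OpenSSH one-line format (added example)."""
import base64
import re
import struct

# "<type> <base64> [comment]"; type may include '@' and '.' (e.g. sk-ssh-ed25519@openssh.com)
OPENSSH_LINE = re.compile(
    r"^(?P<type>[A-Za-z0-9@.\-]+)\s+(?P<b64>[A-Za-z0-9+/]+={0,2})(?:\s+(?P<comment>.*))?$"
)
SSH2_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"  # RFC 4716 wrapper, the format pfSense rejects


def _blob_key_type(blob: bytes) -> str:
    """Return the algorithm name stored at the start of a decoded public key blob.

    Every SSH public key blob begins with a uint32 big-endian length followed by the
    key type string, so a well-formed blob must repeat the type given on the line.
    """
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or len(blob) < 4 + n:
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def validate_openssh_pubkey(text: str) -> tuple[bool, str]:
    """Return (ok, message); ok is True only for a well-formed OpenSSH one-line key."""
    s = text.strip()
    if not s:
        return False, "empty key"
    if s.startswith(SSH2_BEGIN):
        return False, ("SSH2/RFC 4716 format detected; convert it with "
                       "'ssh-keygen -i -m RFC4716 -f key.pub' and paste the one-line output")
    if "\n" in s:
        return False, "an OpenSSH public key is a single line"
    m = OPENSSH_LINE.match(s)
    if not m:
        return False, "expected '<type> <base64> [comment]'"
    try:
        inner = _blob_key_type(base64.b64decode(m["b64"], validate=True))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        return False, f"key data is not a valid base64 key blob ({exc})"
    if inner != m["type"]:
        return False, f"key type '{m['type']}' does not match blob type '{inner}'"
    return True, "ok"


def sample_ed25519_key(comment: str = "constructed@example") -> str:
    """Build a syntactically valid ssh-ed25519 line around a dummy key (constructed, not usable)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
```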
