External authentication - missing password in POST payload

[gustaff-weldon]

Hi,

I'm planning to deploy SFTPGo in GCP, ideally via GCP marketplace and I'm evaluating it locally.

I need to authenticate sftp users against WorkOS (the sftp connections, not WebClient). Using OpenID seems to be only available via WebClient, so I have used External Authentication .

I'm running sftpgo from docker compose with no custom config file provided.

I have setup hook via SFTPGO_DATA_PROVIDER__EXTERNAL_AUTH_HOOK=http://auth:8000 and running simple python script that returns test user.

I have made this work if I was just returning from a hook a dummy user with json like:

{
        "status": 1,
        "username": "test_user",
        "password": "secret123",
        "home_dir": "/tmp/test_user",
        "expiration_date": 0,
        "uid": 0,
        "gid": 0,
        "max_sessions": 0,
        "quota_size": 0,
        "quota_files": 0,
        "permissions": {
            "/": [
                "*"
            ],
            "/somedir": [
                "list",
                "download"
            ]
        },
        "upload_bandwidth": 0,
        "download_bandwidth": 0,
        "filters": {
            "allowed_ip": [],
            "denied_ip": [],
            "external_auth_cache_time": 0
        },
        "public_keys": [],
        "virtual_folders": [
            {
                "id": 1,
                "name": "upload - user 1",
                "mapped_path": "/srv/sftpgo/upload/user1",
                "virtual_path": "/upload",
                "quota_size": -1,
                "quota_files": -1
            }
        ]
    }

Obviously, I would like to use the actual username/password provided to authenticate.
However, the external hook seems to be always called with an empty password, and keyboard_interactive set to 1, even for normal login (tested using Filezilla/Cyberduck clients for login)

eg. sample data from POST payload send to hook by sftpgo:

auth-1    | Body: b'{"ip":"192.168.107.1","keyboard_interactive":"1","password":"","protocol":"SSH","public_key":"","tls_cert":"","username":"test_user"}'

Why is the password not passed down to hook?
Also, do I need to return the password in user object, I would like external auth to take over entirely the user and auth and do not need any password to be stored by sftpg if possible.

[gustaff-weldon]

I think I have solved the issue of missing password by returning invalid auth when either username or password is missing. SFTPGo call the hook again, this time with password set and keyboard_interactive set to empty 🤷‍♂️

[gustaff-weldon]

So the questions to answer are:

• do I need to return the password in user object
• can I omit folder id in virtual folders?

Ideally, I would like the virtual folder (it will be a user folder in GCS) to be created on the fly, but I'm ok to create virtual folders per user via API earlier, I would need to know their ids in external auth program somehow which complicates matters

[fostermi]

You'd have to do some testing because in my experience, setting the user object updates EVERYTHING associated with the user. So if you didn't return the password field with the current password, my hunch is that it would then become empty. Again, you'd need to test this to confirm.

I'm pretty sure you can omit the id of the virtual folder in the user json object. However, the virtual folder must already exist in order for it to be added to a user's config. So you'd have to have your authentication script make another call to create a folder for the user before returning the user object to sftpgo. I don't think using IDs would work here because sftpgo would not have created the user yet. That part would come after the authentication hook ran. You'd have to user something like the username.

[gustaff-weldon]

@fostermi hey, thanks, I have tested omitting id and password in the meantime. In a gist what is happening now is:

authenticate(username, password):
    if not username or not password:
        return {
            "status": 0,
            "username": "",
        }

   ... actual logic of authentication against WorkOS

    return {
        "status": 1,
        "username": username,
        "home_dir": f"/tmp/{username}",
        "expiration_date": 0,
        "uid": 0,
        "gid": 0,
        "max_sessions": 0,
        "quota_size": 0,
        "quota_files": 0,
        "permissions": {
            "/": [
                "*"
            ]
        },
        "upload_bandwidth": 0,
        "download_bandwidth": 0,
        "filters": {
            "allowed_ip": [],
            "denied_ip": [],
            "external_auth_cache_time": 0
        },
        "public_keys": [],
        "virtual_folders": [
            {
                "name": f"download-{username}",
                "mapped_path": f"/srv/sftpgo/download/{username}",
                "virtual_path": "/download",
                "quota_size": -1,
                "quota_files": -1
            },
            {
                "name": f"upload-{username}",
                "mapped_path": f"/srv/sftpgo/upload/{username}",
                "virtual_path": "/upload",
                "quota_size": -1,
                "quota_files": -1
            }
        ]
    }

As you can see I have dropped password and folder id and that works.
I'm creating the virtual folder via API beforehand.
I'm going to experiment with dropping the mapped_path as well, since it is already defined in virtual folder so I hope I do not need to repeat it in the object returned from external auth hook

[drakkan]

I'm going to experiment with dropping the mapped_path as well, since it is already defined in virtual folder so I hope I do not need to repeat it in the object returned from external auth hook

It can be omitted.

As for the initial question, please note that many clients attempt keyboard-interactive authentication before password authentication; the two can appear very similar.

[gustaff-weldon]

thanks @drakkan,

re: the keyboard_interactive yeah, I was suspecting that client tried keyboard_interactive, even though I specifically said to use standard password method. Either way the solution was to return an empty user until a username/password were both passed and authenticated properly.

re: virtual folders mapped path - that is great news to avoid duplication.

Is there a way to auto-create the virtual folders based on output from auth hook with any version of sftpgo? (testing with oss one now locally)

[drakkan]

Is there a way to auto-create the virtual folders based on output from auth hook with any version of sftpgo? (testing with oss one now locally)

No, this option existed in the old version, where folders were part of the user. In the current version, folders are separate objects with their own permissions and must be created independently.