Azure Multiple SSH Keys per User
Background
You can add multiple SSH keys to the same SFTP user. This is not supported in the web interface, so you'll have to do this manually at the command line.
First, you need to slightly modify one of our bash scripts.
Second, you'll update the SFTP user's object in the LDAP database using the ldapmodify command.
Edit the sshldap.sh script
Edit the sshldap.sh script:
vi /usr/local/bin/sshldap.sh
Replace the following line:
pub_key=$(ldapsearch -xLLL -D "cn=admin" -w $PASSWORD -l 0 -o nettimeout=none -o ldif-wrap=no "cn=$user" -b "dc=sftpgateway,dc=com" sshPublicKey | sed -n 's/sshPublicKey: //gp' | xargs)
With this:
pub_key=$(ldapsearch -xLLL -D "cn=admin" -w $PASSWORD -l 0 -o nettimeout=none -o ldif-wrap=no "cn=$user" -b "dc=sftpgateway,dc=com" sshPublicKey | sed -n 's/sshPublicKey: //gp')
(The only difference is that you are removing the | xargs at the end of the line. xargs joins every sshPublicKey value onto a single line, whereas sshd expects one public key per line.)
Note: This change only needs to be performed once.
Create the addkey.ldif file
Next, you will create a temporary file that contains the LDAP change you wish to make.
Create this file with this command:
touch /tmp/addkey.ldif
And add the following contents:
dn: uid=robtest,ou=People,dc=sftpgateway,dc=com
changeType: modify
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3Nz2EAAAADAQABAAA...CAQCfghj34eYeQ==
Make sure that you replace robtest and ssh-rsa AAAAB3Nz2EAAAADAQABAAA...CAQCfghj34eYeQ== with your own values.
Note: Do not include any trailing spaces after the sshPublicKey value.
Run the ldapmodify command
Finally, you will execute the LDAP change you created in the previous step.
First, get the LDAP password, and save it to a variable:
ldappassword=$(sudo grep ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2)
Next, use this password along with the ldapmodify command to apply the addkey.ldif file you created earlier:
ldapmodify -D cn=admin -w $ldappassword -f /tmp/addkey.ldif
Verify that multiple public keys are assigned
Try connecting over SFTP with your private key. If all went well, you should be logged in.
Troubleshooting
If you're not able to connect via SFTP with the new SSH key pair, there are a couple of things you can check.
Run the following command:
sshldap.sh robtest
You should see two public keys:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3/RV6jloApIKs7rbO898Ktc7tdo6TCaPqQwfOKqTqR4cjRAz7b0EpSQO7s21kqKnbgBOn7wtCsVNUNaGQw5SmHSL75oR1+I8hAVG5zh2PDp5853mHffhiCErf1KZwId9BeGkQhvEb/KGX+rdB8atxitdMT0DGy3mRr6UawTovm+bHDJclY+XYaxckI7Q0h1VhgwU3bomIsd/9kDaqr6v1jADlDKyE/H5309hloZHAVazB8wSROUffoXT26UHBZoqh55b1MgXqYMhw2XNWzvyhWW4DCgK0UFftMQqCZsd3m38GopHY/dtkYpJPExBo2Ig5hjQBRS+9RWapvR+B74u5 sftpgw@rob-testing-multiple-pub-ssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCiK/y9H4Nv3w8QrMoPIL8znaV0rsDB6MabLU3uG5qckpV9vTzvvUEc0gT/DGBoIl1hTB2uOQdIcapQoowI8rpImg3ePy+HBz2EUwUyU9//BhmO1WCis9IRpclh0mK6mUJqWagZuFABWCBVyzcEAUldX+rJV9IPVoDsxF/bZN7GJpPMRkV6b6iDhnfxVkXzymei1roWx6AZ1w3OuIE71rN1rEgXgCk3BMUAZgkgM5P+Fo+xEyTanRsy10pFMQWDmysNBXyvh0wof2rOJYFT0ZAHJEL59WXbReYCYqhkdQceyHjMHpflDhtC/GGs0Sc+gPxPclCjGBEtsQXlbnNKEbh robtest.key
If the format of your output looks different, the next step is to check the user object in LDAP.
The SFTP user should have two sshPublicKey attributes in LDAP, one for each SSH public key.
Run the following command (replacing the value of robtest):
ldapsearch -D cn=admin -w $ldappassword -b uid=robtest,ou=People,dc=sftpgateway,dc=com
You should see two attributes named sshPublicKey:
# robtest, People, sftpgateway.com
dn: uid=robtest,ou=People,dc=sftpgateway,dc=com
encryptionOption: 1
objectClass: account
objectClass: posixAccount
objectClass: sftpUser
objectClass: top
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3/RV6jloApIKs7rbO898Ktc7t
do6TCaPqQwfOKqTqR4cjRAz7b0EpSQO7s21kqKnbgBOn7wtCsVNUNaGQw5SmHSL75oR1+I8hAVG5z
h2PDp5853mHffhiCErf1KZwId9BeGkQhvEb/KGX+rdB8atxitdMT0DGy3mRr6UawTovm+bHDJclY+
XYaxckI7Q0h1VhgwU3bomIsd/9kDaqr6v1jADlDKyE/H5309hloZHAVazB8wSROUffoXT26UHBZoq
h55b1MgXqYMhw2XNWzvyhWW4DCgK0UFftMQqCZsd3m38GopHY/dtkYpJPExBo2Ig5hjQBRS+9RWap
vR+B74u5 sftpgw@rob-testing-multiple-pub-ssh
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCiK/y9H4Nv3w8QrMoPIL8znaV
0rsDB6MabLU3uG5qckpV9vTzvvUEc0gT/DGBoIl1hTB2uOQdIcapQoowI8rpImg3ePy+HBz2EUwUy
U9//BhmO1WCis9IRpclh0mK6mUJqWagZuFABWCBVyzcEAUldX+rJV9IPVoDsxF/bZN7GJpPMRkV6b
6iDhnfxVkXzymei1roWx6AZ1w3OuIE71rN1rEgXgCk3BMUAZgkgM5P+Fo+xEyTanRsy10pFMQWDmy
sNBXyvh0wof2rOJYFT0ZAHJEL59WXbReYCYqhkdQceyHjMHpflDhtC/GGs0Sc+gPxPclCjGBEtsQX
lbnNKEbh robtest.key
uid: robtest
homeDirectory: /home/robtest
cn: robtest
uidNumber: 100002
gidNumber: 100002
Each public key should have three fields (separated by spaces):
- The string ssh-rsa
- The contents of the public key
- An optional comment
Note: If you accidentally included trailing spaces in the LDIF file, the sshPublicKey value will become corrupt. ldapsearch then prints the value base64-encoded, which is what the double colon after the attribute name means, like this:
sshPublicKey:: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEQ2lLL3k5SDR
OdjN3OFFyTW9QSUw4em5hVjByc0RCNk1hYkxVM3VHNXFja3BWOXZUenZ2VUVjMGdUL0RHQm9JbDFo
VEIydU9RZEljYXBRb293SThycEltZzNlUHkrSEJ6MkVVd1V5VTkvL0JobU8xV0NpczlJUnBjbGgwb
Us2bVVKcVdhZ1p1RkFCV0NCVnl6Y0VBVWxkWCtySlY5SVBWb0RzeEYvYlpON0dKcFBNUmtWNmI2aU
RobmZ4VmtYenltZWkxcm9XeDZBWjF3M091SUU3MXJOMXJFZ1hnQ2szQk1VQVpna2dNNVArRm8reEV
5VGFuUnN5MTBwRk1RV0RteXNOQlh5dmgwd29mMnJPSllGVDBaQUhKRUw1OVdYYlJlWUNZcWhrZFFj
ZXlIak1IcGZsRGh0Qy9HR3MwU2MrZ1B4UGNsQ2pHQkV0c1FYbGJuTktFYmggcm9idGVzdC5rZXkgI
A==
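The two places where this procedure goes wrong are the LDIF you write (a trailing space after the key) and the ldapsearch output you read back while troubleshooting (folded lines and base64-encoded values). The following Python script is an added example, not part of SFTP Gateway, that covers both: it builds the addkey.ldif change for a user only after checking that the key is a single clean line of the form "type base64 [comment]", and it parses ldapsearch output, joining continuation lines and decoding "sshPublicKey::" values, so that a trailing space is reported instead of silently dropping the key. The DN layout uid=<user>,ou=People,dc=sftpgateway,dc=com comes from the page; the set of accepted key types beyond ssh-rsa and the sample ldapsearch output (including its base64 value, which decodes to a key with a trailing space) are constructed for this example. The parser unfolds lines because the troubleshooting ldapsearch command above omits the -o ldif-wrap=no option that sshldap.sh uses.

```python
"""Build and verify sshPublicKey LDIF changes for an SFTP Gateway LDAP user.

Added example, not SFTP Gateway's own code. The DN layout below is taken
from the page; KEY_TYPES and SAMPLE_LDAPSEARCH are constructed assumptions.
"""
import base64
import re

BASE_DN = "dc=sftpgateway,dc=com"
# Assumed list of acceptable key types; the page itself only shows ssh-rsa.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+=*")


def key_problems(key: str) -> list[str]:
    """Return what is wrong with one public-key line (empty list means clean)."""
    problems = []
    if key != key.rstrip():
        # OpenLDAP prints such a value base64-encoded (sshPublicKey::), which the
        # sed expression in sshldap.sh does not match, so the key is never offered to sshd.
        problems.append("value has trailing whitespace")
    stripped = key.strip()
    if "\n" in stripped or "\r" in stripped:
        problems.append("value spans more than one line")
    fields = stripped.split(" ")
    if len(fields) not in (2, 3) or "" in fields:
        problems.append("expected 'type base64 [comment]' separated by single spaces")
    else:
        if fields[0] not in KEY_TYPES:
            problems.append(f"unknown key type {fields[0]!r}")
        if not BASE64_RE.fullmatch(fields[1]):
            problems.append("key material is not base64")
    return problems


def build_add_key_ldif(uid: str, key: str) -> str:
    """Return the LDIF change that ldapmodify needs to add one more sshPublicKey."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", uid):
        raise ValueError("uid would need DN escaping; only plain names are handled here")
    problems = key_problems(key)
    if problems:
        raise ValueError("; ".join(problems))
    return (f"dn: uid={uid},ou=People,{BASE_DN}\n"
            "changetype: modify\n"
            "add: sshPublicKey\n"
            f"sshPublicKey: {key}\n")


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_values(ldif_text: str, attr: str) -> list[str]:
    """Collect every value of one attribute from ldapsearch output, decoding '::' (base64) values."""
    values = []
    for line in unfold_ldif(ldif_text):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):                      # "attr:: <base64>"
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:                                         # "attr: <value>"; keep trailing spaces intact
            values.append(rest[1:] if rest.startswith(" ") else rest)
    return values


def check_keys(keys: list[str]) -> list[tuple[str, list[str]]]:
    """Pair every key with its list of problems."""
    return [(key, key_problems(key)) for key in keys]


# Constructed sample modelled on the ldapsearch output shown on the page: one folded,
# healthy key and one base64 value that decodes to "ssh-rsa AAAA key " (trailing space).
SAMPLE_LDAPSEARCH = """\
# robtest, People, sftpgateway.com
dn: uid=robtest,ou=People,dc=sftpgateway,dc=com
objectClass: account
objectClass: sftpUser
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3/RV6jloApIKs7rbO898Ktc7t
 do6TCaPqQwfOKqTqR4cjRAz7 sftpgw@rob-testing-multiple-pub-ssh
sshPublicKey:: c3NoLXJzYSBBQUFBIGtleSA=
uid: robtest
"""

if __name__ == "__main__":
    # Constructed key material, not a real key.
    print(build_add_key_ldif("robtest", "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCiK robtest.key"), end="")
    for key, problems in check_keys(attribute_values(SAMPLE_LDAPSEARCH, "sshPublicKey")):
        print(repr(key[:40]), "OK" if not problems else "; ".join(problems))
```

Run it as-is to see the generated LDIF and the verdict on both sample keys; to use it for real, feed the output of the troubleshooting ldapsearch command into attribute_values and write build_add_key_ldif's result to /tmp/addkey.ldif before calling ldapmodify.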