Azure Security Alert - echo authorized keys
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Overview
In the Azure Portal, you may receive a security alert regarding the authorized keys file. The VM is running the echo command on a public key, and the security alert is asking you to verify if this is legitimate activity.
This is normal behavior for SFTP Gateway, and you can ignore this security alert.
During the SFTP authentication process, SFTP Gateway provides OpenSSH with the user's public key via the echo command. No new keys are being inserted into the authorized_keys file.
Description of the security alert
You may receive a security alert with the following text.
New SSH key was added to the authorized keys file
This behavior was seen 6 times today on the following machines
Check that the SSH key identified in the alert was a legitimate activity that you expect to see on this host or device. If not, escalate the alert to the information security team.
User Name: sftpgw
Suspicious Process: /usr/bin/echo
Suspicious Command Line:
echo ssh-rsa AAAAB3NzaC1yc2E...xyz== robtest.key
This alert may seem alarming at first, because it says:
New SSH key was added to the authorized keys file
Look at the details of the security alert, and note the exact command used (i.e. the Suspicious Command Line). In the example above, the public key is just being echo'd, and nothing is being added to the authorized keys file.
Default Behavior of SFTP Gateway
Normally, Linux users are stored in files (e.g. /etc/passwd), and their public keys are stored in:
/home/<user>/.ssh/authorized_keys
SFTP Gateway uses an LDAP database to store the SFTP users. Instead of storing the public key in the authorized_keys file, it is stored as a property on the user object in the LDAP database.
OpenSSH, which is the default SSH/SFTP implementation on Linux, normally looks for the user's public key in their authorized_keys file.
So in order to supply the public key for the user, we tell OpenSSH (via sshd_config) to run a custom bash script to retrieve the user's public key from LDAP:
AuthorizedKeysCommand /usr/local/bin/sshldap
AuthorizedKeysCommandUser sftpgw
You can manually verify this by running the command:
sshldap robtest
This should output the public key for the user.
Since sshldap is a Bash script, it writes its output using the echo command. So the sshldap command returns the public key via the echo command:
echo ssh-rsa AAAAB3NzaC1yc2E...xyz== robtest.key
Unfortunately, this triggers an Azure security alert that checks for the echoing of public keys. Since the alert is not sure about the intent behind echoing the public key, it's asking you to investigate.