SFTP Gateway Support

3.0

SFTP Gateway 2.0 Multiple SSH Keys per User

Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.

Background

You can add multiple SSH keys to the same SFTP user. This is not supported in the web interface, so you'll have to do this manually at the command line.

Create the addkey.ldif file

Create a temporary file that contains the LDAP change you wish to make.

Create this file with this command:

touch /tmp/addkey.ldif

And add the following contents:

dn: uid=robtest,ou=People,dc=sftpgateway,dc=com
changeType: modify
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3Nz2EAAAADAQABAAA...CAQCfghj34eYeQ==

Make sure that you replace robtest and ssh-rsa AAAAB3Nz2EAAAADAQABAAA...CAQCfghj34eYeQ== with your own values.

Note: Do not include any trailing spaces after the sshPublicKey value.

Run the ldapmodify command

Execute the ldapmodify command and supply the ldif file you created in the previous step.

First, get the LDAP password, and save it to a variable:

ldappassword=$(sudo grep ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2-)

Next, use this password along with the ldapmodify command to execute the addkey.ldif file you created earlier.

ldapmodify -D cn=admin -w $ldappassword -f /tmp/addkey.ldif

Verify that multiple public keys are assigned

To test that both key are stored and retrieved properly run the command sudo sshldap <username>, this should print both keys to the console each on their own line.

Troubleshooting

If you're not able to connect via SFTP with the new SSH key pair, there are a couple of things you can check.

Run the following command:

sshldap.sh robtest

You should see two public keys:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3/RV6jloApIKs7rbO898Ktc7tdo6TCaPqQwfOKqTqR4cjRAz7b0EpSQO7s21kqKnbgBOn7wtCsVNUNaGQw5SmHSL75oR1+I8hAVG5zh2PDp5853mHffhiCErf1KZwId9BeGkQhvEb/KGX+rdB8atxitdMT0DGy3mRr6UawTovm+bHDJclY+XYaxckI7Q0h1VhgwU3bomIsd/9kDaqr6v1jADlDKyE/H5309hloZHAVazB8wSROUffoXT26UHBZoqh55b1MgXqYMhw2XNWzvyhWW4DCgK0UFftMQqCZsd3m38GopHY/dtkYpJPExBo2Ig5hjQBRS+9RWapvR+B74u5 sftpgw@rob-testing-multiple-pub-ssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCiK/y9H4Nv3w8QrMoPIL8znaV0rsDB6MabLU3uG5qckpV9vTzvvUEc0gT/DGBoIl1hTB2uOQdIcapQoowI8rpImg3ePy+HBz2EUwUyU9//BhmO1WCis9IRpclh0mK6mUJqWagZuFABWCBVyzcEAUldX+rJV9IPVoDsxF/bZN7GJpPMRkV6b6iDhnfxVkXzymei1roWx6AZ1w3OuIE71rN1rEgXgCk3BMUAZgkgM5P+Fo+xEyTanRsy10pFMQWDmysNBXyvh0wof2rOJYFT0ZAHJEL59WXbReYCYqhkdQceyHjMHpflDhtC/GGs0Sc+gPxPclCjGBEtsQXlbnNKEbh robtest.key

If the format of your output looks different, the next step is to check the user object in LDAP.

The SFTP user should have two sshPublicKey properties in LDAP -- one for each SSH public key.

Run the following command (replacing the value of robtest):

ldapsearch -D cn=admin -w $ldappassword -b uid=robtest,ou=People,dc=sftpgateway,dc=com

You should see two properties named sshPublicKey:

# robtest, People, sftpgateway.com
dn: uid=robtest,ou=People,dc=sftpgateway,dc=com
encryptionOption: 1
objectClass: account
objectClass: posixAccount
objectClass: sftpUser
objectClass: top
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3/RV6jloApIKs7rbO898Ktc7t
 do6TCaPqQwfOKqTqR4cjRAz7b0EpSQO7s21kqKnbgBOn7wtCsVNUNaGQw5SmHSL75oR1+I8hAVG5z
 h2PDp5853mHffhiCErf1KZwId9BeGkQhvEb/KGX+rdB8atxitdMT0DGy3mRr6UawTovm+bHDJclY+
 XYaxckI7Q0h1VhgwU3bomIsd/9kDaqr6v1jADlDKyE/H5309hloZHAVazB8wSROUffoXT26UHBZoq
 h55b1MgXqYMhw2XNWzvyhWW4DCgK0UFftMQqCZsd3m38GopHY/dtkYpJPExBo2Ig5hjQBRS+9RWap
 vR+B74u5 sftpgw@rob-testing-multiple-pub-ssh
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCiK/y9H4Nv3w8QrMoPIL8znaV
 0rsDB6MabLU3uG5qckpV9vTzvvUEc0gT/DGBoIl1hTB2uOQdIcapQoowI8rpImg3ePy+HBz2EUwUy
 U9//BhmO1WCis9IRpclh0mK6mUJqWagZuFABWCBVyzcEAUldX+rJV9IPVoDsxF/bZN7GJpPMRkV6b
 6iDhnfxVkXzymei1roWx6AZ1w3OuIE71rN1rEgXgCk3BMUAZgkgM5P+Fo+xEyTanRsy10pFMQWDmy
 sNBXyvh0wof2rOJYFT0ZAHJEL59WXbReYCYqhkdQceyHjMHpflDhtC/GGs0Sc+gPxPclCjGBEtsQX
 lbnNKEbh robtest.key
uid: robtest
homeDirectory: /home/robtest
cn: robtest
uidNumber: 100002
gidNumber: 100002

Each public key should have three fields (separated by spaces):

  1. The string ssh-rsa
  2. The contents of the public key
  3. An optional comment

Note: If you accidentally included trailing spaces in the LDIF file, the sshPublicKey value will become corrupt like this:

sshPublicKey:: c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEQ2lLL3k5SDR
 OdjN3OFFyTW9QSUw4em5hVjByc0RCNk1hYkxVM3VHNXFja3BWOXZUenZ2VUVjMGdUL0RHQm9JbDFo
 VEIydU9RZEljYXBRb293SThycEltZzNlUHkrSEJ6MkVVd1V5VTkvL0JobU8xV0NpczlJUnBjbGgwb
 Us2bVVKcVdhZ1p1RkFCV0NCVnl6Y0VBVWxkWCtySlY5SVBWb0RzeEYvYlpON0dKcFBNUmtWNmI2aU
 RobmZ4VmtYenltZWkxcm9XeDZBWjF3M091SUU3MXJOMXJFZ1hnQ2szQk1VQVpna2dNNVArRm8reEV
 5VGFuUnN5MTBwRk1RV0RteXNOQlh5dmgwd29mMnJPSllGVDBaQUhKRUw1OVdYYlJlWUNZcWhrZFFj
 ZXlIak1IcGZsRGh0Qy9HR3MwU2MrZ1B4UGNsQ2pHQkV0c1FYbGJuTktFYmggcm9idGVzdC5rZXkgI
 A==
PreviousSFTP Gateway 2.0 Allow Users to Delete from Downloads