In the Azure Portal, you may receive a security alert regarding the authorized keys file. The VM is running the echo command on a public key, and the security alert is asking you to verify whether this is legitimate activity. This is normal behavior for SFTP Gateway, and you can ignore this security alert.
During the SFTP authentication process, SFTP Gateway provides OpenSSH with the user's public key via the echo command. No new keys are being inserted into the authorized keys file.
Description of the security alert
You may receive a security alert with the following text:
New SSH key was added to the authorized keys file
This behavior was seen 6 times today on the following machines
Check that the SSH key identified in the alert was a legitimate activity that you expect to see on this host or device. If not, escalate the alert to the information security team.
User Name: sftpgw
Suspicious Process: /usr/bin/echo
Suspicious Command Line: echo ssh-rsa AAAAB3NzaC1yc2E...xyz== robtest.key
This alert may seem alarming at first, because it says:
New SSH key was added to the authorized keys file
Look at the details of the security alert, and note the exact command used (i.e. the Suspicious Command Line).
In the example above, the public key is just being echo'd, and nothing is being added to the authorized keys file.
Default Behavior of SFTP Gateway
Normally, Linux users are stored in files (e.g. /etc/passwd), and their public keys are stored in their authorized_keys file.
SFTP Gateway instead uses an LDAP database to store the SFTP users. And instead of storing the public key in the authorized_keys file, it is stored as a property on the user object in the LDAP database.
OpenSSH, which is the default SSH/SFTP implementation on Linux, normally looks for the user's public key in their authorized_keys file.
So in order to supply the public key for the user, we tell OpenSSH (via sshd_config) to run a custom bash script that retrieves the user's public key from LDAP:
AuthorizedKeysCommand /usr/local/bin/sshldap
AuthorizedKeysCommandUser sftpgw
You can verify this manually by running the sshldap command for a user. It should output the public key for that user.
Since Bash is a scripting language, it sends messages using the echo command. So the sshldap command returns the public key via the echo command:
echo ssh-rsa AAAAB3NzaC1yc2E...xyz== robtest.key
Unfortunately, this triggers an Azure security alert that checks for the echoing of public keys.
Since the alert is not sure about the intent behind echoing the public key, it's asking you to investigate.
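The triage step described above (read the Suspicious Command Line and confirm the key is only being echoed, not written to a file) can be scripted. The following is an added example and is not part of SFTP Gateway or the Azure alert; the sample alert text is constructed from the alert quoted earlier, and the "sftpgw" account name is taken from the AuthorizedKeysCommandUser setting above.

```python
import os
import shlex

# Constructed sample alert, modelled on the alert text quoted above.
SAMPLE_ALERT = """\
New SSH key was added to the authorized keys file
User Name: sftpgw
Suspicious Process: /usr/bin/echo
Suspicious Command Line: echo ssh-rsa AAAAB3NzaC1yc2E...xyz== robtest.key
"""

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
FILE_WRITERS = {"tee", "cp", "mv", "sed", "dd", "install"}


def parse_alert(text):
    """Pull the 'Key: value' fields out of the alert body."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("User Name", "Suspicious Process",
                                    "Suspicious Command Line"):
            fields[key.strip()] = value.strip()
    return fields


def classify_command(cmdline):
    """'benign-echo': a bare echo of a public key, no file involved (what an
    AuthorizedKeysCommand produces); 'writes-authorized-keys': the command
    references authorized_keys; 'review': anything else, check by hand."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:        # unbalanced quotes: do not guess
        return "review"
    if not tokens:
        return "review"
    if any("authorized_keys" in t for t in tokens):
        return "writes-authorized-keys"
    # Redirections, pipes or chained commands could still land the key in a file.
    if any(t[0] in "<>|;&" for t in tokens) or FILE_WRITERS & set(tokens):
        return "review"
    if os.path.basename(tokens[0]) == "echo" and len(tokens) >= 2 \
            and tokens[1] in KEY_TYPES:
        return "benign-echo"
    return "review"


def triage(alert_text, expected_user="sftpgw"):
    """Benign only if the configured AuthorizedKeysCommandUser ran a plain echo."""
    f = parse_alert(alert_text)
    verdict = classify_command(f.get("Suspicious Command Line", ""))
    if verdict == "benign-echo" and f.get("User Name") != expected_user:
        verdict = "review"    # right shape of command, but unexpected account
    return verdict
```

Anything other than "benign-echo" is worth a closer look, since the alert text does not distinguish a key that was merely printed from one that was appended to a file.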