FTP/SFTP key based authentication #17585

andy812 · 2023-07-06T12:28:31Z

andy812
Jul 6, 2023

MinIO with FTP/SFTP features is a good replacement for standard FTP/SFTP server. But in many cases we should authenticaticate users (local users and Active Directory accounts) using their private keys. Is it possible to add FTP/SFTP key based authentication in MinIO for full-featured replacement of standard FTP/SFTP server?

harshavardhana · 2023-07-06T15:46:57Z

harshavardhana
Jul 6, 2023
Maintainer

Please provide more details on how you use it today @andy812 we are no FTP/SFTP experts here.

0 replies

jmlagace · 2023-07-06T17:36:53Z

jmlagace
Jul 6, 2023

I have a use case that might cover @andy812 need.

For a client I work on we have to provide an SFTP end point to a third party so they can push, unattended, CSVs and PDFs to our infrastructure.

The third party is much bigger than we are so they are providing their standard operating process.

We have to provide them:

the SFTP address and port
the user which they will connect with
the path where they will deposit the files

and they provided us: the public key they will be authenticating with so we can associate that key to the user.

Why a public key instead of a password?

Because their standard operating process uses SSH public key authentication when doing unattended file transfer (something I assume is very common).

For me, the decision on this topic, will determine if we can use Min.io for that project or use another platform.

3 replies

klauspost Jul 7, 2023
Collaborator

If you are looking for an SFTP server, you should honestly look somewhere else.

MinIO is an S3 compatible object store. (S)FTP is a very minimal implementation to provide a way to interact with your objects from a legacy application. It has limited feature support and we don't expect to do a full implementation. Legacy FTP will probably forever be highly restricted due to how the FTP protocol operates, and some SFTP features doesn't mix well with object storage.

If you provide MinIO SFTP "as a service" your users are bound to run into these limitations. It is there as a secondary option to S3 for internal applications, not as a primary protocol.

jmlagace Jul 7, 2023

Personally I would rather the bank adopt S3 to receive and transfer files. Except they are sticking with SFTP and we have to use what they enforce.

Internally I want to use S3 for file dissemination and collection.

So we are not looking for an SFTP server. We have to provide an SFTP interface to integrate with the bank (the 3rd party).

From my own research, automated, unattended processes, prefer public key authentication over password authentication (an SSH feature, not an FTP feature).

That being said, I totally get MinIO not wanting to integrate more SSH features into the product.

klauspost Jul 7, 2023
Collaborator

@jmlagace Just wanted to make sure your expectations didn't exceed what is realistic.

We don't want separate auth mechanism, but it should be possible to create (time limited) certs that link to a user.

WzorOn · 2023-07-07T10:02:58Z

WzorOn
Jul 7, 2023

Hi
Until now, quite a lot of companies have used sftp to exchange data with external counterparties and having a certificate authorization in AD in minio would complement it very well.
In AD, the user object has the userCertificate attribute, which is multivalued and stores the certificate in X509v3 format in DER encoding.
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adls/d66d1662-0b4f-44ab-a4c8-e788f3ae39cf
https://www.ietf.org/rfc/rfc3280.txt
You already have AD password authentication, convenient policies and a web interface, could you consider implementing certificate authentication?
Thanks

0 replies

vintury · 2023-07-09T18:20:20Z

vintury
Jul 9, 2023

Hello.
I think the addition of the ssh key authentication mechanism to minio is a very good thing.
Many companies today use sftp and s3 to deliver objects. Inside the company s3 is mainly used, but when working with partners they are forced to use sftp. If minio fully supports SFTP, it will be much easier for many companies to migrate from SFTP to minio S3.
Minio has already implemented most of the functionality, it remains only to finish a little..

A separate authentication mechanism is a good idea, I'll be glad to see it in the future.

1 reply

ventaubain Sep 5, 2023

I confirm the interest for SFTP SSH key in Minio. Some Cyber Risk Management Policies can't deal with SFTP by password and need stronger guarantees. Only using password limits drastically the pool of potential clients that need to transfer data by SFTP to the outside

mskyttner · 2023-08-03T15:06:27Z

mskyttner
Aug 3, 2023

I read about the sftp server configuration here and can see the recommendation to use these options: -sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa"...

My thinking is that a remote sftp user would authenticate using their private key and the minio server would have this user's corresponding public key available? I am comparing to this containerized setup for a sftp server:

  sftp:
    image: atmoz/sftp:alpine
    ports:
      - "8022:22"
    volumes:
      - ./my-share:/home/sftpuser/my-share
      - ./sftp/login.defs:/etc/login.defs
      - ./sftp/sftpusers.conf:/etc/sftp/users.conf:ro
      - ./sftp/keys/id_rsa.pub:/home/sftpuser/.ssh/keys/id_rsa.pub:ro
      - ./sftp/keys/one_pubkey:/home/sftpuser/.ssh/keys/one_pubkey.pub:ro
      - ./sftp/keys/another_pubkey:/home/sftpuser/.ssh/keys/another_pubkey.pub:ro
      - ./sftp/keys/hostkeys/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key:ro
      - ./sftp/keys/hostkeys/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key:ro

Is the -sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" here asking for the ssh_host_rsa_key?

And currently there is no way to make the minio sftp service aware of public ssh keys that users can authenticate against?

3 replies

nomed Oct 25, 2023

Any update on this?

i totally agree with @mskyttner

Btw… to have minio expose an sftp server without pub key auth i’m afraid can not be used on most of real cases

stove-panini Dec 14, 2023

Is the -sftp="ssh-private-key=/home/miniouser/.ssh/id_rsa" here asking for the ssh_host_rsa_key?

The documentation isn't clear about this and the example is weird, but yes, you're supplying the host key for the built-in SSH server with this argument. I've tried a few key types and verified that they can be located anywhere on the filesystem as well.

For example, --sftp="ssh-private-key=/tmp/id_ed25519" works just fine.

mskyttner Dec 19, 2023

I think I got a bit confused by the docs referring to the "user's private key file" and the key being named "ssh-private-key", when referring to the (private) host key for the sftp server (and not one of the users). If the key had been named "host-key" it would have been easier to understand perhaps.

harridu · 2023-09-19T04:21:06Z

harridu
Sep 19, 2023

I would be interested in pubkey access via SFTP as well.

0 replies

olljanat · 2024-05-09T21:04:12Z

olljanat
May 9, 2024

We don't want separate auth mechanism, but it should be possible to create (time limited) certs that link to a user.

FYI, RELEASE.2024-05-07T06-41-25Z added support for this.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FTP/SFTP key based authentication #17585

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 7 comments 7 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

FTP/SFTP key based authentication #17585

Replies: 7 comments · 7 replies

harshavardhana Jul 6, 2023 Maintainer

klauspost Jul 7, 2023 Collaborator

klauspost Jul 7, 2023 Collaborator

Replies: 7 comments 7 replies

harshavardhana
Jul 6, 2023
Maintainer

klauspost Jul 7, 2023
Collaborator

klauspost Jul 7, 2023
Collaborator