From: Andrey O. <cra...@ya...> - 2017-07-03 19:06:08
Hi,

Use of public key authentication ignores account expiration policies? How to deal with it?

I have a server running ProFTPD with mod_sftp enabled. For security reasons, all accounts have an expiration date. And this policy has worked pretty well until I needed to configure one of the accounts to authenticate via public key. It was then that, while testing, I discovered that public key authentication completely ignores the expiration or locking of accounts, ensuring access until the public key is manually removed.

Here I also use mod_sftp_pam, since the accounts are in Active Directory, but in a testing environment I noticed that the problem also occurs with local accounts and the mod_auth_unix module. In this case the module mod_sftp_pam is disabled.

When doing the same tests with OpenSSH, I realized that it handles the account state before starting the public key authentication step. If the account is expired or disabled, OpenSSH declines the access, even with a valid public key. Both for local accounts (UsePAM=no) and Active Directory accounts (UsePAM=yes).

I think this can also be a security problem, since it is not uncommon to use expiration or account lockout as an access policy.

This can be easily reproduced (tested on ProFTPD 1.3.5a-1build1 from Ubuntu 16.04 xenial (apt-get) and ProFTPD 1.3.7rc1 from git (cloned today)):

1. Create a local user, test password authentication and expire his account:

    root@ftpservertest:~/proftpd-master# usermod -e "2017-01-01" ftpusertest

2. Try to authenticate via password (without a public key set for this user), then you get this result:

    root@ftpservertest:~/proftpd-master# proftpd -n -c /etc/proftpd/proftpd.conf
    2017-07-03 12:03:57,776 ftpservertest proftpd[22068]: processing configuration directory '/etc/proftpd/conf.d/'
    2017-07-03 12:03:58,238 ftpservertest proftpd[22068] 127.0.1.1: ProFTPD 1.3.7rc1 (git) (built Seg Jul 3 2017 11:58:16 BRT) standalone mode STARTUP
    2017-07-03 12:04:53,199 ftpservertest proftpd[22084] 0.0.0.0 (10.0.0.3[10.0.0.3]): SSH2 session opened.
    2017-07-03 12:04:53,272 ftpservertest proftpd[22084] 0.0.0.0 (10.0.0.3[10.0.0.3]): USER ftpusertest (Login failed): authentication via 'ssh-rsa' public key failed
    2017-07-03 12:04:53,273 ftpservertest proftpd[22084] 0.0.0.0 (10.0.0.3[10.0.0.3]): USER ftpusertest (Login failed): keyboard-interactive authentication disabled
    2017-07-03 12:04:55,380 ftpservertest proftpd[22084] 0.0.0.0 (10.0.0.3[10.0.0.3]): USER ftpusertest (Login failed): Account disabled

3. Enable the public key, then the result will be this (access allowed):

    2017-07-03 12:05:52,686 ftpservertest proftpd[22092] 0.0.0.0 (10.0.0.3[10.0.0.3]): SSH2 session opened.
    2017-07-03 12:05:52,755 ftpservertest proftpd[22092] 0.0.0.0 (10.0.0.3[10.0.0.3]): USER ftpusertest: Login successful
    2017-07-03 12:05:52,755 ftpservertest proftpd[22092] 0.0.0.0 (10.0.0.3[10.0.0.3]): USER ftpusertest: Login successful.

4. If in OpenSSH with public key:

    Jul 3 14:45:45 ftpservertest sshd[12895]: Account ftpusertest has expired

My confs:

#file: /etc/proftpd/proftpd.conf
Include /etc/proftpd/modules.conf
UseIPv6 on
UseReverseDNS off
ServerName "Debian"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
Port 0
PassivePorts 49152 65534
<IfModule mod_dynmasq.c>
</IfModule>
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
UseLastlog on
SetEnv TZ :/etc/localtime
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
Include /etc/proftpd/conf.d/

#file: /etc/proftpd/conf.d/sftp.conf
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
<IfModule mod_sftp_pam.c>
SFTPPAMEngine off
SFTPPAMServiceName sftp
</IfModule>
SFTPEngine on
Port 22
SFTPLog /var/log/proftpd/sftp.log
AuthOrder mod_sftp_pam.c* mod_auth_unix.c
SFTPOptions IgnoreSCPUploadPerms IgnoreSFTPUploadPerms
<Limit LOGIN>
AllowUser OR andrey,ftpusertest
DenyAll
</Limit>
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
SFTPAuthorizedUserKeys file:~/.sftp/authorized_keys
SFTPAuthMethods publickey keyboard-interactive password
SFTPCompression delayed
</VirtualHost>
</IfModule>

Thanks for reading here. Any help will be appreciated.

--
Andrey de Oliveira
LPIC-2: Linux Engineer
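An added audit helper, not part of Andrey's report or of ProFTPD itself: it lists accounts whose shadow expiry day has passed but that still have an SFTPAuthorizedUserKeys file in place, i.e. the accounts the behaviour above would keep admitting. It assumes shadow-format input (field 8 is the expiry as days since 1970-01-01, empty or non-positive meaning "never expires", and the account counts as expired once today >= that day, as pam_unix does), home directories under one base directory, and keys at ~/.sftp/authorized_keys as in the sftp.conf above.

```shell
#!/bin/sh
# Audit helper (added example, not from the report or ProFTPD).
# usage: expired_key_accounts SHADOW_FILE HOME_BASE [TODAY_DAYS]
# Prints one username per line for each account that is expired in
# SHADOW_FILE and still has HOME_BASE/<user>/.sftp/authorized_keys.
expired_key_accounts() {
    shadow="$1"
    home_base="$2"
    # Days since 1970-01-01, the unit of shadow field 8; overridable for tests.
    today="${3:-$(( $(date +%s) / 86400 ))}"
    while IFS=: read -r user _pw _last _min _max _warn _inact expire _rest; do
        # Skip blank lines and comments (assumption: constructed input may have them).
        case "$user" in ''|'#'*) continue ;; esac
        # Empty, zero or negative expiry means the account never expires.
        [ -n "$expire" ] || continue
        [ "$expire" -gt 0 ] 2>/dev/null || continue
        # pam_unix treats the account as expired once today >= expiry day.
        [ "$today" -ge "$expire" ] || continue
        # Only report accounts that a public key would still let in.
        if [ -f "$home_base/$user/.sftp/authorized_keys" ]; then
            printf '%s\n' "$user"
        fi
    done < "$shadow"
}

# Self-contained demo on constructed data (17167 = 2017-01-01, 17350 = 2017-07-03).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/ftpusertest/.sftp" "$tmp/home/andrey/.sftp" "$tmp/home/nokey"
    : > "$tmp/home/ftpusertest/.sftp/authorized_keys"
    : > "$tmp/home/andrey/.sftp/authorized_keys"
    cat > "$tmp/shadow" <<'EOF'
# constructed sample shadow file, hashes are placeholders
ftpusertest:$6$x:17350:0:99999:7::17167:
andrey:$6$y:17350:0:99999:7:::
nokey:$6$z:17350:0:99999:7::17000:
EOF
    expired_key_accounts "$tmp/shadow" "$tmp/home" 17350
    rm -rf "$tmp"
}
```

On a live host the call would be `expired_key_accounts /etc/shadow /home` (read access to /etc/shadow required); the demo prints only `ftpusertest`, since `andrey` never expires and `nokey` has no key file.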