Sftp key handling #39935

Merged
merged 7 commits into from
Apr 27, 2022

jvillafanez
Member

Description

Modify public/private key behavior for SFTP storage in order to avoid exposing the private key.

The keys will always be generated on the server. The user won't be able to provide his own keys.
The public key will be handled as any "public" parameter, so no encryption or encoding will be applied to this parameter.
For the private key, an opaque token will be sent instead of the actual key. From the user's perspective, this token needs to be sent as the private key. The actual private key will be kept in ownCloud and it will be encrypted.

Since the parameters for the storage are different, a migration is provided to convert the old parameters to the new format.

Related Issue

https://github.com/owncloud/enterprise/issues/5036

Motivation and Context

Private key shouldn't be exposed in any way.

How Has This Been Tested?

  • test environment:
  • test case 1:
  • test case 2:
  • ...

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE
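
The token indirection described in the PR description above, as an added example that is not code from this pull request or from ownCloud: the key pair is generated and sealed on the server, and the client only ever sees a random token in the private-key field. `SftpKeyVault`, its methods, the in-memory store and the 4096-bit RSA size are assumptions of this example; it needs PHP 7.4+ with the openssl and sodium extensions.

```php
<?php
// Added illustration: class and method names are hypothetical, not ownCloud's.
final class SftpKeyVault
{
    /** @var array<string,string> token => nonce . ciphertext (stands in for a DB table) */
    private array $store = [];
    private string $masterKey;
    public function __construct(string $masterKey) { $this->masterKey = $masterKey; }

    /** Generate the pair server-side; hand out the public key and a token only. */
    public function createKeyPair(): array
    {
        // 4096-bit RSA is this example's choice, not a value taken from the PR.
        $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 4096]);
        if ($key === false || !openssl_pkey_export($key, $privatePem)) {
            throw new RuntimeException('key generation failed');
        }
        $publicPem = openssl_pkey_get_details($key)['key'];
        return ['public_key' => $publicPem, 'private_key' => $this->seal($privatePem)];
    }

    /** Also the migration path: wrap a private key found in an old-format config. */
    public function seal(string $privatePem): string
    {
        $token = bin2hex(random_bytes(32)); // random, so it carries no key material
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $this->store[$token] = $nonce . sodium_crypto_secretbox($privatePem, $nonce, $this->masterKey);
        return $token;
    }

    /** Resolve the token the client sent back in the "private key" field. */
    public function open(string $token): string
    {
        if (!isset($this->store[$token])) {
            throw new InvalidArgumentException('not a token issued by this server');
        }
        $nonce = substr($this->store[$token], 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = substr($this->store[$token], SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $pem = sodium_crypto_secretbox_open($box, $nonce, $this->masterKey);
        if ($pem === false) {
            throw new RuntimeException('stored key failed authentication');
        }
        return $pem;
    }
}
$vault = new SftpKeyVault(sodium_crypto_secretbox_keygen());
$config = $vault->createKeyPair(); // what a client of the storage settings would see
var_dump(strpos($config['private_key'], 'PRIVATE KEY') === false); // is the token free of PEM text?
var_dump(strpos($vault->open($config['private_key']), 'PRIVATE KEY') !== false); // does it resolve to the key?
```

Because `open()` only accepts tokens the server issued, a PEM key pasted into the private-key field is rejected rather than stored, which is how this example enforces server-side key generation.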

@update-docs

update-docs bot commented Mar 31, 2022

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@ownclouders
Contributor

💥 Acceptance tests pipeline apiTranslation-mariadb10.2-php7.4 failed. The build has been cancelled.

https://drone.owncloud.com/owncloud/core/35148/82

@jvillafanez
Member Author

@C0rby could you check if the approach is good enough from a secure point of view?

@C0rby
Contributor

C0rby commented Apr 11, 2022

> @C0rby could you check if the approach is good enough from a secure point of view?

Security-wise these changes look good.

There are some other things I want to change though, but not in this pull request. Let's do that afterwards.
What I just saw was that the parameters for generating the RSA keypair are not up to today's standards.

@sonarcloud

sonarcloud bot commented Apr 25, 2022

SonarCloud Quality Gate failed.

Bugs: 0 (A)
Vulnerabilities: 0 (A)
Security Hotspots: 0 (A)
Code Smells: 2 (A)

Coverage: 24.7%
Duplication: 10.3%

@jvillafanez jvillafanez merged commit 8cffbdd into master Apr 27, 2022
@delete-merged-branch delete-merged-branch bot deleted the sftp_key_handling branch April 27, 2022 06:42