sftpgo-mirror/docs/external-auth.md

# External Authentication

To enable external authentication, you must set the absolute path of your authentication program or an HTTP URL using the `external_auth_hook` key in your configuration file.

The external program can read the following environment variables to get info about the user trying to authenticate:

- `SFTPGO_AUTHD_USERNAME`
- `SFTPGO_AUTHD_USER`, STPGo user serialized as JSON, empty if the user does not exist within the data provider
- `SFTPGO_AUTHD_IP`
- `SFTPGO_AUTHD_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`
- `SFTPGO_AUTHD_PASSWORD`, not empty for password authentication
- `SFTPGO_AUTHD_PUBLIC_KEY`, not empty for public key authentication
- `SFTPGO_AUTHD_KEYBOARD_INTERACTIVE`, not empty for keyboard interactive authentication
- `SFTPGO_AUTHD_TLS_CERT`, TLS client certificate PEM encoded. Not empty for TLS certificate authentication

Previous global environment variables aren't cleared when the script is called. The content of these variables is _not_ quoted. They may contain special characters. They are under the control of a possibly malicious remote user.
The program can inspect the SFTPGo user, if it exists, using the `SFTPGO_AUTHD_USER` environment variable.
The program must write, on its standard output:

- a valid SFTPGo user serialized as JSON if the authentication succeeds. The user will be added/updated within the defined data provider
- an empty string, or no response at all, if authentication succeeds and the existing SFTPGo user does not need to be updated
- a user with an empty username if the authentication fails

If the hook is an HTTP URL then it will be invoked as HTTP POST. The request body will contain a JSON serialized struct with the following fields:

- `username`
- `ip`
- `user`, STPGo user serialized as JSON, omitted if the user does not exist within the data provider
- `protocol`, possible values are `SSH`, `FTP`, `DAV`
- `password`, not empty for password authentication
- `public_key`, not empty for public key authentication
- `keyboard_interactive`, not empty for keyboard interactive authentication
- `tls_cert`, TLS client certificate PEM encoded. Not empty for TLS certificate authentication

If authentication succeeds the HTTP response code must be 200 and the response body can be:

- a valid SFTPGo user serialized as JSON. The user will be added/updated within the defined data provider
- empty, the existing SFTPGo user does not need to be updated

If the authentication fails the HTTP response code must be != 200.

Actions defined for users added/updated will not be executed in this case and an already logged in user with the same username will not be disconnected.

The program hook must finish within 30 seconds, the HTTP hook timeout will use the global configuration for HTTP clients.

This method is slower than built-in authentication, but it's very flexible as anyone can easily write his own authentication hooks.
You can also restrict the authentication scope for the hook using the `external_auth_scope` configuration key:

- `0` means all supported authentication scopes. The external hook will be used for password, public key, keyboard interactive and TLS certificate authentication
- `1` means passwords only
- `2` means public keys only
- `4` means keyboard interactive only
- `8` means TLS certificate only

You can combine the scopes. For example, 3 means password and public key, 5 means password and keyboard interactive, and so on.

Let's see a very basic example. Our sample authentication program will only accept user `test_user` with any password or public key.

```shell
#!/bin/sh

if test "$SFTPGO_AUTHD_USERNAME" = "test_user"; then
  echo '{"status":1,"username":"test_user","expiration_date":0,"home_dir":"/tmp/test_user","uid":0,"gid":0,"max_sessions":0,"quota_size":0,"quota_files":100000,"permissions":{"/":["*"],"/somedir":["list","download"]},"upload_bandwidth":0,"download_bandwidth":0,"filters":{"allowed_ip":[],"denied_ip":[]},"public_keys":[]}'
else
  echo '{"username":""}'
fi
```

The structure for SFTPGo users can be found within the [OpenAPI schema](../httpd/schema/openapi.yaml).

An example authentication program allowing to authenticate against an LDAP server can be found inside the source tree [ldapauth](../examples/ldapauth) directory.

An example server, to use as HTTP authentication hook, allowing to authenticate against an LDAP server can be found inside the source tree [ldapauthserver](../examples/ldapauthserver) directory.

If you have an external authentication hook that could be useful to others too, please let us know and/or please send a pull request.
Refactor docs 2020-03-04 22:10:58 +00:00			`# External Authentication`

add HTTP hooks external auth, pre-login user modification and keyboard interactive authentication is now supported via HTTP requests too 2020-04-01 21:25:23 +00:00			To enable external authentication, you must set the absolute path of your authentication program or an HTTP URL using the `external_auth_hook` key in your configuration file.
Refactor docs 2020-03-04 22:10:58 +00:00
			`The external program can read the following environment variables to get info about the user trying to authenticate:`

			- `SFTPGO_AUTHD_USERNAME`
external auth: allow to inspect and preserve an existing user 2021-03-26 14:19:01 +00:00			- `SFTPGO_AUTHD_USER`, STPGo user serialized as JSON, empty if the user does not exist within the data provider
Add client IP address to external auth, pre-login and keyboard interactive hooks 2020-08-04 16:03:28 +00:00			- `SFTPGO_AUTHD_IP`
add post-login hook a login scope is supported too so you can get notifications for failed logins, successful logins or both 2020-08-12 14:15:12 +00:00			- `SFTPGO_AUTHD_PROTOCOL`, possible values are `SSH`, `FTP`, `DAV`
Refactor docs 2020-03-04 22:10:58 +00:00			- `SFTPGO_AUTHD_PASSWORD`, not empty for password authentication
			- `SFTPGO_AUTHD_PUBLIC_KEY`, not empty for public key authentication
			- `SFTPGO_AUTHD_KEYBOARD_INTERACTIVE`, not empty for keyboard interactive authentication
FTP: improve TLS certificate authentication For each user you can now configure: - TLS certificate auth - TLS certificate auth and password - Password auth For TLS auth, the certificate common name must match the name provided using the "USER" FTP command 2021-02-28 11:10:40 +00:00			- `SFTPGO_AUTHD_TLS_CERT`, TLS client certificate PEM encoded. Not empty for TLS certificate authentication
Refactor docs 2020-03-04 22:10:58 +00:00
			`Previous global environment variables aren't cleared when the script is called. The content of these variables is _not_ quoted. They may contain special characters. They are under the control of a possibly malicious remote user.`
external auth: allow to inspect and preserve an existing user 2021-03-26 14:19:01 +00:00			The program can inspect the SFTPGo user, if it exists, using the `SFTPGO_AUTHD_USER` environment variable.
			`The program must write, on its standard output:`

			`- a valid SFTPGo user serialized as JSON if the authentication succeeds. The user will be added/updated within the defined data provider`
			`- an empty string, or no response at all, if authentication succeeds and the existing SFTPGo user does not need to be updated`
			`- a user with an empty username if the authentication fails`
add HTTP hooks external auth, pre-login user modification and keyboard interactive authentication is now supported via HTTP requests too 2020-04-01 21:25:23 +00:00
			`If the hook is an HTTP URL then it will be invoked as HTTP POST. The request body will contain a JSON serialized struct with the following fields:`

			- `username`
Add client IP address to external auth, pre-login and keyboard interactive hooks 2020-08-04 16:03:28 +00:00			- `ip`
external auth: allow to inspect and preserve an existing user 2021-03-26 14:19:01 +00:00			- `user`, STPGo user serialized as JSON, omitted if the user does not exist within the data provider
add post-login hook a login scope is supported too so you can get notifications for failed logins, successful logins or both 2020-08-12 14:15:12 +00:00			- `protocol`, possible values are `SSH`, `FTP`, `DAV`
add HTTP hooks external auth, pre-login user modification and keyboard interactive authentication is now supported via HTTP requests too 2020-04-01 21:25:23 +00:00			- `password`, not empty for password authentication
			- `public_key`, not empty for public key authentication
			- `keyboard_interactive`, not empty for keyboard interactive authentication
FTP: improve TLS certificate authentication For each user you can now configure: - TLS certificate auth - TLS certificate auth and password - Password auth For TLS auth, the certificate common name must match the name provided using the "USER" FTP command 2021-02-28 11:10:40 +00:00			- `tls_cert`, TLS client certificate PEM encoded. Not empty for TLS certificate authentication
add HTTP hooks external auth, pre-login user modification and keyboard interactive authentication is now supported via HTTP requests too 2020-04-01 21:25:23 +00:00
external auth: allow to inspect and preserve an existing user 2021-03-26 14:19:01 +00:00			`If authentication succeeds the HTTP response code must be 200 and the response body can be:`

			`- a valid SFTPGo user serialized as JSON. The user will be added/updated within the defined data provider`
			`- empty, the existing SFTPGo user does not need to be updated`

			`If the authentication fails the HTTP response code must be != 200.`
add HTTP hooks external auth, pre-login user modification and keyboard interactive authentication is now supported via HTTP requests too 2020-04-01 21:25:23 +00:00
external auth: allow to inspect and preserve an existing user 2021-03-26 14:19:01 +00:00			`Actions defined for users added/updated will not be executed in this case and an already logged in user with the same username will not be disconnected.`
CI: use go 1.15 by default now that it is released 2020-08-12 14:42:38 +00:00
add a new configuration section for HTTP clients HTTP clients are used for executing hooks such as the ones used for custom actions, external authentication and pre-login user modifications. This allows, for example, to use self-signed certificate without defeating the purpose of using TLS 2020-04-26 21:29:09 +00:00			`The program hook must finish within 30 seconds, the HTTP hook timeout will use the global configuration for HTTP clients.`
add HTTP hooks external auth, pre-login user modification and keyboard interactive authentication is now supported via HTTP requests too 2020-04-01 21:25:23 +00:00
			`This method is slower than built-in authentication, but it's very flexible as anyone can easily write his own authentication hooks.`
			You can also restrict the authentication scope for the hook using the `external_auth_scope` configuration key:
Refactor docs 2020-03-04 22:10:58 +00:00
FTP: improve TLS certificate authentication For each user you can now configure: - TLS certificate auth - TLS certificate auth and password - Password auth For TLS auth, the certificate common name must match the name provided using the "USER" FTP command 2021-02-28 11:10:40 +00:00			- `0` means all supported authentication scopes. The external hook will be used for password, public key, keyboard interactive and TLS certificate authentication
add check password hook its main use case is to allow to easily support things like password+OTP for protocols without keyboard interactive support such as FTP and WebDAV 2020-08-19 17:36:12 +00:00			- `1` means passwords only
			- `2` means public keys only
			- `4` means keyboard interactive only
FTP: improve TLS certificate authentication For each user you can now configure: - TLS certificate auth - TLS certificate auth and password - Password auth For TLS auth, the certificate common name must match the name provided using the "USER" FTP command 2021-02-28 11:10:40 +00:00			- `8` means TLS certificate only
Refactor docs 2020-03-04 22:10:58 +00:00
			`You can combine the scopes. For example, 3 means password and public key, 5 means password and keyboard interactive, and so on.`

			Let's see a very basic example. Our sample authentication program will only accept user `test_user` with any password or public key.

docs: fix markdown lint warnings 2020-06-15 21:46:11 +00:00			```shell
Refactor docs 2020-03-04 22:10:58 +00:00			`#!/bin/sh`

			`if test "$SFTPGO_AUTHD_USERNAME" = "test_user"; then`
			`echo '{"status":1,"username":"test_user","expiration_date":0,"home_dir":"/tmp/test_user","uid":0,"gid":0,"max_sessions":0,"quota_size":0,"quota_files":100000,"permissions":{"/":["*"],"/somedir":["list","download"]},"upload_bandwidth":0,"download_bandwidth":0,"filters":{"allowed_ip":[],"denied_ip":[]},"public_keys":[]}'`
			`else`
			`echo '{"username":""}'`
			`fi`
			```

Add a link to the OpenAPI schema where relevant Fixes #329 2021-03-01 21:22:05 +00:00			`The structure for SFTPGo users can be found within the [OpenAPI schema](../httpd/schema/openapi.yaml).`

external auth: add example HTTP server to use as authentication hook The server authenticate against an LDAP server. 2020-04-26 12:48:32 +00:00			`An example authentication program allowing to authenticate against an LDAP server can be found inside the source tree [ldapauth](../examples/ldapauth) directory.`

			`An example server, to use as HTTP authentication hook, allowing to authenticate against an LDAP server can be found inside the source tree [ldapauthserver](../examples/ldapauthserver) directory.`
add an example auth program that allow to authenticate against LDAP External authentication is the way to go to authenticate against LDAP, at least for now. Closes #99 2020-04-11 20:30:41 +00:00
			`If you have an external authentication hook that could be useful to others too, please let us know and/or please send a pull request.`