From 7b239ae1544cd8c8b4cd510a7cf6bbfd53f37bfb Mon Sep 17 00:00:00 2001
From: Anis Eleuch
Date: Tue, 20 Aug 2024 21:00:29 +0100
Subject: [PATCH] sftp: Fix operations with a internal service account (#20293)

sftp sends local requests to the S3 port while passing the session token header when the account corresponds to a service account. However, this is not permitted and will throw an error: "The security token included in the request is invalid"

This commit will avoid passing the session token to the upper layer that initializes MinIO client to avoid this error.
---
 cmd/sftp-server.go | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/cmd/sftp-server.go b/cmd/sftp-server.go
index aef9817c8..95a1482a9 100644
--- a/cmd/sftp-server.go
+++ b/cmd/sftp-server.go
@@ -162,31 +162,32 @@ internalAuth:
 	}
 
 	if caPublicKey != nil && pass == nil {
-
 		err := validateKey(c, key)
 		if err != nil {
 			return nil, errAuthentication
 		}
-
 	} else {
-
 		// Temporary credentials are not allowed.
 		if ui.Credentials.IsTemp() {
 			return nil, errAuthentication
 		}
-
 		if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) != 1 {
 			return nil, errAuthentication
 		}
+
+	}
+
+	copts := map[string]string{
+		"AccessKey": ui.Credentials.AccessKey,
+		"SecretKey": ui.Credentials.SecretKey,
+	}
+	if ui.Credentials.IsTemp() {
+		copts["SessionToken"] = ui.Credentials.SessionToken
 	}
 
 	return &ssh.Permissions{
-		CriticalOptions: map[string]string{
-			"AccessKey":    ui.Credentials.AccessKey,
-			"SecretKey":    ui.Credentials.SecretKey,
-			"SessionToken": ui.Credentials.SessionToken,
-		},
-		Extensions: make(map[string]string),
+		CriticalOptions: copts,
+		Extensions:      make(map[string]string),
 	}, nil
 }
 
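Review bot: The reason the session token is now attached only for `IsTemp()` credentials lives in the commit message alone, so the new `copts` block should carry it, e.g. `// Service accounts carry a session token that the S3 layer rejects; forward it only for temporary (STS) credentials.` Note that the `else` branch above already rejects `IsTemp()` credentials for password logins, so the token can only ever be attached on the public-key path, which is worth stating next to the new `if` so the apparent double check is not mistaken for dead code. The added blank line before the `}` that closes the `else` block is leftover whitespace and can be dropped. The second hunk in processLDAPAuthentication drops the token unconditionally rather than gating it on `IsTemp()`; that is only equivalent if `sa` there can never be temporary, which neither hunk shows. The enclosing function of this hunk starts before it.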
@@ -207,9 +208,8 @@ func processLDAPAuthentication(key ssh.PublicKey, pass []byte, user string) (per
 	return &ssh.Permissions{
 		CriticalOptions: map[string]string{
-			"AccessKey":    sa.Credentials.AccessKey,
-			"SecretKey":    sa.Credentials.SecretKey,
-			"SessionToken": sa.Credentials.SessionToken,
+			"AccessKey": sa.Credentials.AccessKey,
+			"SecretKey": sa.Credentials.SecretKey,
 		},
 		Extensions: make(map[string]string),
 	}, nil