
[IMP] storage_backend_sftp: add security and compatibility options#554

Open
IJOL wants to merge 1 commit into OCA:16.0 from BITVAX:16.0-add-sftp-security-options

Conversation


@IJOL IJOL commented Feb 4, 2026

Summary

This PR adds security and compatibility improvements to the SFTP storage backend:

  • Legacy algorithm support: New sftp_legacy_algorithms field enables ssh-rsa for older SFTP servers (like bank servers) that don't support modern key exchange algorithms
  • Host key verification: New sftp_verify_hostkey and sftp_hostkey fields allow verifying the server's host key to prevent MITM attacks
  • Flexible key input: Key fields now accept file paths (e.g., ~/.ssh/id_rsa) in addition to direct content, plus bytes and file-like objects

New fields

| Field | Type | Description |
|---|---|---|
| sftp_legacy_algorithms | Boolean | Enable ssh-rsa for legacy servers |
| sftp_verify_hostkey | Boolean | Enable host key verification |
| sftp_hostkey | Text | Server host key (content or path to known_hosts) |

Key input formats supported

  • Direct content: -----BEGIN RSA PRIVATE KEY-----...
  • File path: ~/.ssh/id_rsa or /path/to/key
  • Bytes: b'-----BEGIN...'
  • File object: open('key.pem')

Test plan

  • Create SFTP backend with legacy algorithm enabled
  • Test connection to server requiring ssh-rsa
  • Create SFTP backend with host key verification enabled
  • Test connection with correct host key
  • Test connection with incorrect host key (should fail)
  • Test using file path for private key instead of content

Add several improvements to the SFTP storage backend:

Security:
- Add optional host key verification to prevent MITM attacks
- Support for known_hosts file format or direct key content

Compatibility:
- Add legacy SSH algorithms support for older servers (banks, etc.)
- Disable rsa-sha2-256/512 to force ssh-rsa signing when needed
- Force ssh-rsa key type priority for legacy servers

Usability:
- Accept file paths (~/..., /path/to) in addition to key content
- Support bytes and file-like objects for key inputs
- Normalize all key inputs through a common helper function

Debugging:
- Add optional verbose logging field for detailed diagnostics
- Log server version, ciphers, and key fingerprints when enabled
- Show accepted auth methods on authentication failure
- Separate key exchange from authentication for better error reporting
@IJOL IJOL force-pushed the 16.0-add-sftp-security-options branch from 1400f05 to 8aa8cca on February 4, 2026 16:24
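The two checks the description above relies on, key input normalization (path, content, bytes or file-like object) and host key verification against known_hosts content or a bare key, as an added stand-alone example; this is not the PR's code and it assumes plain standard-library Python, with the sample known_hosts data constructed inline rather than taken from a real server.

```python
import base64
import hmac
import os

# Constructed sample data for the checks below; these bytes are NOT a real host key.
SAMPLE_KEY = b"constructed-sample-host-key-bytes"
SAMPLE_KNOWN_HOSTS = "# host[,host...] key-type base64-key\n" + \
    "sftp.example.test,10.0.0.5 ssh-ed25519 " + base64.b64encode(SAMPLE_KEY).decode() + "\n"

def normalize_key_input(value):
    """Return key material as text from a file path, key content, bytes or a file-like object."""
    if hasattr(value, "read"):  # file-like object, text or binary
        data = value.read()
        return data.decode() if isinstance(data, bytes) else data
    if isinstance(value, bytes):
        return value.decode()
    if isinstance(value, str):
        path = os.path.expanduser(value.strip())
        # A single-line string naming an existing file is read; anything else is treated as content.
        if "\n" not in path and os.path.isfile(path):
            with open(path) as fh:
                return fh.read()
        return value
    raise TypeError("unsupported key input: %s" % type(value).__name__)

def parse_known_hosts(text):
    """Map (host, key type) -> raw key bytes from known_hosts lines, or from a bare
    'key-type base64' pair (pinned for any host). Hashed '|1|' entries are skipped."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", "|1|")):
            continue
        if len(parts) >= 3:
            hosts, ktype, blob = parts[0], parts[1], parts[2]
        elif len(parts) == 2:
            hosts, ktype, blob = "*", parts[0], parts[1]
        else:
            continue
        for host in hosts.split(","):
            keys[(host, ktype)] = base64.b64decode(blob)
    return keys

def verify_hostkey(known_hosts_input, host, server_ktype, server_key):
    """True only if the key the server presented matches the pinned key for host.
    An unknown host or a mismatching key must abort the connection (possible MITM)."""
    keys = parse_known_hosts(normalize_key_input(known_hosts_input))
    pinned = keys.get((host, server_ktype)) or keys.get(("*", server_ktype))
    return pinned is not None and hmac.compare_digest(pinned, server_key)
```

The PR's "incorrect host key (should fail)" test case corresponds to `verify_hostkey` returning False for a different key, a different key type, or a host that is not pinned at all.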