SFTP using Password or SSH public key

0

I have created an SFTP server using the AWS Transfer Family. The identity provider is the custom identity provider, which uses a Lambda function to check the username and password against AWS Secrets Manager for login. Now I am looking to update the Lambda function to be able to authenticate with a password or a public key. In Secrets Manager I've added a new key (SSHPublicKeys) and defined the value of the public key, and in the Python code I defined a check for the public key. What is missing is how to let the Lambda Python code compare the private key used by the user with the public key defined in AWS Secrets Manager!

1 Answer
0

Hello. To allow your Lambda function to authenticate using a public key, you should compare the presented public key with the one stored in AWS Secrets Manager. However, the client/user would never send their private key. Instead, the authentication process works as follows. A code snippet showing how you can use a key:

import hmac
import json

import boto3


def lambda_handler(event, context):
    # Your logic to get the username from the event
    username = event['username']

    # Fetch the user secret from AWS Secrets Manager
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId='YOUR_SECRET_ID')
    secret = json.loads(response['SecretString'])

    # Check password if provided
    if 'password' in event:
        user_password = event['password']
        stored_password = secret.get('password') or ''
        # Constant-time comparison, so the stored value cannot be probed via timing
        if not hmac.compare_digest(user_password.encode('utf-8'), stored_password.encode('utf-8')):
            # Invalid password
            return {
                'status': 'DENY'
            }

    # Check SSH public key if provided
    elif 'publicKey' in event:
        # In a real-world scenario, you'd probably have multiple keys and need to iterate over them.
        stored_public_key = secret.get('SSHPublicKeys')

        # Compare the presented key line against the stored one (ignoring surrounding whitespace)
        if event['publicKey'].strip() != (stored_public_key or '').strip():
            # Invalid public key
            return {
                'status': 'DENY'
            }

    # If neither password nor public key is provided, or any other checks you want to implement
    else:
        return {
            'status': 'DENY'
        }

    return {
        'status': 'OK',
        'role': 'arn:aws:iam::ACCOUNT_ID:role/YOUR_SFTP_ROLE',
        'policy': 'YOUR_POLICY'
    }

Regards, Andrii

EXPERT
answered 7 months ago
  • Hi, I have a similar problem but I can't access this "public-key" field in my code. Am I doing something wrong in how my AWS Transfer Family SFTP server is configured?
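
An added example, not code from Andrii's answer, built around the custom identity provider contract Transfer Family documents: the Lambda is invoked with `username`, `serverId` and, for password logins only, `password`; for key logins it returns the stored public keys in a `PublicKeys` list and Transfer Family itself verifies the signature the client produced with its private key, so the private key is never sent and the Lambda never sees a key to compare. The secret layout (`password`, `SSHPublicKeys`, `Role`, `HomeDirectory`) and the `SECRET_PREFIX` naming are assumptions; `SAMPLE_SECRET` is constructed data.

```python
import hmac
import json

# Constructed sample of the JSON stored in Secrets Manager for one user; the
# "password"/"SSHPublicKeys" keys follow the question, Role/HomeDirectory are assumed.
SAMPLE_SECRET = {
    "password": "correct horse battery staple",
    "SSHPublicKeys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYVALUE alice@example"],
    "Role": "arn:aws:iam::123456789012:role/EXAMPLE_SFTP_ROLE",
    "HomeDirectory": "/example-bucket/home/alice",
}
SECRET_PREFIX = "aws/transfer/"  # assumed naming convention: one secret per username


def authenticate(event, secret):
    """Return the response body Transfer Family expects, or {} to deny the login."""
    granted = {"Role": secret["Role"], "HomeDirectory": secret["HomeDirectory"]}
    if "password" in event:
        # Password login: verify in constant time and return no PublicKeys.
        presented = event["password"].encode("utf-8")
        expected = secret.get("password", "").encode("utf-8")
        if not presented or not hmac.compare_digest(presented, expected):
            return {}
        return granted
    # Key login: the event carries no password. Hand back the stored public keys;
    # Transfer Family checks the client's SSH signature against them itself.
    keys = secret.get("SSHPublicKeys") or []
    if isinstance(keys, str):  # the question stores a single key as one string
        keys = [keys]
    keys = [k.strip() for k in keys if k.strip()]
    if not keys:
        return {}
    return {**granted, "PublicKeys": keys}


def lambda_handler(event, context):
    import boto3  # imported here so authenticate() stays testable without AWS access
    client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=SECRET_PREFIX + event["username"])
    return authenticate(event, json.loads(resp["SecretString"]))
```

With this shape, the comment above about a missing "public-key" field is expected: key logins arrive with no key material at all, and an empty response is what denies access.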
