sftp: Fix operations with a internal service account (#20293)
sftp sends local requests to the S3 port while passing the session token header when the account corresponds to a service account. However, this is not permitted and will throw an error: "The security token included in the request is invalid". This commit avoids passing the session token to the upper layer that initializes the MinIO client, which prevents this error.
parent
8a11282522
commit
7b239ae154
@ -162,30 +162,31 @@ internalAuth:
|
|||||||
}
|
}
|
||||||
|
|
||||||
if caPublicKey != nil && pass == nil {
|
if caPublicKey != nil && pass == nil {
|
||||||
|
|
||||||
err := validateKey(c, key)
|
err := validateKey(c, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errAuthentication
|
return nil, errAuthentication
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
// Temporary credentials are not allowed.
|
// Temporary credentials are not allowed.
|
||||||
if ui.Credentials.IsTemp() {
|
if ui.Credentials.IsTemp() {
|
||||||
return nil, errAuthentication
|
return nil, errAuthentication
|
||||||
}
|
}
|
||||||
|
|
||||||
if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) != 1 {
|
if subtle.ConstantTimeCompare([]byte(ui.Credentials.SecretKey), pass) != 1 {
|
||||||
return nil, errAuthentication
|
return nil, errAuthentication
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
copts := map[string]string{
|
||||||
|
"AccessKey": ui.Credentials.AccessKey,
|
||||||
|
"SecretKey": ui.Credentials.SecretKey,
|
||||||
|
}
|
||||||
|
if ui.Credentials.IsTemp() {
|
||||||
|
copts["SessionToken"] = ui.Credentials.SessionToken
|
||||||
}
|
}
|
||||||
|
|
||||||
return &ssh.Permissions{
|
return &ssh.Permissions{
|
||||||
CriticalOptions: map[string]string{
|
CriticalOptions: copts,
|
||||||
"AccessKey": ui.Credentials.AccessKey,
|
|
||||||
"SecretKey": ui.Credentials.SecretKey,
|
|
||||||
"SessionToken": ui.Credentials.SessionToken,
|
|
||||||
},
|
|
||||||
Extensions: make(map[string]string),
|
Extensions: make(map[string]string),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
@ -209,7 +210,6 @@ func processLDAPAuthentication(key ssh.PublicKey, pass []byte, user string) (per
|
|||||||
CriticalOptions: map[string]string{
|
CriticalOptions: map[string]string{
|
||||||
"AccessKey": sa.Credentials.AccessKey,
|
"AccessKey": sa.Credentials.AccessKey,
|
||||||
"SecretKey": sa.Credentials.SecretKey,
|
"SecretKey": sa.Credentials.SecretKey,
|
||||||
"SessionToken": sa.Credentials.SessionToken,
|
|
||||||
},
|
},
|
||||||
Extensions: make(map[string]string),
|
Extensions: make(map[string]string),
|
||||||
}, nil
|
}, nil
|
||||||
|
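Review bot: The new `if ui.Credentials.IsTemp()` guard around `copts["SessionToken"]` in the internalAuth hunk has no comment saying why the token is withheld for other credentials, and the reason is only in the commit message; I would add `// Service accounts carry a session token that the S3 layer rejects; forward it only for temporary credentials.` above it. The password branch just above already returns `errAuthentication` when `IsTemp()` is true, so this guard can only fire for logins that took the `caPublicKey != nil && pass == nil` branch, which is worth stating in the same comment. The fix also relies on `IsTemp()` returning false for every service account; its definition is not visible here, so please confirm that a service account created with an expiry is not classified as temporary, otherwise the same invalid-token error would come back for those accounts. The second hunk drops `"SessionToken"` unconditionally in processLDAPAuthentication while this one keeps it conditionally, and a short note on why the two paths differ would help the next reader. The enclosing function of the first hunk starts outside the visible lines.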