asf-tooling opened a new issue, #951:
URL: https://github.com/apache/tooling-trusted-releases/issues/951
**ASVS Level(s):** [L1]
**Description:**
### Summary
SSH authentication paths (both persistent keys in `begin_auth()` and GitHub
workflow keys in `validate_public_key()`) do not check LDAP account status
using `ldap.is_active()` before allowing authentication. The control exists in
`atr/ldap.py` and is properly used in web/JWT authentication paths, but is
never called during SSH authentication. This allows disabled/banned users to
retain full SSH access to artifact repositories for rsync operations
indefinitely.
### Details
**Affected Files and Lines:**
- `atr/ssh.py:90-118` - begin_auth() without account status check
- `atr/ssh.py:124-148` - validate_public_key() without account status check
This is a Type B vulnerability where the control exists but is not called in
critical paths. Disabled users can continue using SSH access even after their
accounts have been disabled in LDAP, bypassing access control entirely.
### Recommended Remediation
Add `ldap.is_active()` checks in both SSH authentication paths:
```python
# atr/ssh.py - begin_auth() for persistent keys (after line 99)
if not self._ldap.is_active(username):
log.failed_authentication('ssh_account_disabled', extra={'username':
username})
raise asyncssh.PermissionDenied('Account disabled')
# atr/ssh.py - validate_public_key() for workflow keys (after line 107)
if not self._ldap.is_active(username):
log.failed_authentication('ssh_workflow_account_disabled',
extra={'username': username})
return False
# Defense-in-depth: Add revalidation in _step_02_handle_safely() (after line
148)
if not self._ldap.is_active(self._github_asf_uid):
log.failed_authentication('ssh_account_disabled_during_operation')
raise asyncssh.BreakReceived('Account disabled')
```
### Acceptance Criteria
- [ ] Account status check added to begin_auth()
- [ ] Account status check added to validate_public_key()
- [ ] Defense-in-depth check added to operation handler
- [ ] Failed authentication logging implemented
- [ ] Integration test verifying disabled accounts cannot SSH
- [ ] Unit test verifying the fix
### References
- Source reports: L1:7.4.2.md
- Related findings: FINDING-129
- ASVS sections: 7.4.2
### Priority
Critical
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
