Ftp – ProFTPD pub key authentication, still asks for password

Tags: ftp, proftpd, sftp

I've set up mod_sftp with ProFTPD, and for some reason it still prompts me for a password when I connect.

This is my conf.d/myserver file:

SFTPEngine on
SFTPLog /var/log/sftp.log
Port 7770
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
SFTPCompression delayed
MaxLoginAttempts 6
DefaultRoot ~
Umask 002
CreateHome on 770 dirmode 770

And the public key for the user is in /etc/proftpd/authorized_keys.

Best Answer

I experienced this, and it was caused by what looks like a bug in ssh-keygen that manifests when you convert the ssh-rsa format key into the RFC-4716 key format: the Comment header is too long.

To confirm that this is happening to you, enable the SFTPLog option in your proftpd.conf file, then in the SFTP log file you'll see lines like the following, specifically the "line too long" part:

Jul 25 19:11:25 mod_sftp/0.9.7[16355]: public key fingerprint: 77:fa:c7:d6:da:b9:99:6f:9d:5f:74:30:ba:09:4f:e9
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: line too long (74) on line 1 of '/etc/proftpd.d/authorized_keys/myusername'
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: Make sure that '/etc/proftpd.d/authorized_keys/myusername' is a RFC4716 formatted key
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: error base64-decoding key data in '/etc/proftpd.d/authorized_keys/myusername'
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: error comparing keys from '/etc/proftpd.d/authorized_keys/myusername': Invalid argument
Jul 25 19:11:25 mod_sftp/0.9.7[16355]: sending userauth failure; remaining userauth methods: publickey,password
Jul 25 19:11:29 mod_sftp/0.9.7[16355]: disconnecting client (received EOF)

Take a look at the offending key, and you'll see how it sticks out:

[Screenshot: Excess line text]

Trim that off with your text editor of choice, and key auth should start working. Using bash it looks like this, where user.pub is your key file:

# write to a temporary file first: redirecting straight back to user.pub would truncate it before cut has read it
cut -c 1-72 user.pub | sed '/^Comment: "[^"]*$/ s/$/"/' > user.pub.fixed && mv user.pub.fixed user.pub

If you instead want to keep the whole comment, you'll need to escape the end of the line and put it on the next one. See the example section of RFC 4716 for how you can re-format comments.

Finally, I ran into this problem using ssh-keygen on CentOS 6.9. The version I have on Mac OS Sierra truncates the key comments properly to avoid this problem.
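An added example, not part of the question or the answer above and not ProFTPD or OpenSSH code: a small Python checker that applies the RFC 4716 rules the answer relies on (a 72-byte line limit, "Tag: value" header lines, a trailing backslash for header continuation) to an authorized-keys file, reports over-long lines the way the mod_sftp log does, and rewraps a long Comment header across continuation lines so the whole comment is kept rather than trimmed. The key blob, the comment text and the host name in it are constructed for the demonstration and are not a real key.

```python
"""Check and repair over-long header lines in an RFC 4716 public key file.

Added example; assumes RFC 4716: lines <= 72 bytes (section 3.1), header
lines "Tag: value", and a trailing backslash continuing a header on the
next physical line, joined by plain concatenation (section 3.3).
"""
import base64
import struct

MAX_LINE = 72  # RFC 4716 section 3.1: no line may exceed 72 bytes
BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire mpint for n > 0 (minimal bytes, leading 0x00 if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed ssh-rsa blob: string "ssh-rsa", mpint e, mpint n. The modulus is
# filler bytes, not a real key; only the framing matters for this example.
FAKE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
             + _ssh_mpint(int.from_bytes(bytes(range(1, 129)), "big")))
# Constructed comment in the style ssh-keygen -e writes (quoted value, hypothetical host).
COMMENT = '"2048-bit RSA, converted by myusername@buildhost.example from OpenSSH"'


def make_rfc4716(blob: bytes, headers: dict) -> str:
    """Write the file naively, one physical line per header: this is how a
    long Comment becomes a line longer than 72 bytes."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    hdrs = [f"{tag}: {value}" for tag, value in headers.items()]
    return "\n".join([BEGIN, *hdrs, *body, END]) + "\n"


def parse_rfc4716(text: str) -> tuple:
    """Return (headers, blob); joins backslash-continued lines, then splits
    headers from the base64 body (header lines contain ':', base64 never does)."""
    raw = text.splitlines()
    if raw[0] != BEGIN or raw[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    logical = []
    for line in raw[1:-1]:
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line  # drop the backslash, append verbatim
        else:
            logical.append(line)
    headers, body = {}, []
    for line in logical:
        if not body and ":" in line:
            tag, _, value = line.partition(":")
            headers[tag.strip()] = value.strip()
        else:
            body.append(line)
    return headers, base64.b64decode("".join(body), validate=True)


def check_rfc4716(text: str) -> list:
    """List problems in the same terms mod_sftp logs them; an empty list means OK."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        size = len(line.encode())
        if size > MAX_LINE:
            problems.append(f"line too long ({size}) on line {num}")
    try:
        parse_rfc4716(text)
    except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError
        problems.append(f"error decoding key data: {exc}")
    return problems


def wrap_header(tag: str, value: str) -> list:
    """Emit one header as physical lines of at most MAX_LINE bytes using
    backslash continuation. Chunks are cut by position and re-joined by plain
    concatenation, so the parsed value is unchanged. ASCII values assumed."""
    value.encode("ascii")  # raises for non-ASCII, where byte and char counts differ
    prefix, lines = f"{tag}: ", []
    room = MAX_LINE - len(prefix) - 1  # one byte reserved for the backslash
    while True:
        chunk, value = value[:room], value[room:]
        head = prefix if not lines else ""
        if not value:
            lines.append(head + chunk)
            return lines
        lines.append(head + chunk + "\\")
        room = MAX_LINE - 1


def fix_rfc4716(text: str) -> str:
    """Rewrite the file with every header wrapped; the key body is untouched."""
    headers, blob = parse_rfc4716(text)
    out = [BEGIN]
    for tag, value in headers.items():
        out.extend(wrap_header(tag, value))
    b64 = base64.b64encode(blob).decode()
    out.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    out.append(END)
    return "\n".join(out) + "\n"


def key_type(blob: bytes) -> str:
    """Read the leading SSH string of a key blob, e.g. 'ssh-rsa'."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


if __name__ == "__main__":
    broken = make_rfc4716(FAKE_BLOB, {"Comment": COMMENT})
    print("before:", check_rfc4716(broken))
    fixed = fix_rfc4716(broken)
    print("after: ", check_rfc4716(fixed))
    print(fixed)
```

Run it and the "before" line reports the over-long Comment line exactly as the SFTP log excerpt does; after rewrapping, the file passes the length check and parses to the same comment and the same key blob. Pointing `parse_rfc4716` at a real `/etc/proftpd/authorized_keys/<user>` file is a quick way to confirm a key file is well-formed before blaming the server configuration.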