Encrypted key with new OpenSSH header for private keys seems to be broken #470

Closed
Soulou opened this issue Aug 26, 2019 · 7 comments · Fixed by #513

Soulou commented Aug 26, 2019

-----BEGIN OPENSSH PRIVATE KEY-----

User wasn't able to type their passphrase, it was directly displaying an error:

Fail to connect to SSH server: Invalid SSH key or password: ssh: cannot decode encrypted private keys

Soulou added the bug label Aug 26, 2019

EtienneM self-assigned this Aug 29, 2019

EtienneM commented

Same issue with scalingo login --ssh --ssh-identity ./test

EtienneM commented Aug 29, 2019

This is kind of related to #389, except that now the issue only arises when the key is encrypted with a passphrase. Actually, the dependency we use to read private key files is golang.org/x/crypto/ssh, and it seems it is not yet able to read such files: https://github.com/golang/crypto/blob/master/ssh/keys.go#L878-L880

EtienneM commented

Oh no... It's just that our code calls ssh.ParsePrivateKey instead of ParsePrivateKeyWithPassphrase if needed

EtienneM changed the title from "[Db-tunnel] Encrypted key with new OpenSSH header for private keys seems to be broken" to "Encrypted key with new OpenSSH header for private keys seems to be broken" on Aug 29, 2019

EtienneM commented

The issue is that we fail to detect the key is encrypted. We check this like that: strings.Contains(p.Block.Headers["Proc-Type"], "ENCRYPTED"). The golang.org/x/crypto/ssh does the same thing so it's probably how we should handle that. But the header in my case is empty:

TYPE: "OPENSSH PRIVATE KEY"
HEADERS: map[string]string{}

Soulou commented Aug 29, 2019

Actually it's because this Proc-Type header is only present in the old format.

With the new format, there is no PEM header to read at all.
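
An added example (not code from this project or from golang.org/x/crypto/ssh): one way to detect an encrypted key in both formats discussed in this thread, using only the Go standard library. `IsEncryptedKey` and `sampleKey` are hypothetical names, the new-format branch reads the cipher name field described in OpenSSH's PROTOCOL.key, and the sample input is constructed.

```go
package main

import (
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Magic prefix of the new-format container (OpenSSH PROTOCOL.key).
const opensshMagic = "openssh-key-v1\x00"

// IsEncryptedKey (hypothetical helper) reports whether a PEM key needs a passphrase.
func IsEncryptedKey(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false, errors.New("no PEM block found")
	}
	// Legacy PEM announces encryption in the Proc-Type header.
	if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") {
		return true, nil
	}
	if block.Type != "OPENSSH PRIVATE KEY" {
		return false, nil
	}
	// New format: the cipher name follows the magic as a length-prefixed string.
	body, m := block.Bytes, len(opensshMagic)
	if len(body) < m+4 || string(body[:m]) != opensshMagic {
		return false, errors.New("not an openssh-key-v1 container")
	}
	n := uint64(binary.BigEndian.Uint32(body[m:]))
	if n > uint64(len(body)-m-4) {
		return false, errors.New("truncated cipher name")
	}
	return string(body[m+4:m+4+int(n)]) != "none", nil
}

// sampleKey builds a constructed container (magic + cipher name only, not a usable key).
func sampleKey(cipher string) []byte {
	b := append([]byte(opensshMagic), 0, 0, 0, byte(len(cipher)))
	b = append(b, cipher...)
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: b})
}

func main() {
	enc, err := IsEncryptedKey(sampleKey("aes256-ctr"))
	fmt.Println("encrypted:", enc, "err:", err)
}
```

A caller can use the result to decide whether to prompt for a passphrase before choosing between ssh.ParsePrivateKey and ParsePrivateKeyWithPassphrase.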

EtienneM commented Dec 5, 2019
