Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: unable to authenticate if the first private key fails. #60587

Closed
lonnywong opened this issue Jun 3, 2023 · 1 comment
Closed

x/crypto/ssh: unable to authenticate if the first private key fails. #60587

lonnywong opened this issue Jun 3, 2023 · 1 comment
Labels
FrozenDueToAge
Milestone
Unreleased

Comments

@lonnywong
Copy link

lonnywong commented Jun 3, 2023
edited
Loading

What version of Go are you using (go version)?

$ go version
go version go1.20.4 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/lonny/Library/Caches/go-build"
GOENV="/Users/lonny/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/lonny/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/lonny/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.20.4/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.20.4/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.20.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="cc"
CXX="c++"
CGO_ENABLED="1"
GOMOD="/Users/lonny/workspace/test/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/6l/jtqr77ms6rv21hw6ryq6zx3c0000gn/T/go-build1679388757=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Add two private keys, the first one should fail, the second one should succeed.

package main

import (
	"fmt"
	"os"

	"golang.org/x/crypto/ssh"
)

func main() {
	var authMethods []ssh.AuthMethod
	addAuthKey := func(keyFilePath string) {
		keyBytes, err := os.ReadFile(keyFilePath)
		if err != nil {
			fmt.Fprintf(os.Stderr, "failed to read private key file %s: %s\r\n", keyFilePath, err)
			os.Exit(1)
		}
		signer, err := ssh.ParsePrivateKey(keyBytes)
		if err != nil {
			fmt.Fprintf(os.Stderr, "failed to parse private key file %s: %s\r\n", keyFilePath, err)
			os.Exit(1)
		}
		authMethods = append(authMethods, ssh.PublicKeys(signer))
	}

	user := "*** username ***"
	addr := "*** host:port ***"
	addAuthKey("/path/to/id_rsa")  // should fail
	addAuthKey("/path/to/id_ed25519")  // should succeed
	fmt.Printf("auth methods count: %d\r\n", len(authMethods))

	config := &ssh.ClientConfig{
		User:            user,
		Auth:            authMethods,
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	if _, err := ssh.Dial("tcp", addr, config); err != nil {
		fmt.Fprintf(os.Stderr, "failed to connect to %s: %s\r\n", addr, err)
		os.Exit(1)
	}

	fmt.Printf("successfully connected to %s\n", addr)
}
  • go.mod
module example.com/m/v

go 1.20

require golang.org/x/crypto v0.9.0

require golang.org/x/sys v0.8.0 // indirect
  • go.sum
golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=

What did you expect to see?

Successful connect to the SSH server using the second private key, not the first one.

What did you see instead?

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain
If I change the order of the two private keys, it succeeds.
@gopherbot gopherbot added this to the Unreleased milestone Jun 3, 2023
@lonnywong
Copy link
Author

My bad, suddenly found that the correct usage should be:

package main

import (
	"fmt"
	"os"

	"golang.org/x/crypto/ssh"
)

func main() {
	var signers []ssh.Signer
	addAuthKey := func(keyFilePath string) {
		keyBytes, err := os.ReadFile(keyFilePath)
		if err != nil {
			fmt.Fprintf(os.Stderr, "failed to read private key file %s: %s\r\n", keyFilePath, err)
			os.Exit(1)
		}
		signer, err := ssh.ParsePrivateKey(keyBytes)
		if err != nil {
			fmt.Fprintf(os.Stderr, "failed to parse private key file %s: %s\r\n", keyFilePath, err)
			os.Exit(1)
		}
		signers = append(signers, signer)
	}

	user := "*** username ***"
	addr := "*** host:port ***"
	addAuthKey("/path/to/id_rsa")  // should fail
	addAuthKey("/path/to/id_ed25519")  // should succeed
	fmt.Printf("signers count: %d\r\n", len(signers))

	config := &ssh.ClientConfig{
		User:            user,
		Auth:            []ssh.AuthMethod{ssh.PublicKeys(signers...)},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

	if _, err := ssh.Dial("tcp", addr, config); err != nil {
		fmt.Fprintf(os.Stderr, "failed to connect to %s: %s\r\n", addr, err)
		os.Exit(1)
	}

	fmt.Printf("successfully connected to %s\n", addr)
}

@golang golang locked and limited conversation to collaborators Jun 2, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
2 participants
@gopherbot @lonnywong