
Re: ssh_userauth_publickey_auto - file name of the key being unlocked


On Thu, 2020-04-23 at 10:47 +0200, Václav Kubernát wrote:
> Hello,
> I'm trying to use ssh_userauth_publickey_auto to authenticate to an
> SSH server. I posted a question on the bug tracker
> (https://bugs.libssh.org/T217) asking if it was possible to specify a
> callback for unlocking a key. I was able to set up the callback.
> However, I found out that the prompt arg the callback gets only reads
> "Passphrase". So, if I want to prompt the user for the password for
> the key, the user doesn't know which key he is supposed to unlock. I
> have already kind of solved the issue by reading and unlocking the key
> myself, and injecting the callback's private data with the filename,
> but that meant I had to reimplement most of the "auto" functionality
> myself, which seems like a waste. The code can be seen here:
> https://gerrit.cesnet.cz/c/CzechLight/netconf-cli/+/2286/16/src/cli-netconf.cpp#118.
> 
> What do you think? Is it possible for ssh_userauth_publickey_auto to
> tell me which key it is currently unlocking via the callback? Or if
> not, what approach would you suggest?

Hello,
if the prompt contains only "Passphrase", you are likely unlocking the
key that is in the new OpenSSH format (see
src/pki_container_openssh.c). It is called from function
pki_private_key_decrypt(), which, at this moment, does not know the
actual filename, but adding it to the prompt (also from other key
formats) would make sense from my point of view.

It will require some refactoring to get the filename to the prompt, but
it should be doable. Would you like to submit a PR on gitlab [1]?

[1] https://gitlab.com/libssh/libssh-mirror

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
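The workaround described in the thread (unlock the key yourself and carry the filename in the callback's userdata so the prompt can name it), written out as an added example. This is not code from the libssh project or from either poster. The callback typedef below copies the shape of libssh's ssh_auth_callback so the file compiles on its own; the part that hands the callback to ssh_pki_import_privkey_file() and then authenticates with ssh_userauth_publickey() is guarded by HAVE_LIBSSH, an assumed build flag. The key paths, username, and the "scripted_answer" field (used so the callback can be exercised offline without a terminal) are constructed for the example.

```c
/* Added example: filename-aware passphrase prompt for libssh private keys.
 * Not libssh code; the typedef mirrors libssh's ssh_auth_callback so that
 * key_passphrase_cb can be passed to ssh_pki_import_privkey_file() unchanged.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef HAVE_LIBSSH            /* assumed build flag, not part of libssh */
#include <libssh/libssh.h>
#endif

/* Same signature as libssh's ssh_auth_callback. */
typedef int (*auth_callback)(const char *prompt, char *buf, size_t len,
                             int echo, int verify, void *userdata);

/* Private data handed to the callback: the thing the thread asks for. */
struct key_prompt_ctx {
    const char *filename;        /* key being unlocked, shown to the user */
    const char *scripted_answer; /* constructed: fixed answer for offline use,
                                    NULL means read the passphrase from stdin */
};

/* Turn the generic "Passphrase" prompt into "Passphrase for key '<file>': ".
 * Returns the prompt length, or -1 if it does not fit in out[]. */
int format_key_prompt(char *out, size_t outlen,
                      const char *generic_prompt, const char *filename)
{
    int n = snprintf(out, outlen, "%s for key '%s': ", generic_prompt, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Callback with libssh's ssh_auth_callback signature. libssh only passes
 * "Passphrase" as the prompt; the filename comes from userdata instead.
 * Returns 0 with buf filled (NUL-terminated), -1 on failure. */
static int key_passphrase_cb(const char *prompt, char *buf, size_t len,
                             int echo, int verify, void *userdata)
{
    struct key_prompt_ctx *ctx = userdata;
    char full[512];
    (void)echo; (void)verify;     /* a real client would disable tty echo here */

    if (ctx == NULL || ctx->filename == NULL || len == 0)
        return -1;
    if (format_key_prompt(full, sizeof full, prompt, ctx->filename) < 0)
        return -1;

    if (ctx->scripted_answer != NULL) {         /* offline path for the example */
        size_t n = strlen(ctx->scripted_answer);
        if (n >= len)                           /* never overrun libssh's buffer */
            return -1;
        memcpy(buf, ctx->scripted_answer, n + 1);
        return 0;
    }

    fputs(full, stdout);
    fflush(stdout);
    if (fgets(buf, (int)len, stdin) == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

#ifdef HAVE_LIBSSH
/* Try each key file in turn, unlocking it with the filename-aware callback,
 * and authenticate with the first one the server accepts. Mirrors what the
 * "auto" helper does internally, minus agent and default-path handling. */
int auth_with_named_keys(ssh_session session, const char *user,
                         const char *const *paths, size_t npaths)
{
    for (size_t i = 0; i < npaths; i++) {
        struct key_prompt_ctx ctx = { paths[i], NULL };
        ssh_key priv = NULL, pub = NULL;
        int rc;

        rc = ssh_pki_import_privkey_file(paths[i], NULL, key_passphrase_cb,
                                         &ctx, &priv);
        if (rc != SSH_OK)                       /* missing, wrong passphrase, ... */
            continue;
        if (ssh_pki_export_privkey_to_pubkey(priv, &pub) == SSH_OK &&
            ssh_userauth_try_publickey(session, user, pub) == SSH_AUTH_SUCCESS)
            rc = ssh_userauth_publickey(session, user, priv);
        else
            rc = SSH_AUTH_DENIED;
        ssh_key_free(pub);
        ssh_key_free(priv);
        if (rc == SSH_AUTH_SUCCESS)
            return SSH_AUTH_SUCCESS;
    }
    return SSH_AUTH_DENIED;
}
#endif

int main(void)
{
    /* Constructed input: a fake key path and a scripted passphrase. */
    struct key_prompt_ctx ctx = { "/home/user/.ssh/id_ed25519", "hunter2" };
    char prompt[128], buf[64];
    format_key_prompt(prompt, sizeof prompt, "Passphrase", ctx.filename);
    printf("%s\n", prompt);
    return key_passphrase_cb("Passphrase", buf, sizeof buf, 0, 0, &ctx) == 0 ? 0 : 1;
}
```

The bounded copy into buf matters: libssh allocates the buffer it passes to the callback, so a callback that writes past len corrupts the library's memory rather than just failing the unlock. ssh_userauth_try_publickey() is used before the real signature so that an unlocked key is only used for a full authentication attempt when the server says it would accept it.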

