
Re: Authenticate with pki


On 5/4/21 11:10 PM, John Dunn wrote:
I am having difficulties authenticating using pki. I have a private/public key pair that allows me to authenticate with a server via

	ssh -i <path_to_priv_key> <user>@<host>

The private key is password protected so I am prompted for the password but beyond that I am able to connect without any user interaction. I'm trying to replicate the same functionality using libssh using the following code

#include <stdio.h>
#include <stdlib.h>
#include <libssh/libssh.h>

void connect_via_ssh(
   const char* host,
   int port,            /* libssh reads SSH_OPTIONS_PORT through an unsigned int* */
   const char* user,
   const char* path_to_pub,
   const char* path_to_priv,
   const char* priv_pass
)
{
   ssh_session ssh = ssh_new();
   if (ssh == NULL)
   {
     printf("Error ssh_new\r\n");
     return;
   }
   int verbosity = SSH_LOG_FUNCTIONS;
   long timeout = 30;
   ssh_options_set(ssh, SSH_OPTIONS_HOST, host);
   ssh_options_set(ssh, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
   ssh_options_set(ssh, SSH_OPTIONS_PORT, &port);
   ssh_options_set(ssh, SSH_OPTIONS_USER, user);
   ssh_options_set(ssh, SSH_OPTIONS_TIMEOUT, &timeout);

   // Note: the server host key is not checked anywhere in this function
   // (no ssh_session_is_known_server call), so any host key is accepted.
   int rc = ssh_connect(ssh);
   if (rc != SSH_OK)
   {
     printf("ssh_connect : %s\r\n", ssh_get_error(ssh));
     ssh_free(ssh);
     return;
   }
   ssh_key key = NULL;

   // Step 1: offer the public key only; the server answers whether it would
   // accept this key at all, without any signature being made yet
   rc = ssh_pki_import_pubkey_file(path_to_pub, &key);
   if (rc != SSH_OK)
   {
     printf("Error ssh_pki_import_pubkey_file\r\n");
     ssh_disconnect(ssh);
     ssh_free(ssh);
     return;
   }

   rc = ssh_userauth_try_publickey(ssh, NULL, key);
   ssh_key_free(key);
   key = NULL;
   if (rc != SSH_AUTH_SUCCESS)
   {
     printf("ssh_userauth_try_publickey : %s\r\n", ssh_get_error(ssh));
     ssh_disconnect(ssh);
     ssh_free(ssh);
     return;
   }

   // Step 2: load the (passphrase-protected) private key and sign the
   // real authentication request with it
   rc = ssh_pki_import_privkey_file(path_to_priv, priv_pass, NULL, NULL, &key);
   if (rc != SSH_OK)
   {
     printf("Error ssh_pki_import_privkey_file\r\n");
     ssh_disconnect(ssh);
     ssh_free(ssh);
     return;
   }

   rc = ssh_userauth_publickey(ssh, NULL, key);
   ssh_key_free(key);
   key = NULL;
   if (rc != SSH_AUTH_SUCCESS)
   {
     printf("ssh_userauth_publickey : %s\r\n", ssh_get_error(ssh));
     ssh_disconnect(ssh);
     ssh_free(ssh);
     return;
   }
   // create channel, etc...
}

Everything works fine until the call to ssh_userauth_publickey - that returns SSH_AUTH_DENIED. I've verified the exact same keypair can be used with ssh so I'm guessing I'm missing a step in my code. Here are the last lines of debug output. Any suggestions would be appreciated.

John

[2021/05/04 14:05:27.896286, 2] ssh_pki_import_privkey_base64:  Trying to decode privkey passphrase=true
[2021/05/04 14:05:27.896286, 2] ssh_pki_openssh_import:  Opening OpenSSH private key: ciphername: aes256-cbc, kdf: bcrypt, nkeys: 1
[2021/05/04 14:05:27.897285, 3] pki_private_key_decrypt:  Decryption: 32 key, 16 IV, 16 rounds, 16 bytes salt
[2021/05/04 14:05:27.997018, 3] ssh_key_algorithm_allowed:  Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
[2021/05/04 14:05:27.997455, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2021/05/04 14:05:27.997455, 3] packet_send2:  packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198]
[2021/05/04 14:05:27.997455, 4] ssh_socket_pollcallback:  Poll callback on socket 744 (POLLOUT ), out buffer 0
[2021/05/04 14:05:27.998455, 4] ssh_socket_pollcallback:  sending control flow event
[2021/05/04 14:05:27.998455, 4] ssh_packet_socket_controlflow_callback:  sending channel_write_wontblock callback
[2021/05/04 14:05:28.008735, 4] ssh_socket_pollcallback:  Poll callback on socket 744 (POLLIN ), out buffer 0
[2021/05/04 14:05:28.009231, 3] ssh_packet_socket_callback:  packet: read type 51 [len=48,padding=11,comp=36,payload=36]
[2021/05/04 14:05:28.009231, 3] ssh_packet_process:  Dispatching handler for packet type 51
[2021/05/04 14:05:28.009231, 1] ssh_packet_userauth_failure:  Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive
[2021/05/04 14:05:28.009231, 2] ssh_packet_userauth_failure:  Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive
ssh_userauth_publickey : Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive

This is ssh-ed25519, which should work just fine quite much everywhere. I would check the server debug log for the reason why the key was rejected.

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
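Jakub's pointer to the server side is where this kind of refusal is usually explained. As an added example (not part of his reply, and not code from libssh or from the original poster), here is a POSIX sh script with the two checks an administrator runs against the account on the server before reading the sshd debug log: whether the offered key is actually listed in that user's authorized_keys, and whether sshd's StrictModes would refuse the key because of directory or file permissions. The home directory, key blobs and authorized_keys contents it works on are constructed fixtures built by make_demo_home, not real key material.

```shell
#!/bin/sh
# Added example for this thread (not code from libssh or from the poster):
# server-side checks for a 'publickey' refusal. All paths and key material
# below are constructed for the demo.

# Does the key in PUBFILE (single-line OpenSSH public key) appear in AUTHFILE?
# Only the key type and base64 blob are compared, field by field, because
# authorized_keys lines may carry leading options and a different comment.
# Returns 0 when present, 1 when absent, 2 when the public key is unreadable.
key_in_authorized_keys() {
    pubfile=$1
    authfile=$2
    set -- $(head -n 1 "$pubfile")   # deliberate word split: type blob [comment]
    ktype=$1
    kblob=$2
    if [ -z "$ktype" ] || [ -z "$kblob" ]; then
        echo "unreadable public key: $pubfile"
        return 2
    fi
    if awk -v t="$ktype" -v b="$kblob" '
            /^[ \t]*#/ { next }
            NF == 0 { next }
            { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) { found = 1; exit } }
            END { exit found ? 0 : 1 }' "$authfile"; then
        echo "key present in $authfile"
        return 0
    fi
    echo "key absent from $authfile: sshd answers 'publickey' with a failure"
    return 1
}

# sshd with StrictModes (the default) refuses the key when the home directory,
# ~/.ssh or authorized_keys is writable by group or others. It also requires
# those paths to be owned by the user or root; ownership is not checked here.
# Returns 0 when the modes are acceptable, 1 otherwise.
check_strict_modes() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            bad=1
            continue
        fi
        # -perm -020 / -002: group-write / other-write bit set (POSIX find)
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world-writable, StrictModes will refuse it: $p"
            bad=1
        fi
    done
    return $bad
}

# Build a constructed home directory with one authorized key, set to the
# sshd-friendly modes 755/700/600, and print its root path. The key blobs are
# made-up strings with the shape of an ed25519 key, not real keys.
make_demo_home() {
    root=$(mktemp -d)
    mkdir -p "$root/home/.ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMADEUPmadeupMADEUPmadeupMADEUPmadeupMAD john@laptop\n' \
        > "$root/id_ed25519.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERotherOTHERotherOTHERotherOTHERothe other@host\n' \
        > "$root/id_other.pub"
    {
        echo '# constructed authorized_keys: same blob as id_ed25519.pub, with options'
        echo 'no-pty,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMADEUPmadeupMADEUPmadeupMADEUPmadeupMAD deploy'
    } > "$root/home/.ssh/authorized_keys"
    chmod 755 "$root/home"
    chmod 700 "$root/home/.ssh"
    chmod 600 "$root/home/.ssh/authorized_keys"
    echo "$root"
}

# Stand-alone run: walk through both checks on the constructed home directory.
demo_root=$(make_demo_home)
key_in_authorized_keys "$demo_root/id_ed25519.pub" "$demo_root/home/.ssh/authorized_keys"
key_in_authorized_keys "$demo_root/id_other.pub" "$demo_root/home/.ssh/authorized_keys" || true
check_strict_modes "$demo_root/home"
chmod 777 "$demo_root/home/.ssh"   # the classic StrictModes failure
check_strict_modes "$demo_root/home" || true
rm -rf "$demo_root"
```

On a real server the same two functions are pointed at the account in question, for instance `key_in_authorized_keys /path/to/id_ed25519.pub ~john/.ssh/authorized_keys` and `check_strict_modes ~john`; if both pass, the reason is in the sshd log itself (run with increased LogLevel or `sshd -d`), which is the step Jakub recommends.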

