[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Authenticate with pki
[Thread Prev] | [Thread Next]
- Subject: RE: Authenticate with pki
- From: Jeremy Cross <JCross@xxxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 5 May 2021 17:20:13 +0000
- To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
Hi John... I've hit this before myself. You need to call ssh_pki_copy_cert_to_privkey(pubKey, privateKey) after ssh_pki_import_privkey_base64() and before ssh_userauth_publickey() to add the public key certificate to the private key before authenticating. Hope that helps! Jeremy. -----Original Message----- From: John Dunn <John.Dunn@xxxxxxx> Sent: Tuesday, May 4, 2021 2:11 PM To: libssh@xxxxxxxxxx Subject: Authenticate with pki This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. I am having difficulties authenticating using pki. I have a private/public key pair that allows me to authenticate with a server via ssh -i <path_to_priv_key> <user>@<host> The private key is password protected so I am prompted for the password but beyond that I am able to connect without any user interaction. I'm trying to replicate the same functionality using libssh using the following code void connect_via_ssh( const char* host, int port, const char* user, const char* path_to_pub, const char* path_to_priv, const char* priv_pass ) { ssh_session ssh = ssh_new(); int verbosity = SSH_LOG_FUNCTIONS; long timeout = 30; ssh_options_set(ssh, SSH_OPTIONS_HOST, host); ssh_options_set(ssh, SSH_OPTIONS_LOG_VERBOSITY, &verbosity); ssh_options_set(ssh, SSH_OPTIONS_PORT, &port); ssh_options_set(ssh, SSH_OPTIONS_USER, user); ssh_options_set(ssh, SSH_OPTIONS_TIMEOUT, &timeout); int rc = ssh_connect(ssh); ssh_key key = NULL; rc = ssh_pki_import_pubkey_file(path_to_pub, &key); if (rc != SSH_OK) { printf("Error ssh_pki_import_pubkey_file\r\n"); return; } rc = ssh_userauth_try_publickey(ssh, NULL, key); ssh_key_free(key); if (rc != SSH_AUTH_SUCCESS) { printf("ssh_userauth_try_publickey : %s\r\n", ssh_get_error(ssh)); exit(0); } rc = ssh_pki_import_privkey_file(path_to_priv, priv_pass, NULL, NULL, &key); if (rc != SSH_OK) { printf("Error ssh_pki_import_privkey_file\r\n"); return; } rc = ssh_userauth_publickey(ssh, NULL, key); if (rc != SSH_AUTH_SUCCESS) { printf("ssh_userauth_publickey : %s\r\n", ssh_get_error(ssh)); return; } // create channel, etc... } Everything works fine until the call to ssh_userauth_publickey - that returns SSH_AUTH_DENIED. I've verified the exact same keypair can be used with ssh so I'm guessing I'm missing a step in my code. Here are the last lines of debug output. Any suggestions would be appreciated. John [2021/05/04 14:05:27.896286, 2] ssh_pki_import_privkey_base64: Trying to decode privkey passphrase=true [2021/05/04 14:05:27.896286, 2] ssh_pki_openssh_import: Opening OpenSSH private key: ciphername: aes256-cbc, kdf: bcrypt, nkeys: 1 [2021/05/04 14:05:27.897285, 3] pki_private_key_decrypt: Decryption: 32 key, 16 IV, 16 rounds, 16 bytes salt [2021/05/04 14:05:27.997018, 3] ssh_key_algorithm_allowed: Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss> [2021/05/04 14:05:27.997455, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket [2021/05/04 14:05:27.997455, 3] packet_send2: packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198] [2021/05/04 14:05:27.997455, 4] ssh_socket_pollcallback: Poll callback on socket 744 (POLLOUT ), out buffer 0 [2021/05/04 14:05:27.998455, 4] ssh_socket_pollcallback: sending control flow event [2021/05/04 14:05:27.998455, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback [2021/05/04 14:05:28.008735, 4] ssh_socket_pollcallback: Poll callback on socket 744 (POLLIN ), out buffer 0 [2021/05/04 14:05:28.009231, 3] ssh_packet_socket_callback: packet: read type 51 [len=48,padding=11,comp=36,payload=36] [2021/05/04 14:05:28.009231, 3] ssh_packet_process: Dispatching handler for packet type 51 [2021/05/04 14:05:28.009231, 1] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive [2021/05/04 14:05:28.009231, 2] ssh_packet_userauth_failure: Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive ssh_userauth_publickey : Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive
RE: Authenticate with pki | John Dunn <John.Dunn@xxxxxxx> |
Authenticate with pki | John Dunn <John.Dunn@xxxxxxx> |