
RE: Authenticate with pki


Hi John... I've hit this before myself.

You need to call ssh_pki_copy_cert_to_privkey(pubKey, privateKey) after ssh_pki_import_privkey_base64() and before ssh_userauth_publickey() to add the public key certificate to the private key before authenticating.

Hope that helps!
Jeremy.

-----Original Message-----
From: John Dunn <John.Dunn@xxxxxxx> 
Sent: Tuesday, May 4, 2021 2:11 PM
To: libssh@xxxxxxxxxx
Subject: Authenticate with pki



I am having difficulties authenticating using pki. I have a private/public key pair that allows me to authenticate with a server via

        ssh -i <path_to_priv_key> <user>@<host>

The private key is password protected so I am prompted for the password, but beyond that I am able to connect without any user interaction. I'm trying to replicate the same functionality with libssh using the following code.

#include <stdio.h>
#include <libssh/libssh.h>

void connect_via_ssh(
  const char* host,
  int port,
  const char* user,
  const char* path_to_pub,
  const char* path_to_priv,
  const char* priv_pass
)
{
  ssh_session ssh = ssh_new();
  ssh_key key = NULL;
  int verbosity = SSH_LOG_FUNCTIONS;
  long timeout = 30;
  int rc;

  if (ssh == NULL)
  {
    printf("Error ssh_new\r\n");
    return;
  }
  ssh_options_set(ssh, SSH_OPTIONS_HOST, host);
  ssh_options_set(ssh, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
  ssh_options_set(ssh, SSH_OPTIONS_PORT, &port);
  ssh_options_set(ssh, SSH_OPTIONS_USER, user);
  ssh_options_set(ssh, SSH_OPTIONS_TIMEOUT, &timeout);

  rc = ssh_connect(ssh);
  if (rc != SSH_OK)
  {
    printf("ssh_connect : %s\r\n", ssh_get_error(ssh));
    goto cleanup;
  }

  // Verify the server's host key before offering any credentials
  if (ssh_session_is_known_server(ssh) != SSH_KNOWN_HOSTS_OK)
  {
    printf("Error unknown or changed server host key\r\n");
    goto cleanup;
  }

  // Probe with the public key: does the server accept this key at all?
  rc = ssh_pki_import_pubkey_file(path_to_pub, &key);
  if (rc != SSH_OK)
  {
    printf("Error ssh_pki_import_pubkey_file\r\n");
    goto cleanup;
  }

  rc = ssh_userauth_try_publickey(ssh, NULL, key);
  ssh_key_free(key);
  key = NULL;
  if (rc != SSH_AUTH_SUCCESS)
  {
    printf("ssh_userauth_try_publickey : %s\r\n", ssh_get_error(ssh));
    goto cleanup;
  }

  // Decrypt the private key with its passphrase and authenticate with it
  rc = ssh_pki_import_privkey_file(path_to_priv, priv_pass, NULL, NULL, &key);
  if (rc != SSH_OK)
  {
    printf("Error ssh_pki_import_privkey_file\r\n");
    goto cleanup;
  }

  rc = ssh_userauth_publickey(ssh, NULL, key);
  ssh_key_free(key);
  key = NULL;
  if (rc != SSH_AUTH_SUCCESS)
  {
    printf("ssh_userauth_publickey : %s\r\n", ssh_get_error(ssh));
    goto cleanup;
  }
  // create channel, etc...

cleanup:
  ssh_disconnect(ssh);
  ssh_free(ssh);
}

Everything works fine until the call to ssh_userauth_publickey - that returns SSH_AUTH_DENIED. I've verified the exact same keypair can be used with ssh so I'm guessing I'm missing a step in my code. Here are the last lines of debug output. Any suggestions would be appreciated.

John

[2021/05/04 14:05:27.896286, 2] ssh_pki_import_privkey_base64:  Trying to decode privkey passphrase=true
[2021/05/04 14:05:27.896286, 2] ssh_pki_openssh_import:  Opening OpenSSH private key: ciphername: aes256-cbc, kdf: bcrypt, nkeys: 1
[2021/05/04 14:05:27.897285, 3] pki_private_key_decrypt:  Decryption: 32 key, 16 IV, 16 rounds, 16 bytes salt
[2021/05/04 14:05:27.997018, 3] ssh_key_algorithm_allowed:  Checking ssh-ed25519 with list <ssh-ed25519-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss>
[2021/05/04 14:05:27.997455, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2021/05/04 14:05:27.997455, 3] packet_send2:  packet: wrote [type=50, len=208, padding_size=9, comp=198, payload=198]
[2021/05/04 14:05:27.997455, 4] ssh_socket_pollcallback:  Poll callback on socket 744 (POLLOUT ), out buffer 0
[2021/05/04 14:05:27.998455, 4] ssh_socket_pollcallback:  sending control flow event
[2021/05/04 14:05:27.998455, 4] ssh_packet_socket_controlflow_callback:  sending channel_write_wontblock callback
[2021/05/04 14:05:28.008735, 4] ssh_socket_pollcallback:  Poll callback on socket 744 (POLLIN ), out buffer 0
[2021/05/04 14:05:28.009231, 3] ssh_packet_socket_callback:  packet: read type 51 [len=48,padding=11,comp=36,payload=36]
[2021/05/04 14:05:28.009231, 3] ssh_packet_process:  Dispatching handler for packet type 51
[2021/05/04 14:05:28.009231, 1] ssh_packet_userauth_failure:  Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive
[2021/05/04 14:05:28.009231, 2] ssh_packet_userauth_failure:  Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive ssh_userauth_publickey : Access denied for 'publickey'. Authentication that can continue: publickey,keyboard-interactive
